
Solved Kiwee Toolbar removal problems.

Discussion in 'Malware and Virus Removal Archive' started by coldwaterjohn, 2010/02/14.

  1. 2010/02/14
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    101
    Likes Received:
    0
    [Resolved] Kiwee Toolbar removal problems.

    Introduced via a bogus screen for Webshots software updater, it has proved impossible to remove so far. I have searched for all references in Safe Mode, and deleted them wherever found, and deleted Webshots software. However, in the Add/Remove programs section, the remove action is inoperable for the three Kiwee items appearing there, and clicking on Remove Webshots simply triggers reinstallation of the Kiwee malware.
    There follows the content of the DDS files in the next thread, and of the OTL files where I have followed the instructions you provided to another member by copying and pasting to the custom Scan section.
    I hope you may be able to provide a solution for removal of this piece of malware.
     
  2. 2010/02/14
    coldwaterjohn Lifetime Subscription

    The DDS file reads:

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Owner at 0:15:37.40 on 15/02/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1317 [GMT 0:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    mURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Kiwee Toolbar: {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~4\GOEC62~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n8c4g92b.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-13 333192]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-13 28424]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-13 360584]
    R2 AGCoreService;AG Core Services;c:\program files\agi\core\4.2.0.10752\AGCoreService.exe [2010-2-14 20480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-25 285392]
    R2 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2007-2-13 2655848]
    R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-12-13 1310720]
    S2 AGWinService;AG Windows Service;c:\program files\agi\common\win32\pythonservice.exe [2008-12-15 10240]
    S2 gupdate1c976ffca94367e;Google Update Service (gupdate1c976ffca94367e);c:\program files\google\update\GoogleUpdate.exe [2009-1-15 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-14 30192]

    =============== Created Last 30 ================

    2010-02-14 22:25:36 0 d-----w- c:\program files\Kiwee Toolbar
    2010-02-14 22:25:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Kiwee Toolbar
    2010-02-14 22:00:57 0 d-----w- c:\program files\Unlocker
    2010-02-14 20:07:02 0 d-----w- c:\program files\Windows Installer Clean Up
    2010-02-14 14:56:40 0 d-----w- c:\windows\system32\wbem\Repository
    2010-02-14 13:08:07 0 d-----w- c:\program files\UnifiedToolbar(4)
    2010-02-14 11:16:49 0 d-----w- c:\program files\UnifiedToolbar
    2010-02-12 12:45:06 0 d-----w- c:\program files\UnifiedToolbar(2)
    2010-01-29 20:02:05 0 d-----w- c:\docume~1\owner\applic~1\Nokia Ovi Suite
    2010-01-29 18:29:33 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-01-29 18:29:23 0 d-----w- c:\program files\PC Connectivity Solution
    2010-01-29 18:28:49 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-01-29 18:28:48 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-01-29 18:28:47 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-01-29 18:28:45 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-01-29 18:28:45 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-01-29 18:28:44 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-01-22 14:41:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-16 03:06:18 145 ----a-w- c:\windows\Eudcedit.ini

    ==================== Find3M ====================

    2010-01-16 03:07:55 39554 ----a-w- c:\windows\fonts\EUDC.EUF
    2010-01-16 03:07:55 102072 ----a-w- c:\windows\fonts\EUDC.TTE
    2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03:33 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 04:03:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03:33 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 04:03:33 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 04:03:33 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03:33 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03:33 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-20 11:25:36 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-12-17 17:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-17 10:57:49 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    2009-12-17 10:57:36 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
    2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-25 13:12:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-21 02:34:54 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 02:34:54 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-19 21:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2008-12-23 00:50:15 4096 --sha-w- c:\program files\Thumbs.db
    2007-04-14 00:39:26 48668560 ----a-w- c:\program files\MapSource_6123.exe
    2004-10-01 15:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

    ============= FINISH: 0:15:59.37 ===============
     


  4. 2010/02/14
    coldwaterjohn Lifetime Subscription

    DDS Attach file content:
    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 13/12/2008 12:14:32
    System Uptime: 14/02/2010 22:23:48 (2 hours ago)

    Motherboard: ASUSTeK Computer INC. | | M2N-SLI
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2714/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 65.528 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 112 GiB total, 55.722 GiB free.
    F: is CDROM ()
    G: is FIXED (NTFS) - 699 GiB total, 116.506 GiB free.
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\13223A1E8C00
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\13223A1E8C00
    Service: NIC1394

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia E51
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia E51
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    RP69: 16/12/2009 13:21:21 - System Checkpoint
    RP70: 17/12/2009 08:21:27 - Installed Adobe Photoshop Lightroom 2.5.
    RP71: 18/12/2009 09:18:58 - System Checkpoint
    RP72: 18/12/2009 21:11:33 - Installed Adobe Photoshop Lightroom 2.6.
    RP73: 18/12/2009 21:12:55 - Removed Adobe Photoshop Lightroom 2.5.
    RP74: 19/12/2009 03:00:26 - Software Distribution Service 3.0
    RP75: 19/12/2009 09:47:53 - Avg8 Update
    RP76: 20/12/2009 10:57:33 - System Checkpoint
    RP77: 21/12/2009 11:14:46 - System Checkpoint
    RP78: 22/12/2009 13:43:37 - System Checkpoint
    RP79: 23/12/2009 09:35:53 - Avg8 Update
    RP80: 24/12/2009 10:08:23 - System Checkpoint
    RP81: 24/12/2009 10:57:25 - Installed iTunes
    RP82: 25/12/2009 12:29:38 - System Checkpoint
    RP83: 26/12/2009 13:14:29 - System Checkpoint
    RP84: 27/12/2009 14:11:01 - System Checkpoint
    RP85: 28/12/2009 14:53:57 - System Checkpoint
    RP86: 29/12/2009 15:34:33 - System Checkpoint
    RP87: 29/12/2009 23:38:37 - Removed iTunes
    RP88: 31/12/2009 00:25:34 - System Checkpoint
    RP89: 01/01/2010 00:42:20 - System Checkpoint
    RP90: 01/01/2010 09:31:05 - Avg8 Update
    RP91: 02/01/2010 10:53:27 - System Checkpoint
    RP92: 03/01/2010 11:33:31 - System Checkpoint
    RP93: 04/01/2010 11:34:17 - System Checkpoint
    RP94: 05/01/2010 11:45:25 - System Checkpoint
    RP95: 06/01/2010 13:03:21 - System Checkpoint
    RP96: 07/01/2010 13:08:32 - System Checkpoint
    RP97: 08/01/2010 13:17:28 - System Checkpoint
    RP98: 09/01/2010 14:09:37 - System Checkpoint
    RP99: 10/01/2010 14:20:10 - System Checkpoint
    RP100: 11/01/2010 15:04:59 - System Checkpoint
    RP101: 12/01/2010 15:19:07 - System Checkpoint
    RP102: 12/01/2010 18:27:23 - Software Distribution Service 3.0
    RP103: 12/01/2010 23:36:06 - Restore Operation
    RP104: 13/01/2010 03:00:17 - Software Distribution Service 3.0
    RP105: 14/01/2010 03:24:28 - System Checkpoint
    RP106: 15/01/2010 04:24:28 - System Checkpoint
    RP107: 16/01/2010 04:38:38 - System Checkpoint
    RP108: 17/01/2010 05:38:38 - System Checkpoint
    RP109: 18/01/2010 03:00:31 - Software Distribution Service 3.0
    RP110: 18/01/2010 09:49:30 - Avg8 Update
    RP111: 18/01/2010 15:28:52 - Software Distribution Service 3.0
    RP112: 18/01/2010 16:05:52 - Software Distribution Service 3.0
    RP113: 19/01/2010 03:00:17 - Software Distribution Service 3.0
    RP114: 20/01/2010 09:10:40 - Software Distribution Service 3.0
    RP115: 20/01/2010 12:09:19 - Installed Adobe Photoshop Lightroom 3 Beta.
    RP116: 21/01/2010 02:33:19 - Software Distribution Service 3.0
    RP117: 21/01/2010 02:52:21 - Software Distribution Service 3.0
    RP118: 21/01/2010 03:00:14 - Software Distribution Service 3.0
    RP119: 22/01/2010 03:00:19 - Software Distribution Service 3.0
    RP120: 23/01/2010 03:05:03 - System Checkpoint
    RP121: 24/01/2010 04:05:01 - System Checkpoint
    RP122: 24/01/2010 23:27:49 - Installed Windows XP -- Software Updates KB952011.
    RP123: 26/01/2010 00:21:33 - System Checkpoint
    RP124: 27/01/2010 00:43:35 - System Checkpoint
    RP125: 27/01/2010 08:20:19 - Avg8 Update
    RP126: 28/01/2010 08:21:35 - System Checkpoint
    RP127: 29/01/2010 08:22:41 - System Checkpoint
    RP128: 30/01/2010 08:44:53 - System Checkpoint
    RP129: 31/01/2010 11:02:41 - System Checkpoint
    RP130: 01/02/2010 12:09:00 - System Checkpoint
    RP131: 02/02/2010 15:22:10 - System Checkpoint
    RP132: 03/02/2010 15:26:50 - System Checkpoint
    RP133: 04/02/2010 16:07:59 - System Checkpoint
    RP134: 05/02/2010 17:21:02 - System Checkpoint
    RP135: 06/02/2010 17:38:17 - System Checkpoint
    RP136: 07/02/2010 18:31:18 - System Checkpoint
    RP137: 08/02/2010 19:01:33 - System Checkpoint
    RP138: 09/02/2010 19:30:06 - System Checkpoint
    RP139: 10/02/2010 09:34:54 - Software Distribution Service 3.0
    RP140: 11/02/2010 10:38:47 - System Checkpoint
    RP141: 12/02/2010 11:50:58 - System Checkpoint
    RP142: 13/02/2010 12:47:41 - System Checkpoint
    RP143: 14/02/2010 10:04:42 - Installed Java(TM) 6 Update 18
    RP144: 14/02/2010 10:28:16 - Removed Java(TM) 6 Update 11
    RP145: 14/02/2010 11:08:43 - Restore Operation
    RP146: 14/02/2010 11:41:38 - Software Distribution Service 3.0
    RP147: 14/02/2010 12:45:57 - Restore Operation
    RP148: 14/02/2010 13:11:40 - Software Distribution Service 3.0
    RP149: 14/02/2010 13:57:14 - Avg8 Update
    RP150: 14/02/2010 14:39:34 - Software Distribution Service 3.0
    RP151: 14/02/2010 14:40:21 - Restore Operation
    RP152: 14/02/2010 20:07:00 - Installed Windows Installer Clean Up
    RP153: 14/02/2010 21:54:52 - Installed Java(TM) 6 Update 18
    RP154: 14/02/2010 23:56:02 - OTL Restore Point

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint Plus
    Acrobat.com
    Ad-Aware SE Plus
    Adobe Acrobat 5.0
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Recommended Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Extra Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop 7.0
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Photoshop Lightroom 2.6
    Adobe Photoshop Lightroom 3 Beta
    Adobe Reader 9.3
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Type Support CS4
     
  5. 2010/02/14
    coldwaterjohn Lifetime Subscription

    OTL Logfile:
    OTL logfile created on: 15/02/2010 00:06:18 - Run 1
    OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.04 Gb Total Space | 65.53 Gb Free Space | 43.97% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 111.79 Gb Total Space | 55.72 Gb Free Space | 49.85% Space Free | Partition Type: NTFS
    F: Drive not present or media not loaded
    Drive G: | 698.64 Gb Total Space | 116.51 Gb Free Space | 16.68% Space Free | Partition Type: NTFS
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: REBUILD-D13FF10
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/02/14 22:58:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
    PRC - [2010/01/26 15:48:24 | 000,020,480 | ---- | M] (AG Interactive) -- C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    PRC - [2010/01/16 03:12:29 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/01/11 22:17:44 | 000,154,216 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
    PRC - [2009/12/12 18:12:23 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
    PRC - [2009/12/12 18:12:23 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
    PRC - [2009/11/25 13:12:16 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
    PRC - [2009/11/25 13:12:14 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
    PRC - [2009/11/25 13:12:09 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
    PRC - [2009/11/25 11:46:50 | 000,056,544 | ---- | M] (AG Interactive) -- C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    PRC - [2009/10/31 13:48:40 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    PRC - [2009/07/09 11:22:18 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
    PRC - [2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/02/13 18:57:06 | 002,655,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
    PRC - [2006/10/31 10:32:09 | 000,194,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/02/14 22:58:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
    MOD - [2009/11/25 13:12:30 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\avgrsstx.dll
    MOD - [2008/04/14 12:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/01/28 18:18:47 | 002,431,024 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3647.dll -- (Akamai)
    SRV - [2010/01/26 15:48:24 | 000,020,480 | ---- | M] (AG Interactive) [Auto | Running] -- C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe -- (AGCoreService)
    SRV - [2010/01/11 22:17:44 | 000,154,216 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
    SRV - [2009/12/17 11:15:07 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/11/25 13:12:09 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
    SRV - [2009/11/22 03:45:48 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
    SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2009/07/09 11:22:18 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009/03/24 03:16:36 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
    SRV - [2009/01/15 10:55:28 | 000,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c976ffca94367e) Google Update Service (gupdate1c976ffca94367e)
    SRV - [2008/12/15 18:25:54 | 000,010,240 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AGI\common\win32\PythonService.exe -- (AGWinService)
    SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
    SRV - [2007/02/13 18:57:06 | 002,655,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe -- (Norton Save and Restore)
    SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
    SRV - [2006/10/31 10:32:09 | 002,541,248 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
    SRV - [2006/10/31 10:32:09 | 000,194,240 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
    SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
    SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Kiwee Toolbar "
    FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= "
    FF - prefs.js..browser.search.order.1: "Web Search "
    FF - prefs.js..browser.search.order.2: "Google "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official "
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
    FF - prefs.js..keyword.URL: "http://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q= "
    FF - prefs.js..network.proxy.type: 4

    FF - HKLM\software\mozilla\Firefox\extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/10/29 01:49:20 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 18:13:30 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2009/11/25 13:12:28 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/12/27 08:49:31 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/02/14 12:54:37 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\unifiedtoolbar@aginteractive.com: C:\Program Files\UnifiedToolbar\3.2\Firefox [2010/02/14 22:25:32 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/14 18:09:07 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/14 18:09:04 | 000,000,000 | ---D | M]

    [2009/04/04 08:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2009/04/04 08:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\uploadr@flickr.com
    [2010/02/14 19:59:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions
    [2009/06/24 11:39:06 | 000,000,000 | ---D | M] (Google Enhancer - True Knowledge) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{7738069b-91db-41a0-91d2-7b06ca79d2e1}
    [2009/06/22 13:17:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{89736E8E-4B14-4042-8C75-AD00B6BD3900}
    [2009/12/14 14:28:56 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    [2009/07/02 16:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\isreaditlater@ideashower(2).com
    [2010/02/14 19:59:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2008/06/19 09:16:24 | 000,118,784 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\MyCamera.dll
    [2008/06/19 09:16:24 | 000,053,248 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\NPCIG.dll
    [2010/01/16 00:55:13 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/01/16 00:55:13 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/01/16 00:55:13 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/01/16 00:55:13 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2008/04/14 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
    O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - AppInit_DLLs: (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/12/13 12:13:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2005/09/01 13:54:05 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2007/05/10 07:48:26 | 000,000,032 | ---- | M] () - G:\autorun.inf -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - comfile [open] -- "%1" %*
    O35 - exefile [open] -- "%1" %*

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/02/14 22:25:36 | 000,000,000 | ---D | C] -- C:\Program Files\Kiwee Toolbar
    [2010/02/14 22:25:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar
    [2010/02/14 22:00:57 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
    [2010/02/14 20:07:02 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
    [2010/02/14 14:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/02/14 14:47:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\NokiaAccount
    [2010/02/14 13:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\agi
    [2010/02/14 13:08:07 | 000,000,000 | ---D | C] -- C:\Program Files\UnifiedToolbar(4)
    [2010/02/14 13:06:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
    [2010/02/14 11:16:49 | 000,000,000 | ---D | C] -- C:\Program Files\UnifiedToolbar
    [2010/02/14 10:05:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/02/14 10:05:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/02/12 12:45:06 | 000,000,000 | ---D | C] -- C:\Program Files\UnifiedToolbar(2)
    [2010/02/11 08:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/02/08 14:01:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Citrix
    [2009/12/17 08:57:35 | 001,228,240 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\ADBEPHSPCS4_LS1.exe
    [2009/11/25 13:05:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2009/11/25 13:05:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
    [2009/11/25 13:05:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2009/02/12 08:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    [2009/02/11 10:20:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\agi
    [2009/02/11 10:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
    [2009/02/10 12:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/02/05 17:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

    ========== Files - Modified Within 14 Days ==========

    [2010/02/14 23:53:02 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/02/14 23:24:14 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
    [2010/02/14 22:34:03 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
    [2010/02/14 22:27:24 | 000,000,679 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/02/14 22:27:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/02/14 22:27:24 | 000,000,223 | RHS- | M] () -- C:\boot.ini
    [2010/02/14 22:24:58 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
    [2010/02/14 22:24:32 | 000,191,207 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
    [2010/02/14 22:24:29 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/02/14 22:24:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/02/14 22:24:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/02/14 22:23:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
    [2010/02/14 18:44:42 | 000,000,053 | ---- | M] () -- C:\biosinfo
    [2010/02/14 18:32:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/02/14 18:09:08 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/02/14 13:13:23 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/02/14 13:11:22 | 055,581,995 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2010/02/14 13:10:57 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
    [2010/02/14 12:05:40 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
    [2010/02/14 10:57:06 | 000,001,334 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ADDRESSES 08 01 03.GCF
    [2010/02/14 10:38:14 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/02/11 12:53:55 | 000,207,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Rum chocolate mousse recipe.jpg
    [2010/02/10 22:39:01 | 002,720,256 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ADDRESSES 08 01 03.OR3
    [2010/02/07 12:59:28 | 001,206,199 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fa_win_ug_en.pdf
    [2010/02/05 23:37:24 | 000,017,680 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\n627563390_9071.jpg
    [2010/02/04 18:59:30 | 004,443,656 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nov96.QDF
    [2010/02/04 18:59:30 | 002,332,194 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nov96.QSD
    [2010/02/04 18:47:14 | 000,000,132 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~QW~LINK.QDT
    [2010/02/04 15:45:37 | 000,064,000 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Legal and Geneal Details of investment.doc
    [2010/02/04 12:32:03 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nov96.QEL
    [2010/02/04 12:32:02 | 000,000,046 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Q3.DIR
    [2010/02/04 11:25:44 | 001,880,115 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\scan011.jpg
    [2010/02/04 11:14:47 | 001,530,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\scan010.jpg
    [2010/02/01 09:03:53 | 000,002,547 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Word processor.lnk

    ========== Files Created - No Company Name ==========

    [2010/02/14 18:09:08 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/02/14 12:05:40 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
    [2010/02/11 12:53:55 | 000,207,864 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Rum chocolate mousse recipe.jpg
    [2010/02/07 12:59:17 | 001,206,199 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fa_win_ug_en.pdf
    [2010/02/05 23:37:23 | 000,017,680 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\n627563390_9071.jpg
    [2010/02/04 15:39:05 | 000,064,000 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Legal and Geneal Details of investment.doc
    [2010/02/04 11:25:43 | 001,880,115 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\scan011.jpg
    [2010/02/04 11:14:45 | 001,530,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\scan010.jpg
    [2010/01/16 03:06:18 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
    [2009/12/20 11:28:22 | 000,000,576 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\afl.log
    [2009/12/17 08:57:35 | 853,860,607 | ---- | C] () -- C:\Program Files\ADBEPHSPCS4_LS1.7z
    [2009/12/07 20:35:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
    [2009/12/06 17:36:50 | 000,000,390 | ---- | C] () -- C:\WINDOWS\{A7A59CB1-5FAE-42A1-B335-17B1C942B43E}_WiseFW.ini
    [2009/05/21 00:21:20 | 000,000,061 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\mm-device-08.ini
    [2009/02/21 08:25:20 | 000,691,592 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2009/01/29 14:26:04 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
    [2009/01/10 16:36:55 | 000,000,219 | ---- | C] () -- C:\WINDOWS\QHI.INI
    [2008/12/23 00:50:14 | 000,004,096 | -HS- | C] () -- C:\Program Files\Thumbs.db
    [2008/12/21 10:24:11 | 000,018,790 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
    [2008/12/15 18:25:37 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
    [2008/12/15 18:25:37 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
    [2008/12/14 13:26:39 | 000,000,052 | ---- | C] () -- C:\WINDOWS\Intuprof.ini
    [2008/12/14 13:26:38 | 000,001,704 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2008/12/14 04:03:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/12/14 02:29:55 | 000,064,000 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/12/14 01:09:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/12/13 19:26:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\winhelp.ini
    [2008/12/13 19:19:57 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
    [2008/12/13 19:19:57 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
    [2008/12/13 19:19:05 | 000,000,027 | ---- | C] () -- C:\WINDOWS\CDE P4870EFGD.ini
    [2008/12/13 19:01:22 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDER300Euro.ini
    [2008/12/13 13:14:01 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
    [2008/12/13 12:41:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\msicpl.ini
    [2008/12/13 12:41:10 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\smdll.dll
    [2008/12/13 12:41:08 | 000,262,144 | R--- | C] () -- C:\WINDOWS\System32\HookShield.dll
    [2008/12/13 12:41:08 | 000,253,952 | R--- | C] () -- C:\WINDOWS\System32\HookMAp.dll
    [2008/12/13 12:41:08 | 000,032,768 | R--- | C] () -- C:\WINDOWS\System32\Auxiliary.dll
    [2008/12/13 12:41:07 | 000,009,728 | R--- | C] () -- C:\WINDOWS\System32\sysinfoX64.sys
    [2008/12/13 12:41:07 | 000,008,192 | R--- | C] () -- C:\WINDOWS\System32\sysinfo.sys
    [2008/12/13 12:29:31 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\C6501rm.dll
    [2008/12/13 12:29:31 | 000,000,162 | ---- | C] () -- C:\WINDOWS\C6501.ini.cfl
    [2008/12/13 12:28:36 | 000,004,571 | R--- | C] () -- C:\WINDOWS\C6501.ini.cfg
    [2008/12/13 12:28:30 | 000,000,326 | R--- | C] () -- C:\WINDOWS\c6501.ini
    [2008/12/13 12:27:57 | 000,012,377 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2008/12/13 12:24:28 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
    [2008/12/13 12:24:17 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2008/11/26 03:03:47 | 048,668,560 | ---- | C] () -- C:\Program Files\MapSource_6123.exe
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
    [2008/06/11 09:02:32 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
    [2008/06/11 09:02:32 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
    [2008/06/11 09:02:32 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
    [2008/06/05 08:58:26 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
    [2008/04/14 12:00:00 | 001,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
    [2007/10/18 17:36:54 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\deskMenu2.dll
    [2007/08/15 06:27:18 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
    [2006/06/01 09:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
    [2006/06/01 09:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [1996/02/22 02:23:00 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
    [1996/01/17 02:23:00 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
    [1996/01/15 02:23:00 | 000,334,016 | ---- | C] () -- C:\WINDOWS\System32\loflt09.dll

    ========== LOP Check ==========

    [2010/02/14 22:24:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\agi
    [2008/12/22 16:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
    [2009/12/17 18:17:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2010/02/14 19:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2008/12/14 12:06:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
    [2009/12/27 08:33:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/02/14 22:25:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar
    [2009/06/03 22:14:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Memory-Map-License
    [2009/02/10 12:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
    [2009/12/28 00:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OviInstallerCache
    [2009/02/10 12:47:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2009/12/16 13:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
    [2009/10/24 23:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2008/12/13 19:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
    [2009/11/25 10:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
    [2009/09/25 06:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/05/27 09:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010/02/14 15:25:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\agi
    [2009/08/31 21:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2009/02/27 16:29:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canon
    [2008/12/24 01:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2008/12/21 10:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\deskPDF
    [2009/01/06 01:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DNA
    [2009/03/02 01:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EPSON
    [2009/04/04 08:03:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Flickr
    [2009/08/06 03:25:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GARMIN
    [2009/03/20 00:39:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HDRsoft
    [2008/12/13 13:18:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
    [2009/03/21 11:31:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Lucis
    [2010/01/29 20:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia
    [2010/01/29 20:02:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia Ovi Suite
    [2009/03/21 20:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OfficeUpdate12
    [2009/02/10 12:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Suite
    [2009/06/09 13:44:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Smart Panel

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2008/04/14 12:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2008/04/14 12:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/14 12:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
    [2008/04/14 12:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/14 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
    [2008/04/14 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: NVATA.SYS >
    [2006/04/25 00:52:28 | 000,100,736 | R--- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\WINDOWS\system32\drivers\nvata.sys

    < MD5 for: SCECLI.DLL >
    [2008/04/14 12:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
    [2008/04/14 12:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/12/13 11:58:50 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/12/13 11:58:50 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/12/13 11:58:50 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\My Documents\mskb928080.exe:SummaryInformation
    < End of report >
     
  6. 2010/02/14
    coldwaterjohn Lifetime Subscription

    OTL Extras Logfile reads:
    OTL Extras logfile created on: 15/02/2010 00:06:18 - Run 1
    OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.04 Gb Total Space | 65.53 Gb Free Space | 43.97% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 111.79 Gb Total Space | 55.72 Gb Free Space | 49.85% Space Free | Partition Type: NTFS
    F: Drive not present or media not loaded
    Drive G: | 698.64 Gb Total Space | 116.51 Gb Free Space | 16.68% Space Free | Partition Type: NTFS
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: REBUILD-D13FF10
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
    htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 1
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
    "C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
    "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech)
    "C:\WINDOWS\Temp\NavBrowser.exe" = C:\WINDOWS\Temp\NavBrowser.exe:*:Disabled:NAVBrowser -- (Naviant, Inc.)
    "C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
    "C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
    "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
    "C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe" = C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater -- (Nokia Corporation)
    "C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe" = C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process -- (Nokia Corporation)
    "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
    "E:\Program Files\Microsoft Flight Simulator X\fsx.exe" = E:\Program Files\Microsoft Flight Simulator X\fsx.exe:*:Enabled:Microsoft Flight Simulator® -- (Microsoft Corp.)
    "C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
    "C:\Program Files\Google\Picasa3\Picasa3.exe" = C:\Program Files\Google\Picasa3\Picasa3.exe:*:Enabled:picasa -- (Google Inc.)
    "C:\Program Files\Flickr Uploadr\Flickr Uploadr.exe" = C:\Program Files\Flickr Uploadr\Flickr Uploadr.exe:*:Enabled:Flickr Uploadr -- (Mozilla Foundation)
    "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- File not found
    "C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
    "C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0219E485-AD36-4840-9FB1-E345D58CC74A}" = LucisArt 3.0.1 ED/SE Demo
    "{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
    "{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
    "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
    "{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
    "{098A2A49-7CF3-4F08-A38D-FB879117152A}" = Adobe Color NA Extra Settings CS4
    "{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
    "{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
    "{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}" = Adobe Color EU Recommended Settings CS4
    "{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
    "{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
    "{109D28C7-FB38-483A-9C91-001CB59E2699}" = EPSON CardMonitor
    "{10deb052-db5d-32a6-9ff2-200e810d1a7b}" = Kiwee Toolbar for Firefox
    "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
    "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
    "{15F4085A-BC98-4590-AFFD-03BBBE49524E}" = Garmin Communicator Plugin
    "{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
    "{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
    "{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
    "{1793bdb7-d5c1-33be-97e2-7c3e60b6ab43}" = Kiwee Chatbar
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{23B59B9F-C360-11D7-875B-0090CC005647}" = PIF DESIGNER2.1
    "{23B59ED4-C360-11D7-875B-0090CC005647}" = EPSON PRINT Image Framer Tool2.1
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 18
    "{27F00C63-449B-2FAB-CBE8-24AB80E17449}" = Acrobat.com
    "{2D4ECAAA-28A3-4D3D-A030-E6025EB3E52C}" = nRoute
    "{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
    "{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
    "{3724743C-C279-4ACA-A451-56479745208A}" = Memory-Map European Edition
    "{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
    "{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
    "{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
    "{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
    "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
    "{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
    "{4BED786D-2B70-4F4F-B901-68DC5DE223DB}" = MapSource - European MetroGuide v4.01
    "{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}" = Nokia Software Updater
    "{4CE6B3C4-D8E2-4A5D-BEF5-5B69AF843B0C}" = PC Connectivity Solution
    "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
    "{564B16F4-6B5B-47B0-9AB6-FF2E943947F7}" = Nokia Ovi Suite Software Updater
    "{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
    "{5F8434AA-E977-4A28-8D39-35969565DF53}" = MapSource - City Select North America v6
    "{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
    "{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
    "{65F5B7AF-3363-11D7-BB6B-00018021113F}" = EPSON PhotoQuicker3.5
    "{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
    "{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
    "{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}" = OpenOffice.org 2.0
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
    "{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{71DFAA65-77FA-41F3-A748-013B5A8524A3}" = Garmin City Navigator North America NT 2010.30
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{81CB77FF-9789-4337-A46E-185F7876AC40}" = Adobe Photoshop Lightroom 2.6
    "{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
    "{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8aade841-03c5-486a-b048-bb112cc0cac5}" = Kiwee Toolbar for Internet Explorer
    "{8D100E0C-1A5A-43AD-93EF-76F94AE61C30}" = OviMPlatform
    "{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}" = Nokia PC Suite
    "{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A7BA5663-08FD-41B1-8008-DD3C3752C2E5}" = Garmin City Navigator Europe NT 2010.20 Update
    "{A7E07C2B-2220-4415-87E3-784D5814BC93}" = NVIDIA PhysX v8.09.04
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
    "{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
    "{B0255743-165B-4BD5-8DA8-37DFB993B201}" = Norton Save and Restore
    "{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
    "{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
    "{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}" = Nokia Ovi Suite
    "{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
    "{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
    "{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
    "{BA4D387C-B026-4E57-BFDC-030AAB4A1CCA}" = Garmin MapSource
    "{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
    "{BC2FE771-EDBE-3087-A676-2B6C45A2BF7E}" = Google Gears
    "{BEA18030-8B42-1286-EF64-CDA6BD083888}" = BBC iPlayer Desktop
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C2E8B236-7554-45FE-92C0-94EF76E4D182}" = Garmin City Navigator North America NT 2010.20
    "{C48817E7-AA05-4151-A99D-1E1E550CE801}" = EPSON PhotoStarter3.1
    "{C50EF365-2898-489A-B6C7-30DAA466E9A2}" = Nokia Connectivity Cable Driver
    "{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
    "{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
    "{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
    "{D9C8DEF8-D07B-4164-BEF0-6D879A70C212}" = Microsoft Easy Assist v2
    "{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
    "{DEE20FE8-0F28-46C9-BAE9-869645B76412}" = EPSON Photo Print
    "{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
    "{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
    "{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
    "{F1C3541D-5B93-4131-B440-692FBA3DD250}" = Ovi Desktop Sync Engine
    "{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
    "{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
    "{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
    "{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
    "{FDB36203-5D80-4D03-9A84-673580CAF5A7}" = Adobe Photoshop Lightroom 3 Beta
    "{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
    "05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    "49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    "504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    "53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    "8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    "Ad-Aware SE Plus" = Ad-Aware SE Plus
    "Adobe Acrobat 5.0" = Adobe Acrobat 5.0
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop 7.0" = Adobe Photoshop 7.0
    "Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
    "Akamai" = Akamai NetSession Interface
    "AVG9Uninstall" = AVG Free 9.0
    "AVS Audio Recorder 3.9_is1" = AVS Audio Recorder version 3.9
    "AVS Update Manager_is1" = AVS Update Manager 1.0
    "AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
    "AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
    "BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
    "CAL" = Canon Camera Access Library
    "CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    "CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    "CameraWindowLauncher" = Canon Utilities CameraWindow
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
    "com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "CSCLIB" = Canon Camera Support Core Library
    "deskPDF 2.5 Professional_is1" = deskPDF 2.5 Professional Edition
    "DPP" = Canon Utilities Digital Photo Professional 3.5
    "EOS Utility" = Canon Utilities EOS Utility
    "EPSON Printer and Utilities" = EPSON Printer Software
    "ESPR300 Reference Guide" = ESPR300 Reference Guide
    "ESPR300 Software Guide" = ESPR300 Software Guide
    "ESPR300 Standalone Guide" = ESPR300 Standalone Guide
    "Flickr Uploadr" = Flickr Uploadr 3.2.1
    "FlightSim_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
    "FLV Player" = FLV Player 2.0 (build 25)
    "Generic 6501 Sound" = C-Media 6501 Sound
    "Google Chrome" = Google Chrome
    "Google Desktop" = Google Desktop
    "Google Updater" = Google Updater
    "GPL Ghostscript_is1" = Docudesk GPL Ghostscript 8.15
    "HDR PhotoStudio 2" = HDR PhotoStudio 2
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{5F8434AA-E977-4A28-8D39-35969565DF53}" = MapSource - City Select North America v6
    "InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
    "LiveReg" = LiveReg (Symantec Corporation)
    "LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MyCamera" = Canon Utilities MyCamera
    "Nero - Burning Rom!UninstallKey" = Nero OEM
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Nokia Ovi Suite" = Nokia Ovi Suite
    "Nokia PC Suite" = Nokia PC Suite
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "NVIDIA Drivers" = NVIDIA Drivers
    "NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
    "Original Data Security Tools" = Canon Utilities Original Data Security Tools
    "Perf4870 Reference Guide" = Perf4870 Reference Guide
    "PhotomatixPro3_is1" = Photomatix Pro version 3.1.3
    "PhotomatixPro3Betax32_is1" = Photomatix Pro version 3.2.2
    "PhotomatixPro3x32_is1" = Photomatix Pro version 3.2.6
    "PhotoStitch" = Canon Utilities PhotoStitch
    "Picasa 3" = Picasa 3
    "Picture Style Editor" = Canon Utilities Picture Style Editor
    "Quicken Deluxe 2000" = Quicken Deluxe 2000
    "RealPlayer 12.0" = RealPlayer
    "RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
    "RTMshadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X
    "SmartSuite V97.0" = Lotus SmartSuite 97
    "SP1shadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X Service Pack 1
    "The Ultimate Troubleshooter" = The Ultimate Troubleshooter
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    "Webshots Desktop_is1" = Webshots Desktop
    "WFTK" = Canon Utilities WFT-E1/E2/E3 Utility
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "WinUndelete" = WinUndelete
    "WinZip Self-Extractor" = WinZip Self-Extractor
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "BitTorrent DNA" = DNA
    "MCR-01 Ultralight" = MCR-01 Ultralight

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 14/02/2010 10:36:48 | Computer Name = REBUILD-D13FF10 | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 14/02/2010 10:37:33 | Computer Name = REBUILD-D13FF10 | Source = Application Hang | ID = 1002
    Description = Hanging application Ad-Watch.exe, version 3.1.2.17, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 14/02/2010 10:37:43 | Computer Name = REBUILD-D13FF10 | Source = Application Hang | ID = 1001
    Description = Fault bucket 35935249.

    Error - 14/02/2010 10:59:03 | Computer Name = REBUILD-D13FF10 | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 14/02/2010 11:37:12 | Computer Name = REBUILD-D13FF10 | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 14/02/2010 11:51:42 | Computer Name = REBUILD-D13FF10 | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 14/02/2010 14:18:14 | Computer Name = REBUILD-D13FF10 | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 14/02/2010 14:44:24 | Computer Name = REBUILD-D13FF10 | Source = JavaQuickStarterService | ID = 1
    Description =

    Error - 14/02/2010 16:06:59 | Computer Name = REBUILD-D13FF10 | Source = Application Hang | ID = 1002
    Description = Hanging application Ad-Aware.exe, version 6.2.0.207, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 14/02/2010 16:07:04 | Computer Name = REBUILD-D13FF10 | Source = Application Hang | ID = 1001
    Description = Fault bucket 136490868.

    [ System Events ]
    Error - 14/02/2010 18:05:59 | Computer Name = REBUILD-D13FF10 | Source = Service Control Manager | ID = 7001
    Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
    service which failed to start because of the following error: %%31

    Error - 14/02/2010 18:05:59 | Computer Name = REBUILD-D13FF10 | Source = Service Control Manager | ID = 7001
    Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
    service which failed to start because of the following error: %%31

    Error - 14/02/2010 18:05:59 | Computer Name = REBUILD-D13FF10 | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 14/02/2010 18:05:59 | Computer Name = REBUILD-D13FF10 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD AmdK8 AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

    Error - 14/02/2010 18:08:37 | Computer Name = REBUILD-D13FF10 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 14/02/2010 18:10:24 | Computer Name = REBUILD-D13FF10 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 14/02/2010 18:10:50 | Computer Name = REBUILD-D13FF10 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 14/02/2010 18:15:37 | Computer Name = REBUILD-D13FF10 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 14/02/2010 18:21:07 | Computer Name = REBUILD-D13FF10 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service wuauserv with
    arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

    Error - 14/02/2010 18:23:06 | Computer Name = REBUILD-D13FF10 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


    < End of report >
     
  7. 2010/02/14
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Can you first try uninstalling the following:

    Kiwee Chatbar
    Kiwee Toolbar for Firefox
    Kiwee Toolbar for Internet Explorer


    Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Download the update from here if you have problems.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    Make sure that you restart the computer.

    ============

    Download HijackThis Executable from here. Save it to your desktop.
    Start HJT and press the "Do a system scan and save a log file" button. When the scan is finished, a window will pop up giving you the option of where to save it. Save it to the desktop, where it is easy to access. Open the log file, go to the Format tab and make sure that Word Wrap is unchecked. Copy the entire contents of the file and paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
     
  8. 2010/02/15
    coldwaterjohn Lifetime Subscription

    Crunchie

    Here is the malware log:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3741
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    15/02/2010 11:43:01
    mbam-log-2010-02-15 (11-43-01).txt

    Scan type: Full Scan (C:\|E:\|G:\|)
    Objects scanned: 454113
    Time elapsed: 2 hour(s), 42 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\WinSys.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  9. 2010/02/15
    coldwaterjohn Lifetime Subscription

    Here is the Hijack This Log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 12:05:45, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.register.epson-europe.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c976ffca94367e) (gupdate1c976ffca94367e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8420 bytes
     
  10. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Crunchie, I am ready whenever you are, for the next step in the process.
    I am guessing we are about 12 hours apart, but I am a night owl, or at least I am when trying to fix something like this, with your help!
     
  11. 2010/02/15
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No worries. I just crawled out of bed :).

    Can you please do the following.


    ===============

    Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the Kiwee toolbar. To do this, let's:

    1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

    kwtbaim.exe*

    2) Then if any are found in the 'prefetch' folder, delete them.

    Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Scan with HijackThis and then place a check next to all the following, if present:


    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)

    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)

    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)

    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, then click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

    folders...

    C:\Program Files\Kiwee Toolbar

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear.
    Select the first option to run Windows in Safe Mode, then hit Enter.

    -

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
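The four entries listed for fixing in the post above all carry HijackThis's "(file missing)" annotation, and the process to kill sits under the Kiwee Toolbar folder. The Python sketch below is an added example, not part of the thread or of HijackThis: it reproduces that selection from a log and groups the hits by CLSID. The function names and the `kiwee` keyword are assumptions, and the sample is an excerpt of the log posted earlier in this thread.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
"""

# An entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


def parse_log(text):
    """Split a HijackThis log into running-process paths and parsed entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()  # forum copies are often indented
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            body = match.group("body")
            clsid = CLSID_RE.search(body)
            entries.append({
                "code": match.group("code"),
                "body": body,
                # Upper-case so the same CLSID in different case compares equal.
                "clsid": clsid.group(0).upper() if clsid else None,
                "file_missing": body.endswith("(file missing)"),
            })
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.append(line)
        elif not line:
            in_processes = False  # a blank line ends the process list
    return processes, entries


def triage(text, keywords=()):
    """Return processes matching a keyword and entries that either match a
    keyword or are annotated "(file missing)" by HijackThis."""
    processes, entries = parse_log(text)
    lowered = [k.lower() for k in keywords]

    def hit(value):
        return any(k in value.lower() for k in lowered)

    return {
        "processes": [p for p in processes if hit(p)],
        "entries": [e for e in entries if e["file_missing"] or hit(e["body"])],
    }


def group_by_clsid(entries):
    """Map each CLSID to the section codes it appears under, which shows one
    component registered at several load points."""
    groups = {}
    for entry in entries:
        if entry["clsid"]:
            groups.setdefault(entry["clsid"], []).append(entry["code"])
    return groups


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, keywords=("kiwee",))
    for path in result["processes"]:
        print("process:", path)
    for entry in result["entries"]:
        print("entry:  ", entry["code"], "-", entry["body"])
    print("by CLSID:", group_by_clsid(result["entries"]))
```

The flagged lines are candidates for review, not a verdict: the ComboFix log later in this thread lists c:\windows\system32\mscoree.dll as present even though HijackThis marks the entries that point at it "(file missing)".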
  12. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Will get back to you as soon as I have tackled this lot.
     
  13. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Crunchie

    The file search found kwtbaim in c:\program files\kiwee toolbar\3.2 56 kb application but access was denied when attempting to delete it.

    Do you want me to ignore this and run Hijack This, or do something else?
     
  14. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Running HijackThis, found the line you mention.
    "Kill Process" resulted in the message "The Selected process could not be killed. It may have already closed or it may be protected by Windows. This process might be a service, which you can stop from the Services applet in Admin Tools. (To load this window, click Start, Run, and enter 'Services.msc')"
     
  15. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    No sign of the item in the services.msc search, just for info.
     
  16. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    I identified and managed to get rid of the items listed by you with fix checked.
    The search for c:\program Files\Kiwee Toolbar, found it but would not let me delete it.
    Now going to move to Safe Mode after downloading Combofix.
    I assume that is to be run in safe Mode?
     
  17. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    In safe mode, everything previously undeletable appeared to be able to be deleted.
    However here are the logs for CF and Hijack This. Unfortunately on the Hijack Log are appearing once more all the items which appear to have been deleted earlier...

    CF Log:
    ComboFix 10-02-12.01 - Owner 15/02/2010 22:27:21.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1515 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\My Documents\ZbThumbnail.info
    C:\text.txt
    c:\windows\winhelp.ini
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
    .

    2010-02-15 22:35 . 2010-02-15 22:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
    2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\program files\Kiwee Toolbar
    2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    2010-02-15 12:24 . 2010-02-15 12:24 -------- d-----w- c:\program files\Common Files\xing shared
    2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-15 08:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 22:00 . 2010-02-14 22:01 -------- d-----w- c:\program files\Unlocker
    2010-02-14 20:07 . 2010-02-14 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-02-14 14:56 . 2010-02-14 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-14 14:47 . 2010-02-14 14:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NokiaAccount
    2010-02-14 13:08 . 2010-02-14 14:41 -------- d-----w- c:\program files\UnifiedToolbar(4)
    2010-02-14 13:06 . 2010-02-14 13:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-02-14 11:16 . 2010-02-14 14:51 -------- d-----w- c:\program files\UnifiedToolbar
    2010-02-14 10:05 . 2010-02-14 10:05 -------- d-----w- c:\program files\Common Files\Java
    2010-02-12 12:45 . 2010-02-14 14:49 -------- d-----w- c:\program files\UnifiedToolbar(2)
    2010-02-11 08:57 . 2010-02-11 08:57 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-02-08 14:01 . 2010-02-08 14:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
    2010-01-29 20:02 . 2010-01-29 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia Ovi Suite
    2010-01-29 18:42 . 2010-01-29 18:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nokia
    2010-01-29 18:29 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-01-29 18:29 . 2010-02-14 14:46 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-01-29 18:28 . 2009-10-06 11:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-01-29 18:28 . 2009-10-06 11:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-01-29 18:28 . 2009-10-06 11:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-01-29 18:28 . 2009-10-06 11:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-01-22 14:41 . 2010-02-14 18:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-15 22:36 . 2009-12-17 08:56 -------- d-----w- c:\program files\Common Files\Akamai
    2010-02-15 21:44 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\agi
    2010-02-15 21:33 . 2008-12-14 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-02-15 20:24 . 2009-12-07 20:35 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-02-15 18:04 . 2009-10-07 10:49 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-15 16:02 . 2008-12-14 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-02-15 13:13 . 2008-12-29 11:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-15 12:29 . 2008-12-14 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-15 12:29 . 2008-12-14 02:02 -------- d-----r- c:\program files\Skype
    2010-02-15 12:24 . 2009-01-29 10:49 -------- d-----w- c:\program files\Common Files\Real
    2010-02-15 12:23 . 2008-12-16 12:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-02-15 12:23 . 2008-12-13 12:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-02-15 12:03 . 2010-02-15 12:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-14 21:55 . 2008-12-29 12:02 -------- d-----w- c:\program files\Java
    2010-02-14 20:07 . 2010-02-14 20:07 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-02-14 20:05 . 2009-03-22 20:43 -------- d-----w- c:\program files\MSECache
    2010-02-14 19:48 . 2009-11-25 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-14 15:25 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\Owner\Application Data\agi
    2010-02-14 14:52 . 2008-12-14 00:52 -------- d-----w- c:\program files\Google
    2010-02-14 14:51 . 2009-10-07 07:37 -------- d-----w- c:\program files\UCT
    2010-02-14 14:44 . 2009-09-23 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-14 14:42 . 2010-01-13 00:20 -------- d-----w- c:\program files\WinUndelete
    2010-02-14 14:42 . 2010-01-12 15:41 -------- d-----w- c:\program files\Evening Help Guide
    2010-02-14 14:31 . 2008-12-22 12:12 -------- d-----w- c:\program files\Weather
    2010-02-14 13:42 . 2008-12-15 18:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
    2010-02-12 11:11 . 2008-12-13 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
    2010-02-11 08:55 . 2008-12-15 18:25 -------- d-----w- c:\program files\AGI
    2010-01-29 20:02 . 2009-02-10 12:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
    2010-01-29 18:30 . 2009-02-10 12:46 -------- d-----w- c:\program files\Common Files\Nokia
    2010-01-29 18:29 . 2009-02-10 12:45 -------- d-----w- c:\program files\Nokia
    2010-01-29 18:27 . 2010-01-29 18:27 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
    2010-01-29 18:27 . 2010-01-29 18:27 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
    2010-01-29 18:27 . 2010-01-29 18:27 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
    2010-01-29 18:27 . 2010-01-29 18:27 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
    2010-01-29 17:45 . 2010-01-29 17:45 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
    2010-01-20 12:09 . 2008-12-13 13:18 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-18 09:49 . 2010-01-27 08:20 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-18 09:49 . 2010-01-27 08:20 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-12 16:08 . 2009-12-17 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-01-12 04:03 . 2009-12-17 13:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 04:03 . 2009-12-17 13:00 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 04:03 . 2009-12-17 13:00 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 04:03 . 2008-10-07 13:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03 . 2006-06-01 09:22 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03 . 2006-06-01 09:22 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03 . 2006-06-01 09:22 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03 . 2006-06-01 09:22 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-29 23:39 . 2009-01-28 17:11 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-28 00:15 . 2009-12-28 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
    2009-12-27 23:53 . 2009-12-28 00:15 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller_ALL.exe
    2009-12-27 08:49 . 2009-12-27 08:49 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-12-27 08:46 . 2009-12-27 08:46 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-27 08:46 . 2009-12-27 08:46 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-27 08:33 . 2009-02-10 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-12-27 08:33 . 2009-12-27 08:46 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
    2009-12-26 13:40 . 2009-03-20 00:17 -------- d-----w- c:\program files\PhotomatixPro3
    2009-12-26 10:29 . 2008-12-14 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-24 16:22 . 2009-01-28 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-12-24 10:57 . 2009-12-24 10:56 -------- d-----w- c:\program files\QuickTime
    2009-12-21 22:24 . 2009-01-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-20 11:25 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-12-17 11:37 . 2008-12-13 12:42 30696 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-17 10:57 . 2009-12-17 08:57 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    2009-12-17 10:57 . 2009-12-17 08:57 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-12-16 18:43 . 2008-12-13 12:09 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 09:23 . 2008-04-14 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
    2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-27 17:11 . 2008-04-14 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:07 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-25 13:12 . 2008-12-13 12:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-25 13:12 . 2008-12-13 12:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-21 02:34 . 2008-12-13 12:41 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 02:34 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-19 21:42 . 2008-12-13 12:24 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-19 11:48 . 2009-12-01 12:06 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 11:48 . 2009-12-01 12:06 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 11:48 . 2009-12-01 12:06 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 11:48 . 2009-12-01 12:06 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2008-12-23 00:50 . 2008-12-23 00:50 4096 --sha-w- c:\program files\Thumbs.db
    2007-04-14 00:39 . 2008-11-26 03:03 48668560 ----a-w- c:\program files\MapSource_6123.exe
    2004-10-01 15:00 . 2008-12-13 13:14 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    2009-11-22 03:45 . 2008-12-14 10:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A} "= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
    "{1c99b848-84cb-4ce4-8cd8-ed5719484d9f} "= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
    [HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "KiweeHook"="c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe" [2009-11-25 56544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
    2003-09-11 03:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-11-22 03:45 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
    2009-11-25 11:46 56544 ----a-w- c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2008-12-14 18:35 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2004-06-08 12:31 29696 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2009-12-10 15:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-11 22:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-11 22:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 17:35 32768 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 16:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 15:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
    2006-09-07 10:13 208896 ----a-r- c:\windows\system32\sw20.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
    2006-09-07 10:14 69632 ----a-r- c:\windows\system32\sw24.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
    2006-10-03 06:37 217088 ----a-r- c:\windows\system32\WinSys2.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "e:\\Program Files\\Microsoft Flight Simulator X\\fsx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Picasa3\\Picasa3.exe"=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/12/2008 12:45 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/12/2008 12:45 360584]
    R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10752\AGCoreService.exe [14/02/2010 11:16 20480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 12:00 14336]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/11/2009 13:12 285392]
    R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [13/02/2007 18:57 2655848]
    R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [13/12/2008 12:28 1310720]
    S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [15/12/2008 18:25 10240]
    S2 gupdate1c976ffca94367e;Google Update Service (gupdate1c976ffca94367e);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2009 10:55 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [14/12/2008 10:18 30192]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-14 03:16]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
    MSConfigStartUp-AWMON - c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    MSConfigStartUp-C6501Sound - c6501.cpl
    MSConfigStartUp-nwiz - nwiz.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 22:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(2840)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-15 22:41:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-15 22:41

    Pre-Run: 70,023,098,368 bytes free
    Post-Run: 72,562,728,960 bytes free

    - - End Of File - - A1BA1A9F86ED3724995DB073AD5A28F1


    Hijack This Log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 22:44:53, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.register.epson-europe.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c976ffca94367e) (gupdate1c976ffca94367e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8571 bytes
     
  18. 2010/02/15
    coldwaterjohn Lifetime Subscription

    Deleted items in Safe Mode, but on reverting to Windows they have reappeared.

    Here is the CF_Log:

    ComboFix 10-02-12.01 - Owner 15/02/2010 22:27:21.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1515 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\My Documents\ZbThumbnail.info
    C:\text.txt
    c:\windows\winhelp.ini
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
    .

    2010-02-15 22:35 . 2010-02-15 22:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
    2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\program files\Kiwee Toolbar
    2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    2010-02-15 12:24 . 2010-02-15 12:24 -------- d-----w- c:\program files\Common Files\xing shared
    2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-15 08:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 22:00 . 2010-02-14 22:01 -------- d-----w- c:\program files\Unlocker
    2010-02-14 20:07 . 2010-02-14 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-02-14 14:56 . 2010-02-14 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-14 14:47 . 2010-02-14 14:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NokiaAccount
    2010-02-14 13:08 . 2010-02-14 14:41 -------- d-----w- c:\program files\UnifiedToolbar(4)
    2010-02-14 13:06 . 2010-02-14 13:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-02-14 11:16 . 2010-02-14 14:51 -------- d-----w- c:\program files\UnifiedToolbar
    2010-02-14 10:05 . 2010-02-14 10:05 -------- d-----w- c:\program files\Common Files\Java
    2010-02-12 12:45 . 2010-02-14 14:49 -------- d-----w- c:\program files\UnifiedToolbar(2)
    2010-02-11 08:57 . 2010-02-11 08:57 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-02-08 14:01 . 2010-02-08 14:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
    2010-01-29 20:02 . 2010-01-29 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia Ovi Suite
    2010-01-29 18:42 . 2010-01-29 18:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nokia
    2010-01-29 18:29 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-01-29 18:29 . 2010-02-14 14:46 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-01-29 18:28 . 2009-10-06 11:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-01-29 18:28 . 2009-10-06 11:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-01-29 18:28 . 2009-10-06 11:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-01-29 18:28 . 2009-10-06 11:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-01-22 14:41 . 2010-02-14 18:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-15 22:36 . 2009-12-17 08:56 -------- d-----w- c:\program files\Common Files\Akamai
    2010-02-15 21:44 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\agi
    2010-02-15 21:33 . 2008-12-14 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-02-15 20:24 . 2009-12-07 20:35 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-02-15 18:04 . 2009-10-07 10:49 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-15 16:02 . 2008-12-14 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-02-15 13:13 . 2008-12-29 11:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-15 12:29 . 2008-12-14 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-15 12:29 . 2008-12-14 02:02 -------- d-----r- c:\program files\Skype
    2010-02-15 12:24 . 2009-01-29 10:49 -------- d-----w- c:\program files\Common Files\Real
    2010-02-15 12:23 . 2008-12-16 12:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-02-15 12:23 . 2008-12-13 12:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-02-15 12:03 . 2010-02-15 12:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-14 21:55 . 2008-12-29 12:02 -------- d-----w- c:\program files\Java
    2010-02-14 20:07 . 2010-02-14 20:07 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-02-14 20:05 . 2009-03-22 20:43 -------- d-----w- c:\program files\MSECache
    2010-02-14 19:48 . 2009-11-25 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-14 15:25 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\Owner\Application Data\agi
    2010-02-14 14:52 . 2008-12-14 00:52 -------- d-----w- c:\program files\Google
    2010-02-14 14:51 . 2009-10-07 07:37 -------- d-----w- c:\program files\UCT
    2010-02-14 14:44 . 2009-09-23 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-14 14:42 . 2010-01-13 00:20 -------- d-----w- c:\program files\WinUndelete
    2010-02-14 14:42 . 2010-01-12 15:41 -------- d-----w- c:\program files\Evening Help Guide
    2010-02-14 14:31 . 2008-12-22 12:12 -------- d-----w- c:\program files\Weather
    2010-02-14 13:42 . 2008-12-15 18:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
    2010-02-12 11:11 . 2008-12-13 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
    2010-02-11 08:55 . 2008-12-15 18:25 -------- d-----w- c:\program files\AGI
    2010-01-29 20:02 . 2009-02-10 12:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
    2010-01-29 18:30 . 2009-02-10 12:46 -------- d-----w- c:\program files\Common Files\Nokia
    2010-01-29 18:29 . 2009-02-10 12:45 -------- d-----w- c:\program files\Nokia
    2010-01-29 18:27 . 2010-01-29 18:27 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
    2010-01-29 18:27 . 2010-01-29 18:27 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
    2010-01-29 18:27 . 2010-01-29 18:27 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
    2010-01-29 18:27 . 2010-01-29 18:27 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
    2010-01-29 17:45 . 2010-01-29 17:45 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
    2010-01-20 12:09 . 2008-12-13 13:18 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-18 09:49 . 2010-01-27 08:20 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-18 09:49 . 2010-01-27 08:20 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-12 16:08 . 2009-12-17 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-01-12 04:03 . 2009-12-17 13:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 04:03 . 2009-12-17 13:00 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 04:03 . 2009-12-17 13:00 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 04:03 . 2008-10-07 13:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03 . 2006-06-01 09:22 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03 . 2006-06-01 09:22 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03 . 2006-06-01 09:22 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03 . 2006-06-01 09:22 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-29 23:39 . 2009-01-28 17:11 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-28 00:15 . 2009-12-28 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
    2009-12-27 23:53 . 2009-12-28 00:15 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller_ALL.exe
    2009-12-27 08:49 . 2009-12-27 08:49 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-12-27 08:46 . 2009-12-27 08:46 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-27 08:46 . 2009-12-27 08:46 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-27 08:33 . 2009-02-10 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-12-27 08:33 . 2009-12-27 08:46 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
    2009-12-26 13:40 . 2009-03-20 00:17 -------- d-----w- c:\program files\PhotomatixPro3
    2009-12-26 10:29 . 2008-12-14 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-24 16:22 . 2009-01-28 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-12-24 10:57 . 2009-12-24 10:56 -------- d-----w- c:\program files\QuickTime
    2009-12-21 22:24 . 2009-01-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-20 11:25 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-12-17 11:37 . 2008-12-13 12:42 30696 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-17 10:57 . 2009-12-17 08:57 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    2009-12-17 10:57 . 2009-12-17 08:57 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-12-16 18:43 . 2008-12-13 12:09 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 09:23 . 2008-04-14 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
    2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-27 17:11 . 2008-04-14 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:07 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-25 13:12 . 2008-12-13 12:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-25 13:12 . 2008-12-13 12:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-21 02:34 . 2008-12-13 12:41 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 02:34 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-19 21:42 . 2008-12-13 12:24 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-19 11:48 . 2009-12-01 12:06 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 11:48 . 2009-12-01 12:06 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 11:48 . 2009-12-01 12:06 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 11:48 . 2009-12-01 12:06 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2008-12-23 00:50 . 2008-12-23 00:50 4096 --sha-w- c:\program files\Thumbs.db
    2007-04-14 00:39 . 2008-11-26 03:03 48668560 ----a-w- c:\program files\MapSource_6123.exe
    2004-10-01 15:00 . 2008-12-13 13:14 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    2009-11-22 03:45 . 2008-12-14 10:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
    "{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}"= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
    [HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"= "c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
    "TkBellExe"= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
    "SunJavaUpdateSched"= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "KiweeHook"= "c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe" [2009-11-25 56544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
    2003-09-11 03:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-11-22 03:45 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
    2009-11-25 11:46 56544 ----a-w- c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2008-12-14 18:35 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2004-06-08 12:31 29696 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2009-12-10 15:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-11 22:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-11 22:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 17:35 32768 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 16:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 15:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
    2006-09-07 10:13 208896 ----a-r- c:\windows\system32\sw20.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
    2006-09-07 10:14 69632 ----a-r- c:\windows\system32\sw24.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
    2006-10-03 06:37 217088 ----a-r- c:\windows\system32\WinSys2.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "e:\\Program Files\\Microsoft Flight Simulator X\\fsx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Picasa3\\Picasa3.exe"=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/12/2008 12:45 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/12/2008 12:45 360584]
    R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10752\AGCoreService.exe [14/02/2010 11:16 20480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 12:00 14336]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/11/2009 13:12 285392]
    R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [13/02/2007 18:57 2655848]
    R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [13/12/2008 12:28 1310720]
    S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [15/12/2008 18:25 10240]
    S2 gupdate1c976ffca94367e;Google Update Service (gupdate1c976ffca94367e);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2009 10:55 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [14/12/2008 10:18 30192]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-14 03:16]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
    MSConfigStartUp-AWMON - c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    MSConfigStartUp-C6501Sound - c6501.cpl
    MSConfigStartUp-nwiz - nwiz.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 22:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(2840)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-15 22:41:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-15 22:41

    Pre-Run: 70,023,098,368 bytes free
    Post-Run: 72,562,728,960 bytes free

    - - End Of File - - A1BA1A9F86ED3724995DB073AD5A28F1
     
  19. 2010/02/15
    coldwaterjohn Lifetime Subscription

    Here is the latest Hijack This Log, which still contains the items which had previously been removed under Fix Checked.

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 22:44:53, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.register.epson-europe.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c976ffca94367e) (gupdate1c976ffca94367e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8571 bytes
     
  20. 2010/02/15
    crunchie

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\windows\system32\WinSys2.exe
    Folder::
    c:\program files\Kiwee Toolbar
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KiweeHook"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    • A new HijackThis log.
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
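    A way to check the outcome of a run like the one described in the steps above: the Python example below is added here (it is not part of the original post and not a ComboFix feature). It parses the File::, Folder:: and Registry:: sections of the CFScript and reports which targets still appear in a ComboFix log. The function names are assumptions made for this illustration, and the log text is a trimmed excerpt in the layout of the ComboFix log posted in this thread.

```python
import re

# CFScript from the post above (value name written without the stray space).
CFSCRIPT = r"""KillAll::

File::
c:\windows\system32\WinSys2.exe
Folder::
c:\program files\Kiwee Toolbar
c:\documents and settings\All Users\Application Data\Kiwee Toolbar

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiweeHook"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
"""

# Trimmed excerpt in the layout of the ComboFix log posted in this thread.
COMBOFIX_LOG = r"""
2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\program files\Kiwee Toolbar
2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"KiweeHook "= "c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe" [2009-11-25 56544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
2009-11-25 11:46 56544 ----a-w- c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 16:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
2006-10-03 06:37 217088 ----a-r- c:\windows\system32\WinSys2.exe
"""

# A dated listing line ends with a drive-letter path; a value line starts with "name"=
DATED_PATH = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d .*?([a-zA-Z]:\\.+)$")
REG_VALUE = re.compile(r'^"([^"]*)"\s*=')


def norm(s):
    """Lower-case and collapse whitespace so script and log spellings compare equal."""
    return " ".join(s.split()).lower()


def parse_cfscript(text):
    """Collect the paths, registry keys and registry values the script removes."""
    targets = {"paths": [], "reg_keys": [], "reg_values": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            section, key = header.group(1).lower(), None
        elif section in ("file", "folder"):
            targets["paths"].append(norm(line))
        elif section == "registry":
            if line.startswith("[-"):            # [-key] deletes the whole key
                targets["reg_keys"].append(norm(line[2:-1]))
            elif line.startswith("["):           # [key] sets context for values
                key = norm(line[1:-1])
            else:                                # "name"=- deletes one value
                value = re.fullmatch(r'"([^"]*)"\s*=\s*-', line)
                if value and key:
                    targets["reg_values"].append((key, norm(value.group(1))))
    return targets


def parse_log(text):
    """Return the paths, registry keys and (key, value name) pairs seen in a log."""
    paths, keys, values = set(), set(), set()
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            key = None                           # a blank line ends a key block
        elif line.startswith("[") and line.endswith("]"):
            key = norm(line[1:-1])
            keys.add(key)
        elif DATED_PATH.match(line):
            paths.add(norm(DATED_PATH.match(line).group(1)))
        elif key and REG_VALUE.match(line):
            values.add((key, norm(REG_VALUE.match(line).group(1))))
    return paths, keys, values


def leftovers(script_text, log_text):
    """List every CFScript target that the log still shows, with the evidence."""
    targets = parse_cfscript(script_text)
    paths, keys, values = parse_log(log_text)
    found = []
    for target in targets["paths"]:
        # Match the target itself or anything beneath it, not a sibling name.
        hits = sorted(p for p in paths if p == target or p.startswith(target + "\\"))
        if hits:
            found.append(("path", target, hits))
    for key in targets["reg_keys"]:
        if key in keys:
            found.append(("reg_key", key, [key]))
    for key, name in targets["reg_values"]:
        if (key, name) in values:
            found.append(("reg_value", key + "\\" + name, [name]))
    return found


if __name__ == "__main__":
    for kind, target, evidence in leftovers(CFSCRIPT, COMBOFIX_LOG):
        print(f"{kind:9} still present: {target}  ({len(evidence)} log entr(y/ies))")
```

    An empty result means none of the script's targets show up in the log that was checked; it does not cover locations the script never listed.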
     
  21. 2010/02/15
    coldwaterjohn Lifetime Subscription

    Here's the CF Log - Still seems to be a problem....

    ComboFix 10-02-12.01 - Owner 15/02/2010 22:27:21.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1515 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\My Documents\ZbThumbnail.info
    C:\text.txt
    c:\windows\winhelp.ini
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
    .

    2010-02-15 22:35 . 2010-02-15 22:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
    2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\program files\Kiwee Toolbar
    2010-02-15 22:09 . 2010-02-15 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    2010-02-15 12:24 . 2010-02-15 12:24 -------- d-----w- c:\program files\Common Files\xing shared
    2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-15 08:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 22:00 . 2010-02-14 22:01 -------- d-----w- c:\program files\Unlocker
    2010-02-14 20:07 . 2010-02-14 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-02-14 14:56 . 2010-02-14 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-14 14:47 . 2010-02-14 14:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NokiaAccount
    2010-02-14 13:08 . 2010-02-14 14:41 -------- d-----w- c:\program files\UnifiedToolbar(4)
    2010-02-14 13:06 . 2010-02-14 13:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-02-14 11:16 . 2010-02-14 14:51 -------- d-----w- c:\program files\UnifiedToolbar
    2010-02-14 10:05 . 2010-02-14 10:05 -------- d-----w- c:\program files\Common Files\Java
    2010-02-12 12:45 . 2010-02-14 14:49 -------- d-----w- c:\program files\UnifiedToolbar(2)
    2010-02-11 08:57 . 2010-02-11 08:57 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-02-08 14:01 . 2010-02-08 14:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
    2010-01-29 20:02 . 2010-01-29 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia Ovi Suite
    2010-01-29 18:42 . 2010-01-29 18:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nokia
    2010-01-29 18:29 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-01-29 18:29 . 2010-02-14 14:46 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-01-29 18:28 . 2009-10-06 11:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-01-29 18:28 . 2009-10-06 11:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-01-29 18:28 . 2009-10-06 11:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-01-29 18:28 . 2009-10-06 11:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-01-22 14:41 . 2010-02-14 18:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-15 22:36 . 2009-12-17 08:56 -------- d-----w- c:\program files\Common Files\Akamai
    2010-02-15 21:44 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\agi
    2010-02-15 21:33 . 2008-12-14 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-02-15 20:24 . 2009-12-07 20:35 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-02-15 18:04 . 2009-10-07 10:49 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-15 16:02 . 2008-12-14 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-02-15 13:13 . 2008-12-29 11:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-15 12:29 . 2008-12-14 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-15 12:29 . 2008-12-14 02:02 -------- d-----r- c:\program files\Skype
    2010-02-15 12:24 . 2009-01-29 10:49 -------- d-----w- c:\program files\Common Files\Real
    2010-02-15 12:23 . 2008-12-16 12:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-02-15 12:23 . 2008-12-13 12:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-02-15 12:03 . 2010-02-15 12:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-14 21:55 . 2008-12-29 12:02 -------- d-----w- c:\program files\Java
    2010-02-14 20:07 . 2010-02-14 20:07 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-02-14 20:05 . 2009-03-22 20:43 -------- d-----w- c:\program files\MSECache
    2010-02-14 19:48 . 2009-11-25 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-14 15:25 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\Owner\Application Data\agi
    2010-02-14 14:52 . 2008-12-14 00:52 -------- d-----w- c:\program files\Google
    2010-02-14 14:51 . 2009-10-07 07:37 -------- d-----w- c:\program files\UCT
    2010-02-14 14:44 . 2009-09-23 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-14 14:42 . 2010-01-13 00:20 -------- d-----w- c:\program files\WinUndelete
    2010-02-14 14:42 . 2010-01-12 15:41 -------- d-----w- c:\program files\Evening Help Guide
    2010-02-14 14:31 . 2008-12-22 12:12 -------- d-----w- c:\program files\Weather
    2010-02-14 13:42 . 2008-12-15 18:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
    2010-02-12 11:11 . 2008-12-13 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
    2010-02-11 08:55 . 2008-12-15 18:25 -------- d-----w- c:\program files\AGI
    2010-01-29 20:02 . 2009-02-10 12:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
    2010-01-29 18:30 . 2009-02-10 12:46 -------- d-----w- c:\program files\Common Files\Nokia
    2010-01-29 18:29 . 2009-02-10 12:45 -------- d-----w- c:\program files\Nokia
    2010-01-29 18:27 . 2010-01-29 18:27 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
    2010-01-29 18:27 . 2010-01-29 18:27 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
    2010-01-29 18:27 . 2010-01-29 18:27 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
    2010-01-29 18:27 . 2010-01-29 18:27 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
    2010-01-29 17:45 . 2010-01-29 17:45 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
    2010-01-20 12:09 . 2008-12-13 13:18 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-18 09:49 . 2010-01-27 08:20 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-18 09:49 . 2010-01-27 08:20 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-12 16:08 . 2009-12-17 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-01-12 04:03 . 2009-12-17 13:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 04:03 . 2009-12-17 13:00 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 04:03 . 2009-12-17 13:00 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 04:03 . 2008-10-07 13:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03 . 2006-06-01 09:22 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03 . 2006-06-01 09:22 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03 . 2006-06-01 09:22 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03 . 2006-06-01 09:22 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-29 23:39 . 2009-01-28 17:11 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-28 00:15 . 2009-12-28 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
    2009-12-27 23:53 . 2009-12-28 00:15 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller_ALL.exe
    2009-12-27 08:49 . 2009-12-27 08:49 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-12-27 08:46 . 2009-12-27 08:46 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-27 08:46 . 2009-12-27 08:46 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-27 08:33 . 2009-02-10 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-12-27 08:33 . 2009-12-27 08:46 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
    2009-12-26 13:40 . 2009-03-20 00:17 -------- d-----w- c:\program files\PhotomatixPro3
    2009-12-26 10:29 . 2008-12-14 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-24 16:22 . 2009-01-28 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-12-24 10:57 . 2009-12-24 10:56 -------- d-----w- c:\program files\QuickTime
    2009-12-21 22:24 . 2009-01-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-20 11:25 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-12-17 11:37 . 2008-12-13 12:42 30696 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-17 10:57 . 2009-12-17 08:57 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    2009-12-17 10:57 . 2009-12-17 08:57 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-12-16 18:43 . 2008-12-13 12:09 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 09:23 . 2008-04-14 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
    2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-27 17:11 . 2008-04-14 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:07 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-25 13:12 . 2008-12-13 12:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-25 13:12 . 2008-12-13 12:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-21 02:34 . 2008-12-13 12:41 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 02:34 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-19 21:42 . 2008-12-13 12:24 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-19 11:48 . 2009-12-01 12:06 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 11:48 . 2009-12-01 12:06 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 11:48 . 2009-12-01 12:06 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 11:48 . 2009-12-01 12:06 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2008-12-23 00:50 . 2008-12-23 00:50 4096 --sha-w- c:\program files\Thumbs.db
    2007-04-14 00:39 . 2008-11-26 03:03 48668560 ----a-w- c:\program files\MapSource_6123.exe
    2004-10-01 15:00 . 2008-12-13 13:14 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    2009-11-22 03:45 . 2008-12-14 10:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A} "= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
    "{1c99b848-84cb-4ce4-8cd8-ed5719484d9f} "= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
    [HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "KiweeHook "= "c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe" [2009-11-25 56544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
    2003-09-11 03:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-11-22 03:45 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
    2009-11-25 11:46 56544 ----a-w- c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2008-12-14 18:35 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2004-06-08 12:31 29696 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2009-12-10 15:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-11 22:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-11 22:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 17:35 32768 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 16:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 15:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
    2006-09-07 10:13 208896 ----a-r- c:\windows\system32\sw20.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
    2006-09-07 10:14 69632 ----a-r- c:\windows\system32\sw24.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
    2006-10-03 06:37 217088 ----a-r- c:\windows\system32\WinSys2.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe "=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "e:\\Program Files\\Microsoft Flight Simulator X\\fsx.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Google\\Picasa3\\Picasa3.exe "=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP "= 5353:TCP:Adobe CSI CS4

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/12/2008 12:45 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/12/2008 12:45 360584]
    R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10752\AGCoreService.exe [14/02/2010 11:16 20480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 12:00 14336]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/11/2009 13:12 285392]
    R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [13/02/2007 18:57 2655848]
    R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [13/12/2008 12:28 1310720]
    S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [15/12/2008 18:25 10240]
    S2 gupdate1c976ffca94367e;Google Update Service (gupdate1c976ffca94367e);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2009 10:55 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [14/12/2008 10:18 30192]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-14 03:16]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
    MSConfigStartUp-AWMON - c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    MSConfigStartUp-C6501Sound - c6501.cpl
    MSConfigStartUp-nwiz - nwiz.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 22:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(2840)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-15 22:41:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-15 22:41

    Pre-Run: 70,023,098,368 bytes free
    Post-Run: 72,562,728,960 bytes free

    - - End Of File - - A1BA1A9F86ED3724995DB073AD5A28F1
     
