
Solved Kiwee Toolbar removal problems.

Discussion in 'Malware and Virus Removal Archive' started by coldwaterjohn, 2010/02/14.

  1. 2010/02/15
    coldwaterjohn (Thread Starter)
    Here's the latest HijackThis log. It shows that the items previously deleted, prior to the safe mode actions, are still there....

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 22:44:53, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.register.epson-europe.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c976ffca94367e) (gupdate1c976ffca94367e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8571 bytes
     
  2. 2010/02/15
    coldwaterjohn (Thread Starter)
    Crunchie - your message about copying and pasting something into CF seems to have disappeared. But I copied it as instructed and saved it as txt to desktop and then dragged it onto the ComboFix icon, which seemed to trigger CF to execute.
    Here is the latest CF log from a few minutes ago. The HijackThis log will follow.
    ComboFix 10-02-12.01 - Owner 15/02/2010 23:16:04.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1360 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\system32\WinSys2.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\content_a.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\content_m.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\content_y.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\logger.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\toolbarIM_a.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\toolbarIM_m.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\toolbarIM_y.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\allow.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\block.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\dontsend.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbardropdownmenu.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsHelprolloverbase.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm1rolloverbase.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm1rolloverbase_bg.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm1rolloverbase_dp.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm2rolloverbase.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarstextrollover.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\kiwee_iconX16.ico
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\kiwee_iconX48.ico
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\send.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\X.bmp
    c:\program files\Kiwee Toolbar
    c:\program files\Kiwee Toolbar\3.2\agicore.dll
    c:\program files\Kiwee Toolbar\3.2\AGTBCore.dll
    c:\program files\Kiwee Toolbar\3.2\AolIMToolbar.dll
    c:\program files\Kiwee Toolbar\3.2\delight.dll
    c:\program files\Kiwee Toolbar\3.2\dependencies.zip
    c:\program files\Kiwee Toolbar\3.2\f_in_box.dll
    c:\program files\Kiwee Toolbar\3.2\f_in_box__lib.dll
    c:\program files\Kiwee Toolbar\3.2\FlashCOM.dll
    c:\program files\Kiwee Toolbar\3.2\ICSharpCode.SharpZipLib.dll
    c:\program files\Kiwee Toolbar\3.2\Interop.SHDocVw.dll
    c:\program files\Kiwee Toolbar\3.2\JsonExSerializer.dll
    c:\program files\Kiwee Toolbar\3.2\kiweechatbar.zip
    c:\program files\Kiwee Toolbar\3.2\KiweeCommonCtrls.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeContentHost.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeDependencyServicePlugin.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeIMToolbar.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeTBCore.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeTBCore.tlb
    c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe
    c:\program files\Kiwee Toolbar\3.2\log4net.dll
    c:\program files\Kiwee Toolbar\3.2\mfc80u.dll
    c:\program files\Kiwee Toolbar\3.2\Microsoft.VC80.CRT.manifest
    c:\program files\Kiwee Toolbar\3.2\Microsoft.VC80.MFC.manifest
    c:\program files\Kiwee Toolbar\3.2\msimg32.dll
    c:\program files\Kiwee Toolbar\3.2\MsnIMToolbar.dll
    c:\program files\Kiwee Toolbar\3.2\msvcp80.dll
    c:\program files\Kiwee Toolbar\3.2\msvcr80.dll
    c:\program files\Kiwee Toolbar\3.2\Riched20.dll
    c:\windows\system32\WinSys2.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
    .

    2010-02-15 22:35 . 2010-02-15 22:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
    2010-02-15 12:24 . 2010-02-15 12:24 -------- d-----w- c:\program files\Common Files\xing shared
    2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-15 08:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 22:00 . 2010-02-14 22:01 -------- d-----w- c:\program files\Unlocker
    2010-02-14 20:07 . 2010-02-14 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-02-14 14:56 . 2010-02-14 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-14 14:47 . 2010-02-14 14:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NokiaAccount
    2010-02-14 13:08 . 2010-02-14 14:41 -------- d-----w- c:\program files\UnifiedToolbar(4)
    2010-02-14 13:06 . 2010-02-14 13:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-02-14 11:16 . 2010-02-14 14:51 -------- d-----w- c:\program files\UnifiedToolbar
    2010-02-14 10:05 . 2010-02-14 10:05 -------- d-----w- c:\program files\Common Files\Java
    2010-02-12 12:45 . 2010-02-14 14:49 -------- d-----w- c:\program files\UnifiedToolbar(2)
    2010-02-11 08:57 . 2010-02-11 08:57 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-02-08 14:01 . 2010-02-08 14:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
    2010-01-29 20:02 . 2010-01-29 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia Ovi Suite
    2010-01-29 18:42 . 2010-01-29 18:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nokia
    2010-01-29 18:29 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-01-29 18:29 . 2010-02-14 14:46 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-01-29 18:28 . 2009-10-06 11:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-01-29 18:28 . 2009-10-06 11:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-01-29 18:28 . 2009-10-06 11:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-01-29 18:28 . 2009-10-06 11:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-01-22 14:41 . 2010-02-14 18:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-15 23:24 . 2009-12-07 20:35 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-02-15 23:23 . 2010-02-15 23:23 -------- d-----w- c:\program files\Kiwee Toolbar
    2010-02-15 23:23 . 2010-02-15 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    2010-02-15 23:22 . 2009-12-17 08:56 -------- d-----w- c:\program files\Common Files\Akamai
    2010-02-15 21:44 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\agi
    2010-02-15 21:33 . 2008-12-14 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-02-15 18:04 . 2009-10-07 10:49 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-15 16:02 . 2008-12-14 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-02-15 13:13 . 2008-12-29 11:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-15 12:29 . 2008-12-14 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-15 12:29 . 2008-12-14 02:02 -------- d-----r- c:\program files\Skype
    2010-02-15 12:24 . 2009-01-29 10:49 -------- d-----w- c:\program files\Common Files\Real
    2010-02-15 12:23 . 2008-12-16 12:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-02-15 12:23 . 2008-12-13 12:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-02-15 12:03 . 2010-02-15 12:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-14 21:55 . 2008-12-29 12:02 -------- d-----w- c:\program files\Java
    2010-02-14 20:07 . 2010-02-14 20:07 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-02-14 20:05 . 2009-03-22 20:43 -------- d-----w- c:\program files\MSECache
    2010-02-14 19:48 . 2009-11-25 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-14 15:25 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\Owner\Application Data\agi
    2010-02-14 14:52 . 2008-12-14 00:52 -------- d-----w- c:\program files\Google
    2010-02-14 14:51 . 2009-10-07 07:37 -------- d-----w- c:\program files\UCT
    2010-02-14 14:44 . 2009-09-23 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-14 14:42 . 2010-01-13 00:20 -------- d-----w- c:\program files\WinUndelete
    2010-02-14 14:42 . 2010-01-12 15:41 -------- d-----w- c:\program files\Evening Help Guide
    2010-02-14 14:31 . 2008-12-22 12:12 -------- d-----w- c:\program files\Weather
    2010-02-14 13:42 . 2008-12-15 18:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
    2010-02-12 11:11 . 2008-12-13 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
    2010-02-11 08:55 . 2008-12-15 18:25 -------- d-----w- c:\program files\AGI
    2010-01-29 20:02 . 2009-02-10 12:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
    2010-01-29 18:30 . 2009-02-10 12:46 -------- d-----w- c:\program files\Common Files\Nokia
    2010-01-29 18:29 . 2009-02-10 12:45 -------- d-----w- c:\program files\Nokia
    2010-01-29 18:27 . 2010-01-29 18:27 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
    2010-01-29 18:27 . 2010-01-29 18:27 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
    2010-01-29 18:27 . 2010-01-29 18:27 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
    2010-01-29 18:27 . 2010-01-29 18:27 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
    2010-01-29 17:45 . 2010-01-29 17:45 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
    2010-01-20 12:09 . 2008-12-13 13:18 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-18 09:49 . 2010-01-27 08:20 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-18 09:49 . 2010-01-27 08:20 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-12 16:08 . 2009-12-17 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-01-12 04:03 . 2009-12-17 13:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 04:03 . 2009-12-17 13:00 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 04:03 . 2009-12-17 13:00 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 04:03 . 2008-10-07 13:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03 . 2006-06-01 09:22 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03 . 2006-06-01 09:22 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03 . 2006-06-01 09:22 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03 . 2006-06-01 09:22 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-29 23:39 . 2009-01-28 17:11 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-28 00:15 . 2009-12-28 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
    2009-12-27 23:53 . 2009-12-28 00:15 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller_ALL.exe
    2009-12-27 08:49 . 2009-12-27 08:49 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-12-27 08:46 . 2009-12-27 08:46 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-27 08:46 . 2009-12-27 08:46 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-27 08:33 . 2009-02-10 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-12-27 08:33 . 2009-12-27 08:46 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
    2009-12-26 13:40 . 2009-03-20 00:17 -------- d-----w- c:\program files\PhotomatixPro3
    2009-12-26 10:29 . 2008-12-14 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-24 16:22 . 2009-01-28 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-12-24 10:57 . 2009-12-24 10:56 -------- d-----w- c:\program files\QuickTime
    2009-12-21 22:24 . 2009-01-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-12-21 19:14 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-20 11:25 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-12-17 11:37 . 2008-12-13 12:42 30696 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-17 10:57 . 2009-12-17 08:57 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    2009-12-17 10:57 . 2009-12-17 08:57 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-12-16 18:43 . 2008-12-13 12:09 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 09:23 . 2008-04-14 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
    2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-27 17:11 . 2008-04-14 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:07 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-25 13:12 . 2008-12-13 12:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-25 13:12 . 2008-12-13 12:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-21 02:34 . 2008-12-13 12:41 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 02:34 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-19 21:42 . 2008-12-13 12:24 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-19 11:48 . 2009-12-01 12:06 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 11:48 . 2009-12-01 12:06 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 11:48 . 2009-12-01 12:06 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 11:48 . 2009-12-01 12:06 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2008-12-23 00:50 . 2008-12-23 00:50 4096 --sha-w- c:\program files\Thumbs.db
    2009-11-22 03:45 . 2008-12-14 10:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-15_22.36.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-02-15 23:21 . 2010-02-15 23:21 16384 c:\windows\Temp\Perflib_Perfdata_76c.dat
    + 2010-02-15 23:21 . 2010-02-15 23:21 16384 c:\windows\Temp\Perflib_Perfdata_66c.dat
    + 2010-02-15 23:21 . 2010-02-15 23:21 16384 c:\windows\Temp\Perflib_Perfdata_108.dat
    - 2010-02-15 22:35 . 2010-02-15 22:35 98304 c:\windows\Temp\AGI\JsonExSerializer.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 98304 c:\windows\Temp\AGI\JsonExSerializer.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 86016 c:\windows\Temp\AGI\InstallLibrary.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 86016 c:\windows\Temp\AGI\InstallLibrary.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 30112 c:\windows\Temp\AGI\Installer.exe
    - 2010-02-15 22:35 . 2010-02-15 22:35 30112 c:\windows\Temp\AGI\Installer.exe
    + 2010-02-15 23:22 . 2010-02-15 23:22 45056 c:\windows\Temp\AGI\delight.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 45056 c:\windows\Temp\AGI\delight.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 270336 c:\windows\Temp\AGI\log4net.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 270336 c:\windows\Temp\AGI\log4net.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 126976 c:\windows\Temp\AGI\Interop.SHDocVw.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 126976 c:\windows\Temp\AGI\Interop.SHDocVw.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 192512 c:\windows\Temp\AGI\ICSharpCode.SharpZipLib.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 192512 c:\windows\Temp\AGI\ICSharpCode.SharpZipLib.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 266240 c:\windows\Temp\AGI\f_in_box__lib.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 266240 c:\windows\Temp\AGI\f_in_box__lib.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 217088 c:\windows\Temp\AGI\f_in_box.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 217088 c:\windows\Temp\AGI\f_in_box.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 163840 c:\windows\Temp\AGI\agicore.dll
    + 2010-02-15 23:22 . 2010-02-15 23:22 163840 c:\windows\Temp\AGI\agicore.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
    "{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}"= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
    [HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"= "c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
    "TkBellExe"= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
    "SunJavaUpdateSched"= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "KiweeHook"= "c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe" [2009-11-25 56544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
    2003-09-11 03:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-11-22 03:45 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2008-12-14 18:35 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2004-06-08 12:31 29696 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2009-12-10 15:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-11 22:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-11 22:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 17:35 32768 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 16:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 15:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
    2006-09-07 10:13 208896 ----a-r- c:\windows\system32\sw20.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
    2006-09-07 10:14 69632 ----a-r- c:\windows\system32\sw24.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "e:\\Program Files\\Microsoft Flight Simulator X\\fsx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Picasa3\\Picasa3.exe"=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/12/2008 12:45 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/12/2008 12:45 360584]
    R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10752\AGCoreService.exe [14/02/2010 11:16 20480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 12:00 14336]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/11/2009 13:12 285392]
    R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [13/02/2007 18:57 2655848]
    R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [13/12/2008 12:28 1310720]
    S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [15/12/2008 18:25 10240]
    S2 gupdate1c976ffca94367e;Google Update Service (gupdate1c976ffca94367e);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2009 10:55 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [14/12/2008 10:18 30192]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-14 03:16]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 23:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(1352)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-15 23:27:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-15 23:27
    ComboFix2.txt 2010-02-15 22:41

    Pre-Run: 72,578,183,168 bytes free
    Post-Run: 72,530,759,680 bytes free

    - - End Of File - - 5571999CE644F4EB70350ADFEC59C16F
     


  4. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    101
    Likes Received:
    0
    The latest HijackThis log follows now (23:36 GMT, 15-02-2010):
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 23:37:09, on 15/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.register.epson-europe.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c976ffca94367e) (gupdate1c976ffca94367e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8599 bytes
     
  5. 2010/02/15
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    One more time.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    Folder::
    c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
    c:\program files\Kiwee Toolbar
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KiweeHook"=-
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    • A new HijackThis log.
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
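As an added example (not part of the thread and not a ComboFix tool), the check a helper would want after step 7: parse the Folder:: and Registry:: sections of the CFScript above and compare them against the ComboFix log, confirming each folder appears under "Other Deletions", that no "Name"=- value is still listed under "Reg Loading Points", and flagging a deleted folder that reappears under "Files Created" in the same run. The script text is crunchie's re-typed; the log excerpt is constructed from cut-down lines in the shape of the logs posted in this thread.

```python
import re

# Constructed excerpts in the shape of the CFScript and ComboFix log in this thread:
# the script is crunchie's re-typed, the log lines are cut down from the posted logs.
CFSCRIPT = r"""
KillAll::

Folder::
c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
c:\program files\Kiwee Toolbar
c:\documents and settings\All Users\Application Data\Kiwee Toolbar

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiweeHook"=-
"""

COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Kiwee Toolbar
c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
c:\program files\Kiwee Toolbar
c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"= "c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"TkBellExe"= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
------- Supplementary Scan -------
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}

def norm_key(key):
    """Expand hive abbreviations and lower-case, so script and log keys compare equal."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()

def parse_cfscript(text):
    """Return (Folder:: paths, [(key, value)] for every "Name"=- value deletion)."""
    folders, values, section, key = [], [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):                  # KillAll::, Folder::, Registry:: ...
            section, key = line[:-2], None
        elif section == "Folder":
            folders.append(line.lower())
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = norm_key(line[1:-1])
            else:                                # tolerate the forum's stray space: "Name "=-
                m = re.match(r'^"(?P<name>[^"]+)"\s*=-$', line)
                if m and key:
                    values.append((key, m["name"].strip().lower()))
    return folders, values

def parse_combofix_log(text):
    """Return (paths under Other Deletions, paths under Files Created, {run key: value names})."""
    deleted, created, run_values, section, key = set(), set(), {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("((((") or line.startswith("-----"):   # a banner opens a new section
            key = None
            section = ("deletions" if "Other Deletions" in line else
                       "created" if "Files Created" in line else
                       "reg" if "Reg Loading Points" in line else None)
        elif section == "deletions" and re.match(r"^[A-Za-z]:\\", line):
            deleted.add(line.lower())
        elif section == "created":               # "date time . date time size attrs path"
            m = re.match(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. .*?([A-Za-z]:\\.*)$", line)
            if m:
                created.add(m.group(1).lower())
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = norm_key(line[1:-1])
            elif key and line.startswith('"'):   # "Name"= "path" [date size]
                m = re.match(r'^"(?P<name>[^"]+)"\s*=', line)
                if m:
                    run_values.setdefault(key, set()).add(m["name"].strip().lower())
    return deleted, created, run_values

def verify(cfscript, combofix_log):
    """folders_missing: never reported deleted; folders_recreated: deleted but listed
    again under Files Created (a still-running component rewrote them);
    values_present: "Name"=- targets still listed under Reg Loading Points."""
    folders, values = parse_cfscript(cfscript)
    deleted, created, run_values = parse_combofix_log(combofix_log)
    return {
        "folders_missing": sorted(f for f in folders if f not in deleted),
        "folders_recreated": sorted(f for f in folders if f in deleted and f in created),
        "values_present": sorted((k, v) for k, v in values if v in run_values.get(k, set())),
    }
```

A folder that is deleted and then reappears in the same run points at a component that was still running when the script executed, which is why step 5 matters and why the "Files Created" section of the next log is worth reading as closely as "Other Deletions".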
  6. 2010/02/15
    coldwaterjohn Lifetime Subscription

    coldwaterjohn Inactive Thread Starter

    Joined:
    2010/02/14
    Messages:
    101
    Likes Received:
    0
    Crunchie, here is the latest CF log (23:59 GMT):
    ComboFix 10-02-12.01 - Owner 15/02/2010 23:47:29.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1478 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\content_a.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\content_m.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\content_y.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\logger.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\toolbarIM_a.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\toolbarIM_m.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\config\toolbarIM_y.xml
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\allow.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\block.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\dontsend.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbardropdownmenu.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsHelprolloverbase.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm1rolloverbase.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm1rolloverbase_bg.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm1rolloverbase_dp.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarsm2rolloverbase.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\im_toolbarstextrollover.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\kiwee_iconX16.ico
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\kiwee_iconX48.ico
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\send.bmp
    c:\documents and settings\All Users\Application Data\Kiwee Toolbar\images\X.bmp
    c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar
    c:\documents and settings\Owner\Local Settings\Application Data\Kiwee Toolbar\Logs\KiweeHook.log
    c:\program files\Kiwee Toolbar
    c:\program files\Kiwee Toolbar\3.2\agicore.dll
    c:\program files\Kiwee Toolbar\3.2\AGTBCore.dll
    c:\program files\Kiwee Toolbar\3.2\AolIMToolbar.dll
    c:\program files\Kiwee Toolbar\3.2\delight.dll
    c:\program files\Kiwee Toolbar\3.2\dependencies.zip
    c:\program files\Kiwee Toolbar\3.2\f_in_box.dll
    c:\program files\Kiwee Toolbar\3.2\f_in_box__lib.dll
    c:\program files\Kiwee Toolbar\3.2\FlashCOM.dll
    c:\program files\Kiwee Toolbar\3.2\ICSharpCode.SharpZipLib.dll
    c:\program files\Kiwee Toolbar\3.2\Interop.SHDocVw.dll
    c:\program files\Kiwee Toolbar\3.2\JsonExSerializer.dll
    c:\program files\Kiwee Toolbar\3.2\kiweechatbar.zip
    c:\program files\Kiwee Toolbar\3.2\KiweeCommonCtrls.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeContentHost.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeDependencyServicePlugin.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeIMToolbar.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeTBCore.dll
    c:\program files\Kiwee Toolbar\3.2\KiweeTBCore.tlb
    c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe
    c:\program files\Kiwee Toolbar\3.2\log4net.dll
    c:\program files\Kiwee Toolbar\3.2\mfc80u.dll
    c:\program files\Kiwee Toolbar\3.2\Microsoft.VC80.CRT.manifest
    c:\program files\Kiwee Toolbar\3.2\Microsoft.VC80.MFC.manifest
    c:\program files\Kiwee Toolbar\3.2\msimg32.dll
    c:\program files\Kiwee Toolbar\3.2\MsnIMToolbar.dll
    c:\program files\Kiwee Toolbar\3.2\msvcp80.dll
    c:\program files\Kiwee Toolbar\3.2\msvcr80.dll
    c:\program files\Kiwee Toolbar\3.2\Riched20.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
    .

    2010-02-15 23:54 . 2010-02-15 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kiwee Toolbar
    2010-02-15 12:24 . 2010-02-15 12:24 -------- d-----w- c:\program files\Common Files\xing shared
    2010-02-15 12:03 . 2010-02-15 12:03 -------- d-----w- c:\program files\TrendMicro
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-15 08:57 . 2010-02-15 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-15 08:57 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-14 22:00 . 2010-02-14 22:01 -------- d-----w- c:\program files\Unlocker
    2010-02-14 20:07 . 2010-02-14 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-02-14 14:56 . 2010-02-14 14:56 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-14 14:47 . 2010-02-14 14:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NokiaAccount
    2010-02-14 13:08 . 2010-02-14 14:41 -------- d-----w- c:\program files\UnifiedToolbar(4)
    2010-02-14 13:06 . 2010-02-14 13:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-02-14 11:16 . 2010-02-14 14:51 -------- d-----w- c:\program files\UnifiedToolbar
    2010-02-14 10:05 . 2010-02-14 10:05 -------- d-----w- c:\program files\Common Files\Java
    2010-02-12 12:45 . 2010-02-14 14:49 -------- d-----w- c:\program files\UnifiedToolbar(2)
    2010-02-11 08:57 . 2010-02-11 08:57 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-02-08 14:01 . 2010-02-08 14:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
    2010-01-29 20:02 . 2010-01-29 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia Ovi Suite
    2010-01-29 18:42 . 2010-01-29 18:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Nokia
    2010-01-29 18:29 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2010-01-29 18:29 . 2010-02-14 14:46 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-01-29 18:28 . 2009-10-06 11:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-01-29 18:28 . 2009-10-06 11:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-01-29 18:28 . 2009-10-06 11:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-01-29 18:28 . 2009-10-06 11:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-01-29 18:28 . 2009-10-06 11:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-01-22 14:41 . 2010-02-14 18:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-15 23:54 . 2010-02-15 23:54 -------- d-----w- c:\program files\Kiwee Toolbar
    2010-02-15 23:53 . 2009-12-17 08:56 -------- d-----w- c:\program files\Common Files\Akamai
    2010-02-15 23:24 . 2009-12-07 20:35 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-02-15 21:44 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\agi
    2010-02-15 21:33 . 2008-12-14 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-02-15 18:04 . 2009-10-07 10:49 -------- d-----w- c:\program files\Flickr Uploadr
    2010-02-15 16:02 . 2008-12-14 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-02-15 13:13 . 2008-12-29 11:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-15 12:29 . 2008-12-14 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-02-15 12:29 . 2008-12-14 02:02 -------- d-----r- c:\program files\Skype
    2010-02-15 12:24 . 2009-01-29 10:49 -------- d-----w- c:\program files\Common Files\Real
    2010-02-15 12:23 . 2008-12-16 12:33 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-02-15 12:23 . 2008-12-13 12:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-02-15 12:03 . 2010-02-15 12:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-14 21:55 . 2008-12-29 12:02 -------- d-----w- c:\program files\Java
    2010-02-14 20:07 . 2010-02-14 20:07 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-02-14 20:05 . 2009-03-22 20:43 -------- d-----w- c:\program files\MSECache
    2010-02-14 19:48 . 2009-11-25 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-14 15:25 . 2008-12-15 18:25 -------- d-----w- c:\documents and settings\Owner\Application Data\agi
    2010-02-14 14:52 . 2008-12-14 00:52 -------- d-----w- c:\program files\Google
    2010-02-14 14:51 . 2009-10-07 07:37 -------- d-----w- c:\program files\UCT
    2010-02-14 14:44 . 2009-09-23 15:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-14 14:42 . 2010-01-13 00:20 -------- d-----w- c:\program files\WinUndelete
    2010-02-14 14:42 . 2010-01-12 15:41 -------- d-----w- c:\program files\Evening Help Guide
    2010-02-14 14:31 . 2008-12-22 12:12 -------- d-----w- c:\program files\Weather
    2010-02-14 13:42 . 2008-12-15 18:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
    2010-02-12 11:11 . 2008-12-13 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
    2010-02-11 08:55 . 2008-12-15 18:25 -------- d-----w- c:\program files\AGI
    2010-01-29 20:02 . 2009-02-10 12:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nokia
    2010-01-29 18:30 . 2009-02-10 12:46 -------- d-----w- c:\program files\Common Files\Nokia
    2010-01-29 18:29 . 2009-02-10 12:45 -------- d-----w- c:\program files\Nokia
    2010-01-29 18:27 . 2010-01-29 18:27 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
    2010-01-29 18:27 . 2010-01-29 18:27 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
    2010-01-29 18:27 . 2010-01-29 18:27 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
    2010-01-29 18:27 . 2010-01-29 18:27 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
    2010-01-29 18:27 . 2010-01-29 18:27 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
    2010-01-29 17:45 . 2010-01-29 17:45 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_PCS_Update.exe
    2010-01-20 12:09 . 2008-12-13 13:18 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-18 09:49 . 2010-01-27 08:20 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-18 09:49 . 2010-01-27 08:20 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-12 16:08 . 2009-12-17 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-01-12 04:03 . 2009-12-17 13:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 04:03 . 2009-12-17 13:00 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 04:03 . 2009-12-17 13:00 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 04:03 . 2009-12-17 13:00 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 04:03 . 2008-10-07 13:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 04:03 . 2006-06-01 09:22 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 04:03 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 04:03 . 2006-06-01 09:22 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 04:03 . 2006-06-01 09:22 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 04:03 . 2006-06-01 09:22 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-29 23:39 . 2009-01-28 17:11 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-28 00:15 . 2009-12-28 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
    2009-12-27 23:53 . 2009-12-28 00:15 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller_ALL.exe
    2009-12-27 08:49 . 2009-12-27 08:49 -------- d-----w- c:\program files\Common Files\PCSuite
    2009-12-27 08:46 . 2009-12-27 08:46 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
    2009-12-27 08:46 . 2009-12-27 08:46 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-12-27 08:46 . 2009-12-27 08:46 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
    2009-12-27 08:33 . 2009-02-10 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-12-27 08:33 . 2009-12-27 08:46 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
    2009-12-26 13:40 . 2009-03-20 00:17 -------- d-----w- c:\program files\PhotomatixPro3
    2009-12-26 10:29 . 2008-12-14 14:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-24 16:22 . 2009-01-28 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-12-24 10:57 . 2009-12-24 10:56 -------- d-----w- c:\program files\QuickTime
    2009-12-21 22:24 . 2009-01-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-12-21 19:14 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-20 11:25 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
    2009-12-17 11:37 . 2008-12-13 12:42 30696 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-17 10:57 . 2009-12-17 08:57 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    2009-12-17 10:57 . 2009-12-17 08:57 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-12-16 18:43 . 2008-12-13 12:09 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 09:23 . 2008-04-14 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(3).dll
    2009-12-04 18:22 . 2008-04-14 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-27 17:11 . 2008-04-14 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
    2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-11-27 16:07 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-11-27 16:07 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
    2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-11-25 13:12 . 2008-12-13 12:45 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-25 13:12 . 2008-12-13 12:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-25 13:12 . 2008-12-13 12:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-21 02:34 . 2008-12-13 12:41 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 02:34 . 2006-06-01 09:22 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-19 21:42 . 2008-12-13 12:24 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-19 11:48 . 2009-12-01 12:06 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2009-11-19 11:48 . 2009-12-01 12:06 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-11-19 11:48 . 2009-12-01 12:06 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-11-19 11:48 . 2009-12-01 12:06 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2008-12-23 00:50 . 2008-12-23 00:50 4096 --sha-w- c:\program files\Thumbs.db
    2007-04-14 00:39 . 2008-11-26 03:03 48668560 ----a-w- c:\program files\MapSource_6123.exe
    2009-11-22 03:45 . 2008-12-14 10:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-15_22.36.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-02-15 23:52 . 2010-02-15 23:52 16384 c:\windows\Temp\Perflib_Perfdata_7f0.dat
    + 2010-02-15 23:52 . 2010-02-15 23:52 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
    + 2010-02-15 23:52 . 2010-02-15 23:52 16384 c:\windows\Temp\Perflib_Perfdata_1d8.dat
    - 2010-02-15 22:35 . 2010-02-15 22:35 98304 c:\windows\Temp\AGI\JsonExSerializer.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 98304 c:\windows\Temp\AGI\JsonExSerializer.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 86016 c:\windows\Temp\AGI\InstallLibrary.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 86016 c:\windows\Temp\AGI\InstallLibrary.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 30112 c:\windows\Temp\AGI\Installer.exe
    - 2010-02-15 22:35 . 2010-02-15 22:35 30112 c:\windows\Temp\AGI\Installer.exe
    + 2010-02-15 23:53 . 2010-02-15 23:53 45056 c:\windows\Temp\AGI\delight.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 45056 c:\windows\Temp\AGI\delight.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 270336 c:\windows\Temp\AGI\log4net.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 270336 c:\windows\Temp\AGI\log4net.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 126976 c:\windows\Temp\AGI\Interop.SHDocVw.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 126976 c:\windows\Temp\AGI\Interop.SHDocVw.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 192512 c:\windows\Temp\AGI\ICSharpCode.SharpZipLib.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 192512 c:\windows\Temp\AGI\ICSharpCode.SharpZipLib.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 266240 c:\windows\Temp\AGI\f_in_box__lib.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 266240 c:\windows\Temp\AGI\f_in_box__lib.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 217088 c:\windows\Temp\AGI\f_in_box.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 217088 c:\windows\Temp\AGI\f_in_box.dll
    - 2010-02-15 22:35 . 2010-02-15 22:35 163840 c:\windows\Temp\AGI\agicore.dll
    + 2010-02-15 23:53 . 2010-02-15 23:53 163840 c:\windows\Temp\AGI\agicore.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A} "= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
    "{1c99b848-84cb-4ce4-8cd8-ed5719484d9f} "= "mscoree.dll" [2008-07-25 282112]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
    [HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "KiweeHook "= "c:\program files\Kiwee Toolbar\3.2\kwtbaim.exe" [2009-11-25 56544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=c:\windows\pss\Billminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
    2003-09-11 03:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-11-22 03:45 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2008-12-14 18:35 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    2004-06-08 12:31 29696 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2009-12-10 15:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-11 22:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-11 22:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 17:35 32768 ------w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 16:47 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-11 15:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
    2006-09-07 10:13 208896 ----a-r- c:\windows\system32\sw20.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
    2006-09-07 10:14 69632 ----a-r- c:\windows\system32\sw24.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe "=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "e:\\Program Files\\Microsoft Flight Simulator X\\fsx.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Google\\Picasa3\\Picasa3.exe "=
    "c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP "= 5353:TCP:Adobe CSI CS4

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/12/2008 12:45 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/12/2008 12:45 360584]
    R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10752\AGCoreService.exe [14/02/2010 11:16 20480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 12:00 14336]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/11/2009 13:12 285392]
    R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [13/02/2007 18:57 2655848]
    R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [13/12/2008 12:28 1310720]
    S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [15/12/2008 18:25 10240]
    S2 gupdate1c976ffca94367e;Google Update Service (gupdate1c976ffca94367e);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2009 10:55 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [14/12/2008 10:18 30192]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-14 03:16]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]

    2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-01-15 10:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.register.epson-europe.com/
    uInternet Settings,ProxyOverride = localhost;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q=
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 23:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(4008)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-15 23:58:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-15 23:58
    ComboFix2.txt 2010-02-15 23:27
    ComboFix3.txt 2010-02-15 22:41

    Pre-Run: 72,542,744,576 bytes free
    Post-Run: 72,501,747,712 bytes free

    - - End Of File - - C804D8704F3B8E214859F1EFEBA3A7D5
     
  7. 2010/02/15
    coldwaterjohn
    Latest HijackThis Log (23.59)
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 00:05:54, on 16/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.register.epson-europe.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c976ffca94367e) (gupdate1c976ffca94367e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 8599 bytes
     
  8. 2010/02/15
    coldwaterjohn
    What now, Crunchie - are we getting there?
     
  9. 2010/02/15
    coldwaterjohn
    Crunchie
    In the latest HijackThis scan result, I noticed it is still showing
    "O3 - Toolbar: Kiwee Toolbar - followed by a bunch of numbers, and then mscoree.dll file missing".
    By the way, despite sending you the two logs taken at 23.59, they don't appear in this thread? Is there some kind of lag between despatch and their showing up? Or do you delete them once you have had a look at them?
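As an added example (mine, not from the thread or from HijackThis), the script below parses HijackThis R3/O2/O3 lines like the ones quoted in the log above, groups them by CLSID, and flags a component whose server is reported missing or which is registered under more than one hook point. The sample lines are constructed from the log posted earlier in the thread; the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of R3/O2/O3/O23 lines copied from the HijackThis
# log posted in this thread, enough to exercise the parser.
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)",
    r"O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll",
    r"O3 - Toolbar: Kiwee Toolbar - {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll (file missing)",
    r"O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe",
])

# HijackThis browser-hook lines share one shape:
#   <section> - <kind>: <display name> - {CLSID} - <server path or "(file missing)">
HOOK_LINE = re.compile(
    r"^(?P<section>R3|O2|O3) - (?:URLSearchHook|BHO|Toolbar): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def parse_hook_entries(log_text):
    """Return one dict per R3/O2/O3 line (search hook, BHO, toolbar).

    Other sections (O4, O23, ...) are ignored here.  CLSIDs are upper-cased
    because HijackThis prints them in whichever case the registry key used,
    and the same component appears in both cases in the log above.
    """
    entries = []
    for line in log_text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "section": m.group("section"),
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path"),
            "file_missing": "(file missing)" in m.group("path"),
        })
    return entries


def find_residue(entries):
    """Group hook entries by CLSID and flag the ones worth a second look.

    A CLSID is reported when its server is marked missing, or when the same
    CLSID is wired into more than one hook point (URLSearchHook and BHO, say):
    that is one component registered several times, so fixing only one of the
    lines leaves it registered elsewhere.  A managed (.NET) BHO or toolbar
    registers mscoree.dll as its in-process server and is commonly reported by
    HijackThis as "mscoree.dll (file missing)"; that line alone does not tell
    you whether the component's assembly is still on disk, so it is flagged
    for a manual check rather than dismissed as a dead link.
    """
    by_clsid = defaultdict(list)
    for e in entries:
        by_clsid[e["clsid"]].append(e)
    findings = {}
    for clsid, items in by_clsid.items():
        sections = sorted({e["section"] for e in items})
        missing = any(e["file_missing"] for e in items)
        if missing or len(sections) > 1:
            findings[clsid] = {
                "names": sorted({e["name"] for e in items}),
                "sections": sections,
                "file_missing": missing,
            }
    return findings


def report(findings):
    """Render findings as one line per CLSID, for pasting back into a thread."""
    lines = []
    for clsid in sorted(findings):
        item = findings[clsid]
        flags = []
        if item["file_missing"]:
            flags.append("server reported missing")
        if len(item["sections"]) > 1:
            flags.append("registered under " + "+".join(item["sections"]))
        lines.append(f"{clsid}  {', '.join(item['names'])}  [{'; '.join(flags)}]")
    return lines


if __name__ == "__main__":
    for line in report(find_residue(parse_hook_entries(SAMPLE_LOG))):
        print(line)
```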
     
  10. 2010/02/15
    crunchie
    I am at work, so can only look in from time to time.
    Still seem to be having problems. Looks like it is re-creating itself from somewhere.

    Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.
     
  11. 2010/02/15
    coldwaterjohn
    Crunchie, I do appreciate your continuing assistance, particularly as you are trying to help and juggling it with work! The vbs file has been saved to my desktop. I don't have any script-blocking program that I am aware of, but clicking on the icon Silent Runners.vbs, simply opens it in Notepad. If you have any advice, if you leave it on this thread, I will tackle it first thing tomorrow morning. It's 1 a.m. now and it's been a long day!
     
  12. 2010/02/15
    crunchie
    Did you right click on the file when downloading it? If yes, try right clicking on the file and select 'Open with' and associate the .vbs file with wscript.exe which is located in the system32 folder.
     
  13. 2010/02/15
    coldwaterjohn
    Will try that before heading off for the night! Thanks for the input.
     
  14. 2010/02/15
    coldwaterjohn
    Followed your instructions. Now when I click on the file:
    "There is no script engine for file extension ".txt"."
    When I download onto the p.c. there is no choice in the file type for script files; only txt or "all files" are available, and both result in its being saved as Silent Runners vbs.txt.
    What next would you recommend?
     
  15. 2010/02/15
    crunchie
    It must be the way that it is being downloaded. I have uploaded it for you.
     


  16. 2010/02/15
    coldwaterjohn
    Thanks Crunchie. Here's the log from Silent Runners:
    "Silent Runners.vbs ", revision 60, http://www.silentrunners.org/
    Operating System: Windows XP SP3
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ "Google Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "SunJavaUpdateSched" = " "C:\Program Files\Common Files\Java\Java Update\jusched.exe" " [ "Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]

    {0bc6e3fa-78ef-4886-842c-5a1258c4455a}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "agihelper.AGUtils "
    \InProcServer32\(Default) = "mscoree.dll" [MS]

    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub "
    -> {HKLM...CLSID} = "Adobe PDF Link Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" [ "Adobe Systems Incorporated"]

    {3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" [ "RealPlayer"]

    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter "
    -> {HKLM...CLSID} = "AVG Safe Search "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgssie.dll" [ "AVG Technologies CZ, s.r.o."]

    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

    {A3BC75A2-1F87-4686-AA43-5347D756017C}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AVG Security Toolbar BHO "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll" [null data]

    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Notifier BHO "
    \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll" [ "Google Inc."]

    {DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" [ "Sun Microsystems, Inc."]

    {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}\(Default) = "Google Gears Helper "
    -> {HKLM...CLSID} = "Google Gears Helper "
    \InProcServer32\(Default) = "C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll" [ "Google Inc."]

    {E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl "
    -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" [ "Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]

    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]

    "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band "
    -> {HKLM...CLSID} = "History Band "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class "
    -> {HKLM...CLSID} = "DesktopContext Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" [ "NVIDIA Corporation"]

    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
    -> {HKLM...CLSID} = "Desktop Explorer "
    \InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" [ "NVIDIA Corporation"]

    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" [ "NVIDIA Corporation"]

    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu "
    -> {HKLM...CLSID} = "nView Desktop Context Menu "
    \InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" [ "NVIDIA Corporation"]

    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG Shell Extension "
    -> {HKLM...CLSID} = "AVG Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgse.dll" [ "AVG Technologies CZ, s.r.o."]

    "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler "
    -> {HKLM...CLSID} = "Microsoft Office Outlook "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler "
    -> {HKLM...CLSID} = "Outlook File Icon Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

    "{D8A8853A-DB04-45D4-8732-A5CC49CE6107}" = "deskMenu2 Shell Extension "
    -> {HKLM...CLSID} = "deskMenu2 ContextMenu Shell Extension "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\deskMenu2.dll" [empty string]

    "{6230EF55-8E71-4F40-861A-DBA282584FF5}" = "AVS VideoConverter 6 "
    -> {HKLM...CLSID} = "AVSVideoConverter Object "
    \InProcServer32\(Default) = "C:\PROGRA~1\AVS4YOU\AVSVID~1\AVSVID~1.DLL" [ "Online Media Technologies Ltd."]

    "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler "
    -> {HKLM...CLSID} = "Microsoft Office Metadata Handler "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

    "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler "
    -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    "{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser "
    -> {HKLM...CLSID} = "Nokia Phone Browser "
    \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll" [ "Nokia"]

    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper "
    -> {HKLM...CLSID} = "NVIDIA CPL Extension "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" [ "NVIDIA Corporation"]

    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

    <<!>> linkscanner\CLSID = "{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} "
    -> {HKLM...CLSID} = "XPLPPFilter Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgpp.dll" [ "AVG Technologies CZ, s.r.o."]

    <<!>> ms-itss\CLSID = "{0A9007C0-4076-11D3-8789-0000F8105754} "
    -> {HKLM...CLSID} = "Microsoft Infotech Storage Protocol for IE 4.0 "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL" [MS]

    <<!>> mso-offdap11\CLSID = "{32505114-5902-49B2-880A-1F7738E5A384} "
    -> {HKLM...CLSID} = "Data Page Plugable Protocal mso-offdap11 Handler "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL" [MS]

    <<!>> skype4com\CLSID = "{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "
    -> {HKLM...CLSID} = "IEProtocolHandler Class "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL" [ "Skype Technologies"]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

    AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgse.dll" [ "AVG Technologies CZ, s.r.o."]

    AVSVideoConverter6\(Default) = "{6230EF55-8E71-4F40-861A-DBA282584FF5} "
    -> {HKLM...CLSID} = "AVSVideoConverter Object "
    \InProcServer32\(Default) = "C:\PROGRA~1\AVS4YOU\AVSVID~1\AVSVID~1.DLL" [ "Online Media Technologies Ltd."]

    deskMenu2\(Default) = "{D8A8853A-DB04-45D4-8732-A5CC49CE6107} "
    -> {HKLM...CLSID} = "deskMenu2 ContextMenu Shell Extension "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\deskMenu2.dll" [empty string]

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    {0BCE32B2-DA1B-41D7-A71F-C02A7D633CE5}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "V2iContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton Save and Restore\Browser\VProShellExt.dll" [ "Symantec Corporation"]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3} "
    -> {HKLM...CLSID} = "MBAMShlExt Class "
    \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" [ "Malwarebytes Corporation"]

    {C95FFEAE-A32E-4122-A5C4-49B5BFB69795}\(Default) = "{C95FFEAE-A32E-4122-A5C4-49B5BFB69795} "
    -> {HKLM...CLSID} = "Adobe Drive CS4 "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll" [ "Adobe Systems Incorporated"]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\

    Nokia\(Default) = "{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} "
    -> {HKLM...CLSID} = "Nokia Phone Browser "
    \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll" [ "Nokia"]

    HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

    00nView\(Default) = "{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "
    -> {HKLM...CLSID} = "nView Desktop Context Menu "
    \InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" [ "NVIDIA Corporation"]

    NvCplDesktopContext\(Default) = "{A70C977A-BF00-412C-90B7-034C51DA2439} "
    -> {HKLM...CLSID} = "DesktopContext Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" [ "NVIDIA Corporation"]

    {C95FFEAE-A32E-4122-A5C4-49B5BFB69795}\(Default) = "{C95FFEAE-A32E-4122-A5C4-49B5BFB69795} "
    -> {HKLM...CLSID} = "Adobe Drive CS4 "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll" [ "Adobe Systems Incorporated"]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

    {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

    AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgse.dll" [ "AVG Technologies CZ, s.r.o."]

    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3} "
    -> {HKLM...CLSID} = "MBAMShlExt Class "
    \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" [ "Malwarebytes Corporation"]

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    {0BCE32B2-DA1B-41D7-A71F-C02A7D633CE5}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "V2iContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton Save and Restore\Browser\VProShellExt.dll" [ "Symantec Corporation"]

    HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile "


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper2.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper2.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\GPhotos.scr" [ "Google Inc."]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    BridgeCS4ImportMediaOnArrival\
    "Provider" = "Adobe Bridge CS4 "
    "InvokeProgID" = "Adobe.adobebridgeCS4 "
    "InvokeVerb" = "launch "
    HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS4\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS4\bridgeproxy.exe -v %1" [ "Adobe Systems, Inc."]

    BridgeCS4NonVolumeHandler\
    "Provider" = "Adobe Bridge CS4 "
    "ProgID" = "Adobe.adobebridgeMTP_1 "
    HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = "{1E6C711B-6D70-4a65-8AB6-745DC19BE2A6} "
    -> {HKLM...CLSID} = "Adobe Bridge CS4 "
    \LocalServer32\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS4\bridgeproxy.exe -m" [ "Adobe Systems, Inc."]

    CanonZB4PicturesOnArrival\
    "Provider" = "Canon ZoomBrowser EX "
    "InvokeProgID" = "Zb.AutoplayHandler "
    "InvokeVerb" = "open "
    HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files\Canon\ZoomBrowser EX MCU\MCULauncher.exe" [null data]

    EPSONCardMonitor\
    "Provider" = "EPSON CardMonitor1.2 "
    "InvokeProgID" = "EPSON.CardMonitor.1 "
    "InvokeVerb" = "Play "
    HKLM\SOFTWARE\Classes\EPSON.CardMonitor.1\shell\Play\DropTarget\CLSID = "{95ABECB2-A2BC-4fdc-A413-554CB2AAD55F} "
    -> {HKLM...CLSID} = (no title provided)
    \LocalServer32\(Default) = "C:\Program Files\EPSON\EPSON CardMonitor\epcmcom.exe" [null data]

    Lightroom2AutoPlayHandler\
    "Provider" = "Adobe Photoshop Lightroom 2.0 "
    "InvokeProgID" = "Adobe.AdobeLightroom "
    "InvokeVerb" = "open "
    HKLM\SOFTWARE\Classes\Adobe.AdobeLightroom\shell\open\command\(Default) = "C:\Program Files\Adobe\Adobe Photoshop Lightroom 3 Beta\Lightroom.exe "%L" " [ "Adobe Systems"]

    Lightroom2BetaAutoPlayHandler\
    "Provider" = "Adobe Photoshop Lightroom 2.0 "
    "InvokeProgID" = "Adobe.AdobeLightroom "
    "InvokeVerb" = "open "
    HKLM\SOFTWARE\Classes\Adobe.AdobeLightroom\shell\open\command\(Default) = "C:\Program Files\Adobe\Adobe Photoshop Lightroom 3 Beta\Lightroom.exe "%L" " [ "Adobe Systems"]

    Lightroom3BetaAutoPlayHandler\
    "Provider" = "Adobe Photoshop Lightroom 3.0 "
    "InvokeProgID" = "Adobe.AdobeLightroom "
    "InvokeVerb" = "open "
    HKLM\SOFTWARE\Classes\Adobe.AdobeLightroom\shell\open\command\(Default) = "C:\Program Files\Adobe\Adobe Photoshop Lightroom 3 Beta\Lightroom.exe "%L" " [ "Adobe Systems"]

    MSWPDShellNamespaceHandler\
    "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501 "
    "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24} "
    "InitCmdLine" = " "
    -> {HKLM...CLSID} = "WPDShextAutoplay "
    \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

    NeroAutoPlay2CDAudio\
    "Provider" = "Nero Express "
    "InvokeProgID" = "Nero.AutoPlay2 "
    "InvokeVerb" = "HandleCDBurningOnArrival_CDAudio "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" [ "Ahead Software AG"]

    NeroAutoPlay2CopyCD\
    "Provider" = "Nero Express "
    "InvokeProgID" = "Nero.AutoPlay2 "
    "InvokeVerb" = "PlayCDAudioOnArrival_CopyCD "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" [ "Ahead Software AG"]

    NeroAutoPlay2DataDisc\
    "Provider" = "Nero Express "
    "InvokeProgID" = "Nero.AutoPlay2 "
    "InvokeVerb" = "HandleCDBurningOnArrival_DataDisc "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" [ "Ahead Software AG"]

    NeroAutoPlay2LaunchNeroStartSmart\
    "Provider" = "Nero StartSmart "
    "InvokeProgID" = "Nero.AutoPlay2 "
    "InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" [ "Ahead Software AG"]

    PDVDPlayDVDMovieOnArrival\
    "Provider" = "PowerDVD "
    "InvokeProgID" = "DVD "
    "InvokeVerb" = "PlayWithPowerDVD "
    HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = " "C:\Program Files\CyberLink DVD Solution\PowerDVD\PowerDVD.exe" "%l" " [ "CyberLink Corp."]

    Picasa2ImportPicturesOnArrival\
    "Provider" = "Picasa3 "
    "InvokeProgID" = "picasa2.autoplay "
    "InvokeVerb" = "import "
    HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Google\Picasa3\Picasa3.exe "%1" " [ "Google Inc."]

    PPCDBurningOnArrival\
    "Provider" = "PowerProducer "
    "InvokeProgID" = "Picture "
    "InvokeVerb" = "OpenWithPowerProducer "
    HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = " "C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe" " [ "Cyberlink"]

    PPDCameraArrival\
    "Provider" = "PowerProducer "
    "InvokeProgID" = "Picture "
    "InvokeVerb" = "OpenWithPowerProducer "
    HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = " "C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe" " [ "Cyberlink"]

    PPDVArrival\
    "Provider" = "PowerProducer "
    "ProgID" = "Shell.HWEventHandlerShellExecute "
    "InitCmdLine" = " "C:\Program Files\CyberLink DVD Solution\PowerProducer\Producer.exe" "
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} "
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler "
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    RPCDBurningOnArrival\
    "Provider" = "RealPlayer "
    "InvokeProgID" = "RealPlayer.CDBurn.6 "
    "InvokeVerb" = "open "
    HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = " "C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1" " [ "RealNetworks, Inc."]

    RPDeviceOnArrival\
    "Provider" = "RealPlayer "
    "ProgID" = "RealPlayer.HWEventHandler "
    HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2} "
    -> {HKLM...CLSID} = "RealNetworks Scheduler "
    \LocalServer32\(Default) = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" [ "RealNetworks, Inc."]

    RPPlayCDAudioOnArrival\
    "Provider" = "RealPlayer "
    "InvokeProgID" = "RealPlayer.AudioCD.6 "
    "InvokeVerb" = "play "
    HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = " "C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " [ "RealNetworks, Inc."]

    RPPlayDVDMovieOnArrival\
    "Provider" = "RealPlayer "
    "InvokeProgID" = "RealPlayer.DVD.6 "
    "InvokeVerb" = "play "
    HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = " "C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " [ "RealNetworks, Inc."]

    RPPlayMediaOnArrival\
    "Provider" = "RealPlayer "
    "InvokeProgID" = "RealPlayer.AutoPlay.6 "
    "InvokeVerb" = "open "
    HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = " "C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1" " [ "RealNetworks, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "Google Software Updater" -> launches: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe scheduled_start" [ "Google"]
    "GoogleUpdateTaskMachineCore" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" [ "Google Inc."]
    "GoogleUpdateTaskMachineUA" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" [ "Google Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" [ "Apple Inc."]
    000000000005\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "
    -> {HKLM...CLSID} = "AVG Security Toolbar "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll" [null data]

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" = "AVG Security Toolbar "
    -> {HKLM...CLSID} = "AVG Security Toolbar "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll" [null data]

    "{1C99B848-84CB-4CE4-8CD8-ED5719484D9F}" = "Kiwee Toolbar "
    -> {HKLM...CLSID} = "Kiwee Toolbar "
    \InProcServer32\(Default) = "mscoree.dll" [MS]

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5}\
    "MenuText" = "&Gears Settings "
    "CLSIDExtension" = "{0B4350D1-055F-47A3-B112-5F2F2B0D6F08} "
    -> {HKLM...CLSID} = "Google Gears ToolsMenuItem "
    \InProcServer32\(Default) = "C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll" [ "Google Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research "

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001 "
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points
    ------------------------------

    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
    <<H>> "{A3BC75A2-1F87-4686-AA43-5347D756017C}" = (no title provided)
    -> {HKLM...CLSID} = "AVG Security Toolbar BHO "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll" [null data]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AG Core Services, AGCoreService, " "C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe" " [null data]
    Akamai NetSession Interface, Akamai, "C:\WINDOWS\System32\svchost.exe -k Akamai" { "c:\program files\common files\akamai\rswin_3647.dll" [null data]}
    Apple Mobile Device, Apple Mobile Device, " "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" " [ "Apple Inc."]
    Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, " "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" " [ "Symantec Corporation"]
    AVG Free WatchDog, avg9wd, " "C:\Program Files\AVG\AVG9\avgwdsvc.exe" " [ "AVG Technologies CZ, s.r.o."]
    Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" { "C:\WINDOWS\System32\bthserv.dll" [MS]}
    Bonjour Service, Bonjour Service, " "C:\Program Files\Bonjour\mDNSResponder.exe" " [ "Apple Inc."]
    Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" [ "Canon Inc."]
    Java Quick Starter, JavaQuickStarterService, " "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" " [ "Sun Microsystems, Inc."]
    Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" " [MS]
    Norton Save and Restore, Norton Save and Restore, "C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe" [ "Symantec Corporation"]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" [ "NVIDIA Corporation"]
    Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" { "C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    Docudesk Print Monitor\Driver = "C:\WINDOWS\system32\ddmon.dll" [null data]
    EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" [ "SEIKO EPSON CORPORATION"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ---------- (launch time: 2010-02-16 01:39:28)
    <<!>>: Suspicious data at a malware launch point.
    <<H>>: Suspicious data at a browser hijack point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 32 seconds, including 6 seconds for message boxes)
     
  17. 2010/02/15 coldwaterjohn (Thread Starter)
    I see this entry at the end of the Toolbars section of the Log:

    "{1C99B848-84CB-4CE4-8CD8-ED5719484D9F}" = "Kiwee Toolbar "
    -> {HKLM...CLSID} = "Kiwee Toolbar "
    \InProcServer32\(Default) = "mscoree.dll" [MS]
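An added example, not from this thread or from either poster: a small Python script that parses Silent Runners toolbar entries like the one quoted above and flags the two things worth checking by hand. An InProcServer32 of mscoree.dll means the toolbar is a .NET assembly exposed through COM; the [MS] tag only vouches for the CLR host DLL, and the location of the code that actually runs is held in the Assembly and CodeBase values under the CLSID's InProcServer32 key, which Silent Runners does not print. A server tagged [null data] has no company name in its version resource, so the log could not attribute it to a vendor. The sample input is the three toolbar entries from the log posted earlier in this thread; the triage rules and function names are this example's own.

```python
"""Triage IE toolbar registrations from a Silent Runners log excerpt.

Added example (not from the original thread). Flags:
  * an InProcServer32 of mscoree.dll: managed COM object, resolve the
    Assembly / CodeBase values under the CLSID's InProcServer32 key;
  * a server DLL tagged [null data]: no company name in its version resource;
  * a CLSID with no InProcServer32 line at all (orphaned registration).
"""
import re

# The three toolbar entries as they appear in the Silent Runners log posted
# earlier in this thread (quoted from the page, not constructed).
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "
-> {HKLM...CLSID} = "AVG Security Toolbar "
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" = "AVG Security Toolbar "
-> {HKLM...CLSID} = "AVG Security Toolbar "
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll" [null data]

"{1C99B848-84CB-4CE4-8CD8-ED5719484D9F}" = "Kiwee Toolbar "
-> {HKLM...CLSID} = "Kiwee Toolbar "
\InProcServer32\(Default) = "mscoree.dll" [MS]
'''

# Line shapes used by Silent Runners in the "Toolbars" section.
CLSID_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})\s*"')
TITLE_RE = re.compile(r'^-> \{HKLM\.\.\.CLSID\} = "(.*?)\s*"$')
SERVER_RE = re.compile(r'^\\InProcServer32\\\(Default\) = "(.*?)"\s*\[(.*?)\]$')


def parse_toolbars(text):
    """Return one dict per toolbar entry: hive, clsid, title, server, signer."""
    entries, hive, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(('HKLM\\', 'HKCU\\')):
            hive = line.split('\\', 1)[0]      # which hive the toolbar key lives in
            continue
        m = CLSID_RE.match(line)
        if m:
            current = {'hive': hive, 'clsid': m.group(1).upper(),
                       'title': None, 'server': None, 'signer': None}
            entries.append(current)
            continue
        m = TITLE_RE.match(line)
        if m and current:
            current['title'] = m.group(1)
            continue
        m = SERVER_RE.match(line)
        if m and current:
            current['server'], current['signer'] = m.group(1), m.group(2)
    return entries


def triage(entries):
    """Map CLSID -> list of reasons the registration needs a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        server = (e['server'] or '').lower()
        if server.endswith('mscoree.dll'):
            reasons.append('managed COM server: resolve Assembly/CodeBase under '
                           r'HKLM\SOFTWARE\Classes\CLSID\%s\InProcServer32' % e['clsid'])
        if e['signer'] == 'null data':
            reasons.append('server DLL has no company name in its version resource')
        if not e['server']:
            reasons.append('CLSID has no InProcServer32 (orphaned registration)')
        if reasons:
            bucket = findings.setdefault(e['clsid'], [])
            for r in reasons:              # same CLSID may appear under HKCU and HKLM
                if r not in bucket:
                    bucket.append(r)
    return findings


if __name__ == '__main__':
    for clsid, reasons in triage(parse_toolbars(SAMPLE_LOG)).items():
        print(clsid)
        for r in reasons:
            print('   ', r)
```

On the affected machine the same lookup is a registry read of HKLM\SOFTWARE\Classes\CLSID\{1C99B848-84CB-4CE4-8CD8-ED5719484D9F}\InProcServer32 (regedit, or `reg query` from a command prompt): the Assembly and CodeBase values there name the DLL the toolbar actually loads, and that path is what to remove or submit for scanning, not mscoree.dll.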
     
  18. 2010/02/15 coldwaterjohn (Thread Starter)
    Let me give us both a break, and head off for some sleep - I'll follow up with whatever you suggest next, in the morning.
     
  19. 2010/02/15 crunchie
    Just showing the one entry there, so let's do this now:

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

    Get some sleep and we can do this later :).
     
  20. 2010/02/16 coldwaterjohn (Thread Starter)
    Here is the OTL Log content:
    OTL logfile created on: 16/02/2010 08:40:09 - Run 2
    OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Owner\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.04 Gb Total Space | 67.40 Gb Free Space | 45.22% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 111.79 Gb Total Space | 55.72 Gb Free Space | 49.85% Space Free | Partition Type: NTFS
    F: Drive not present or media not loaded
    Drive G: | 698.64 Gb Total Space | 116.48 Gb Free Space | 16.67% Space Free | Partition Type: NTFS
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: REBUILD-D13FF10
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/02/15 13:13:01 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
    PRC - [2010/02/14 22:58:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    PRC - [2010/01/26 15:48:24 | 000,020,480 | ---- | M] (AG Interactive) -- C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe
    PRC - [2010/01/11 22:17:44 | 000,154,216 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
    PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
    PRC - [2009/12/12 18:12:23 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
    PRC - [2009/12/12 18:12:23 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
    PRC - [2009/11/25 13:12:16 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
    PRC - [2009/11/25 13:12:14 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
    PRC - [2009/11/25 13:12:09 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
    PRC - [2009/11/25 11:46:50 | 000,056,544 | ---- | M] (AG Interactive) -- C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe
    PRC - [2009/10/31 13:48:40 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    PRC - [2009/07/09 11:22:18 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PRC - [2008/12/14 10:14:42 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
    PRC - [2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/02/13 18:57:06 | 002,655,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
    PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
    PRC - [2006/10/31 10:32:09 | 000,194,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/02/14 22:58:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/02/15 13:13:01 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
    SRV - [2010/01/28 18:18:47 | 002,431,024 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3647.dll -- (Akamai)
    SRV - [2010/01/26 15:48:24 | 000,020,480 | ---- | M] (AG Interactive) [Auto | Running] -- C:\Program Files\AGI\core\4.2.0.10752\AGCoreService.exe -- (AGCoreService)
    SRV - [2010/01/11 22:17:44 | 000,154,216 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
    SRV - [2009/12/17 11:15:07 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/11/25 13:12:09 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
    SRV - [2009/11/22 03:45:48 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
    SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2009/07/09 11:22:18 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009/03/24 03:16:36 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
    SRV - [2009/01/15 10:55:28 | 000,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c976ffca94367e) Google Update Service (gupdate1c976ffca94367e)
    SRV - [2008/12/15 18:25:54 | 000,010,240 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AGI\common\win32\PythonService.exe -- (AGWinService)
    SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
    SRV - [2007/02/13 18:57:06 | 002,655,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe -- (Norton Save and Restore)
    SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
    SRV - [2006/10/31 10:32:09 | 002,541,248 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
    SRV - [2006/10/31 10:32:09 | 000,194,240 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
    SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
    SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Kiwee Toolbar "
    FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= "
    FF - prefs.js..browser.search.order.1: "Web Search "
    FF - prefs.js..browser.search.order.2: "Google "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official "
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://search.imgag.com/?appid=kwtb&component=UnifiedToolbarFF&c=GNKWO50020&sbs=1&sc=&f=web&vernum=3.2&uid=&did={d19ee840-cad5-11dd-b3a3-001e8c668fd8}&q= "
    FF - prefs.js..network.proxy.type: 4

    FF - HKLM\software\mozilla\Firefox\extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/10/29 01:49:20 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 18:13:30 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2009/11/25 13:12:28 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/12/27 08:49:31 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2010/02/14 12:54:37 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\unifiedtoolbar@aginteractive.com: C:\Program Files\UnifiedToolbar\3.2\Firefox [2010/02/15 22:09:55 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/15 12:24:21 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/15 21:44:02 | 000,000,000 | ---D | M]

    [2009/04/04 08:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2009/04/04 08:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\uploadr@flickr.com
    [2010/02/15 20:20:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions
    [2009/06/24 11:39:06 | 000,000,000 | ---D | M] (Google Enhancer - True Knowledge) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{7738069b-91db-41a0-91d2-7b06ca79d2e1}
    [2009/06/22 13:17:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{89736E8E-4B14-4042-8C75-AD00B6BD3900}
    [2009/12/14 14:28:56 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    [2009/07/02 16:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n8c4g92b.default\extensions\isreaditlater@ideashower(2).com
    [2010/02/15 20:20:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2008/06/19 09:16:24 | 000,118,784 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\MyCamera.dll
    [2008/06/19 09:16:24 | 000,053,248 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\NPCIG.dll
    [2010/01/16 00:55:13 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/01/16 00:55:13 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/01/16 00:55:13 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/01/16 00:55:13 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/02/15 23:52:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
    O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O4 - HKLM..\Run: [KiweeHook] C:\Program Files\Kiwee Toolbar\3.2\kwtbaim.exe (AG Interactive)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
    O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/12/13 12:13:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2005/09/01 13:54:05 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - comfile [open] -- "%1" %*
    O35 - exefile [open] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/12/13 11:55:27 | 000,000,000 | ---D | M]
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16891891626803200)

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/02/16 01:16:55 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/02/15 23:54:05 | 000,000,000 | ---D | C] -- C:\Program Files\Kiwee Toolbar
    [2010/02/15 23:54:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar
    [2010/02/15 22:22:12 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/02/15 22:20:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/02/15 22:20:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/02/15 22:20:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/02/15 22:20:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/02/15 22:20:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/02/15 22:05:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/02/15 12:24:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
    [2010/02/15 12:03:04 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
    [2010/02/15 08:57:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    [2010/02/15 08:57:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/02/15 08:57:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/02/15 08:57:34 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/02/15 08:57:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/02/14 22:58:18 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/02/14 22:00:57 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
    [2010/02/14 20:07:02 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
    [2010/02/14 14:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/02/14 14:47:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\NokiaAccount
    [2010/02/14 13:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\agi
    [2010/02/14 13:08:07 | 000,000,000 | ---D | C] -- C:\Program Files\UnifiedToolbar(4)
    [2010/02/14 13:06:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
    [2010/02/14 11:16:49 | 000,000,000 | ---D | C] -- C:\Program Files\UnifiedToolbar
    [2010/02/14 10:05:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/02/14 10:05:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/02/12 12:45:06 | 000,000,000 | ---D | C] -- C:\Program Files\UnifiedToolbar(2)
    [2010/02/11 08:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/02/08 14:01:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Citrix
    [2009/12/17 08:57:35 | 001,228,240 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\ADBEPHSPCS4_LS1.exe
    [2009/11/25 13:05:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2009/11/25 13:05:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
    [2009/11/25 13:05:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2009/02/12 08:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    [2009/02/11 10:20:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\agi
    [2009/02/11 10:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
    [2009/02/10 12:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2009/02/05 17:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

    ========== Files - Modified Within 14 Days ==========

    [2010/02/16 09:30:58 | 000,453,695 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Silent Runners.vbs
    [2010/02/16 07:53:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/02/16 07:24:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
    [2010/02/16 03:18:36 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
    [2010/02/16 03:18:17 | 000,191,207 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
    [2010/02/16 03:18:14 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/02/16 03:18:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/02/16 03:18:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/02/16 03:16:53 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
    [2010/02/16 01:36:18 | 000,109,884 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\Silent Runners.zip
    [2010/02/16 01:00:23 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\cscript.exe
    [2010/02/16 00:45:41 | 001,735,036 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Siemens Gigaset SL785 Manual.pdf
    [2010/02/16 00:05:54 | 000,008,600 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis_23.59GMT
    [2010/02/16 00:05:07 | 000,002,441 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
    [2010/02/15 23:53:12 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/02/15 23:52:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/02/15 23:37:09 | 000,008,600 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis_Log 23.36GMT_15_02_2010
    [2010/02/15 22:44:53 | 000,008,572 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis_Log
    [2010/02/15 22:25:55 | 000,000,679 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/02/15 22:25:55 | 000,000,293 | RHS- | M] () -- C:\boot.ini
    [2010/02/15 22:10:53 | 000,000,223 | ---- | M] () -- C:\Boot.bak
    [2010/02/15 22:07:40 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
    [2010/02/15 21:40:52 | 003,857,112 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2010/02/15 14:02:42 | 055,614,854 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2010/02/15 12:24:31 | 000,000,897 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
    [2010/02/15 12:23:40 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
    [2010/02/15 08:57:39 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/02/14 22:58:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/02/14 18:44:42 | 000,000,053 | ---- | M] () -- C:\biosinfo
    [2010/02/14 18:32:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/02/14 18:09:08 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/02/14 13:13:27 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/02/14 13:10:57 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
    [2010/02/14 12:05:40 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
    [2010/02/14 10:57:06 | 000,001,334 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ADDRESSES 08 01 03.GCF
    [2010/02/14 10:38:14 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/02/11 12:53:55 | 000,207,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Rum chocolate mousse recipe.jpg
    [2010/02/10 22:39:01 | 002,720,256 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ADDRESSES 08 01 03.OR3
    [2010/02/07 12:59:28 | 001,206,199 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fa_win_ug_en.pdf
    [2010/02/05 23:37:24 | 000,017,680 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\n627563390_9071.jpg
    [2010/02/04 18:59:30 | 004,443,656 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nov96.QDF
    [2010/02/04 18:59:30 | 002,332,194 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nov96.QSD
    [2010/02/04 18:47:14 | 000,000,132 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~QW~LINK.QDT
    [2010/02/04 15:45:37 | 000,064,000 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Legal and Geneal Details of investment.doc
    [2010/02/04 12:32:03 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Nov96.QEL
    [2010/02/04 12:32:02 | 000,000,046 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Q3.DIR
    [2010/02/04 11:25:44 | 001,880,115 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\scan011.jpg
    [2010/02/04 11:14:47 | 001,530,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\scan010.jpg

    ========== Files Created - No Company Name ==========

    [2010/02/16 01:44:18 | 000,109,884 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\Silent Runners.zip
    [2010/02/16 01:39:08 | 000,453,695 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Silent Runners.vbs
    [2010/02/16 01:00:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\cscript.exe
    [2010/02/16 00:45:41 | 001,735,036 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Siemens Gigaset SL785 Manual.pdf
    [2010/02/16 00:05:54 | 000,008,600 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis_23.59GMT
    [2010/02/15 23:37:09 | 000,008,600 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis_Log 23.36GMT_15_02_2010
    [2010/02/15 22:44:53 | 000,008,572 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis_Log
    [2010/02/15 22:22:18 | 000,000,223 | ---- | C] () -- C:\Boot.bak
    [2010/02/15 22:22:15 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/02/15 22:20:48 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/02/15 22:20:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/02/15 22:20:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/02/15 22:20:48 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/02/15 22:20:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/02/15 21:39:58 | 003,857,112 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2010/02/15 12:24:31 | 000,000,897 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
    [2010/02/15 12:03:04 | 000,002,441 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
    [2010/02/15 08:57:39 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/02/14 18:09:08 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/02/14 12:05:40 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
    [2010/02/11 12:53:55 | 000,207,864 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Rum chocolate mousse recipe.jpg
    [2010/02/07 12:59:17 | 001,206,199 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fa_win_ug_en.pdf
    [2010/02/05 23:37:23 | 000,017,680 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\n627563390_9071.jpg
    [2010/02/04 15:39:05 | 000,064,000 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Legal and Geneal Details of investment.doc
    [2010/02/04 11:25:43 | 001,880,115 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\scan011.jpg
    [2010/02/04 11:14:45 | 001,530,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\scan010.jpg
    [2010/01/16 03:06:18 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
    [2009/12/20 11:28:22 | 000,000,576 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\afl.log
    [2009/12/17 08:57:35 | 853,860,607 | ---- | C] () -- C:\Program Files\ADBEPHSPCS4_LS1.7z
    [2009/12/07 20:35:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
    [2009/12/06 17:36:50 | 000,000,390 | ---- | C] () -- C:\WINDOWS\{A7A59CB1-5FAE-42A1-B335-17B1C942B43E}_WiseFW.ini
    [2009/05/21 00:21:20 | 000,000,061 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\mm-device-08.ini
    [2009/02/21 08:25:20 | 000,691,592 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2009/01/29 14:26:04 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
    [2009/01/10 16:36:55 | 000,000,219 | ---- | C] () -- C:\WINDOWS\QHI.INI
    [2008/12/23 00:50:14 | 000,004,096 | -HS- | C] () -- C:\Program Files\Thumbs.db
    [2008/12/21 10:24:11 | 000,018,790 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
    [2008/12/15 18:25:37 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
    [2008/12/15 18:25:37 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
    [2008/12/14 13:26:39 | 000,000,052 | ---- | C] () -- C:\WINDOWS\Intuprof.ini
    [2008/12/14 13:26:38 | 000,001,704 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2008/12/14 04:03:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/12/14 02:29:55 | 000,064,000 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/12/14 01:09:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/12/13 19:19:57 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
    [2008/12/13 19:19:57 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
    [2008/12/13 19:19:05 | 000,000,027 | ---- | C] () -- C:\WINDOWS\CDE P4870EFGD.ini
    [2008/12/13 19:01:22 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDER300Euro.ini
    [2008/12/13 13:14:01 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
    [2008/12/13 12:41:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\msicpl.ini
    [2008/12/13 12:41:10 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\smdll.dll
    [2008/12/13 12:41:08 | 000,262,144 | R--- | C] () -- C:\WINDOWS\System32\HookShield.dll
    [2008/12/13 12:41:08 | 000,253,952 | R--- | C] () -- C:\WINDOWS\System32\HookMAp.dll
    [2008/12/13 12:41:08 | 000,032,768 | R--- | C] () -- C:\WINDOWS\System32\Auxiliary.dll
    [2008/12/13 12:41:07 | 000,009,728 | R--- | C] () -- C:\WINDOWS\System32\sysinfoX64.sys
    [2008/12/13 12:41:07 | 000,008,192 | R--- | C] () -- C:\WINDOWS\System32\sysinfo.sys
    [2008/12/13 12:29:31 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\C6501rm.dll
    [2008/12/13 12:29:31 | 000,000,162 | ---- | C] () -- C:\WINDOWS\C6501.ini.cfl
    [2008/12/13 12:28:36 | 000,004,571 | R--- | C] () -- C:\WINDOWS\C6501.ini.cfg
    [2008/12/13 12:28:30 | 000,000,326 | R--- | C] () -- C:\WINDOWS\c6501.ini
    [2008/12/13 12:27:57 | 000,012,377 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2008/12/13 12:24:28 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
    [2008/12/13 12:24:17 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2008/11/26 03:03:47 | 048,668,560 | ---- | C] () -- C:\Program Files\MapSource_6123.exe
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
    [2008/06/11 09:02:34 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
    [2008/06/11 09:02:32 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
    [2008/06/11 09:02:32 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
    [2008/06/11 09:02:32 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
    [2008/06/05 08:58:26 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
    [2008/04/14 12:00:00 | 001,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
    [2007/10/18 17:36:54 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\deskMenu2.dll
    [2007/08/15 06:27:18 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
    [2006/06/01 09:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
    [2006/06/01 09:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [1996/02/22 02:23:00 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
    [1996/01/17 02:23:00 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
    [1996/01/15 02:23:00 | 000,334,016 | ---- | C] () -- C:\WINDOWS\System32\loflt09.dll

    ========== LOP Check ==========

    [2010/02/15 21:44:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\agi
    [2008/12/22 16:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
    [2009/12/17 18:17:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2010/02/14 19:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2008/12/14 12:06:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
    [2009/12/27 08:33:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/02/15 23:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar
    [2009/06/03 22:14:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Memory-Map-License
    [2009/02/10 12:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
    [2009/12/28 00:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OviInstallerCache
    [2009/02/10 12:47:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2009/12/16 13:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
    [2009/10/24 23:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2008/12/13 19:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
    [2009/11/25 10:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
    [2009/09/25 06:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/05/27 09:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010/02/16 01:14:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\agi
    [2009/08/31 21:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2009/02/27 16:29:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canon
    [2008/12/24 01:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2008/12/21 10:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\deskPDF
    [2009/01/06 01:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DNA
    [2009/03/02 01:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EPSON
    [2009/04/04 08:03:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Flickr
    [2009/08/06 03:25:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GARMIN
    [2009/03/20 00:39:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HDRsoft
    [2008/12/13 13:18:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
    [2009/03/21 11:31:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Lucis
    [2010/01/29 20:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia
    [2010/01/29 20:02:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia Ovi Suite
    [2009/03/21 20:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OfficeUpdate12
    [2009/02/10 12:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Suite
    [2009/06/09 13:44:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Smart Panel

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2008/04/14 12:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2008/04/14 12:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
    [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/14 12:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
    [2008/04/14 12:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
    [2008/04/14 12:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/14 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
    [2008/04/14 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
    [2008/04/14 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: NVATA.SYS >
    [2006/04/25 00:52:28 | 000,100,736 | R--- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\WINDOWS\system32\drivers\nvata.sys

    < MD5 for: SCECLI.DLL >
    [2008/04/14 12:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
    [2008/04/14 12:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
    [2008/04/14 12:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/12/13 11:58:50 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/12/13 11:58:50 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/12/13 11:58:50 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\My Documents\mskb928080.exe:SummaryInformation
    < End of report >
  21. 2010/02/16
    coldwaterjohn
    There is no sign of an Extras.txt file of today's date created anywhere on my system following the OTL Quick Scan.
    I have done a search, and all it pulls up is the file created yesterday?