Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AXWIN Frame Window & Google Searches Redirected


  • This topic is locked This topic is locked
22 replies to this topic

#1 Paul in AZ

Paul in AZ

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 30 January 2010 - 11:11 PM

Hello and thanks in advance

I seem to have two problem

I will get a pop-up that says AXWIN Frame Window svchost.exe application error. If I ignore it not much happens. If I hit ok or cancel, it will likely lead to a problem where another window will pop-up and say the system will shutdown in 60 seconds. This problem is much more prevalent on one user account versus another.

Second, my Google searches are redirected.

what is my next step?

Thanks

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 31 January 2010 - 05:01 AM

Hello! smile.gif
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 05 February 2010 - 09:54 PM

Thanks for the offer to help. I travel so my response time is a bit delayed. The AXWIN window comes up after running malwarebytes


Malwarebytes' Anti-Malware 1.44
Database version: 3695
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/5/2010 5:13:16 PM
mbam-log-2010-02-05 (17-13-16).txt

Scan type: Quick Scan
Objects scanned: 160877
Time elapsed: 24 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Paul Ward\Local Settings\Temporary Internet Files\Content.IE5\26QJMFST\WinProtectionUpdateV_01001[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carrie Ward\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.


OTL logfile created on: 2/5/2010 7:36:14 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Paul Ward\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.34 Gb Total Space | 38.11 Gb Free Space | 26.40% Space Free | Partition Type: NTFS
Drive D: | 423.22 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 966.99 Mb Total Space | 659.34 Mb Free Space | 68.18% Space Free | Partition Type: FAT32
Drive F: | 97.65 Gb Total Space | 20.41 Gb Free Space | 20.90% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 48.83 Gb Total Space | 1.24 Gb Free Space | 2.54% Space Free | Partition Type: NTFS
Drive I: | 319.28 Gb Total Space | 273.81 Gb Free Space | 85.76% Space Free | Partition Type: NTFS

Computer Name: D6JHPM81
Current User Name: Paul Ward
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/05 19:16:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul Ward\Desktop\OTL.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/10 10:14:38 | 000,443,728 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
PRC - [2009/11/10 09:28:06 | 001,131,808 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/11 04:17:36 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/08/03 20:05:02 | 000,238,888 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/21 11:13:58 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/21 22:27:04 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/10/23 05:50:35 | 000,046,640 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2006/10/18 20:05:26 | 000,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2005/11/07 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\DLACTRLW.EXE
PRC - [2005/07/19 22:10:06 | 000,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/07/19 22:06:12 | 000,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/03/22 23:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2003/08/27 09:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2002/12/16 10:02:08 | 000,039,936 | ---- | M] (Standard Microsystems Corp.) -- C:\Program Files\Icons\SetIcon.exe


========== Modules (SafeList) ==========

MOD - [2010/02/05 19:16:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul Ward\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (MSSQLServerADHelper)
SRV - File not found [Disabled | Stopped] -- -- (CLTNetCnService)
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/10 09:28:06 | 001,131,808 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2009/10/28 20:21:14 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/09 12:22:18 | 000,144,712 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/04/25 00:07:16 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/10 05:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/14 00:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/07/20 00:42:30 | 000,141,848 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/07/20 00:40:48 | 000,137,752 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/07/20 00:38:54 | 000,186,904 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2007/03/14 22:19:48 | 000,220,160 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/23 05:50:35 | 000,046,640 | ---- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2005/09/09 03:24:30 | 000,102,400 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/11/19 10:26:40 | 000,147,456 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Disabled | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/08/27 09:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.mg2.mail.yahoo.com/dc/launch?.rand=4scle39is3j0l
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\URLSearchHook: {88C897CF-C297-4AC6-B41E-A8BF1385C2C9} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\S-1-5-21-3757918247-616892490-3210646792-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\S-1-5-21-3757918247-616892490-3210646792-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: anttoolbar@ant.com:2.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/01/20 20:38:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2010/01/19 00:18:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/05 16:16:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/05 16:16:44 | 000,000,000 | ---D | M]

[2008/11/03 22:48:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Mozilla\Extensions
[2008/11/03 22:28:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Paul Ward\Application Data\Mozilla\Extensions\{6334D996-EA3E-4a0e-AA8D-15BA56B37241}
[2010/02/05 15:39:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions
[2010/01/09 14:17:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions\anttoolbar@ant.com
[2010/02/05 15:39:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/11/17 21:00:10 | 000,351,956 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 12065 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (TBSB06375 Class) - {E1DDE2F1-A332-4487-B5B1-911552045A01} - C:\Program Files\AntToolbar\Ant.com Toolbar\ant.dll ()
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O3 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\dla\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe (Standard Microsystems Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005..\Run: [SmartRAM] C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe File not found
O4 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08ce -f video -m logitech -d 11.1.0.2016 File not found
O4 - HKU\S-1-5-18..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08ce -f video -m logitech -d 11.1.0.2016 File not found
O4 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF 03 [binary data]
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3757918247-616892490-3210646792-1005\..Trusted Domains: 9 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1133585376375 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} http://offers.e-centives.com/cif/download/bin/actxcab.cab (CBSTIEPrint Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul Ward\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/19 15:07:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{6f1e0961-f8bf-11de-a15d-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{6f1e0961-f8bf-11de-a15d-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f1e0961-f8bf-11de-a15d-00038a000015}\Shell\AutoRun\command - "" = E:\DTSP_Launcher.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/12/07 21:38:14 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (51231838785503232)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/05 19:15:42 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paul Ward\Desktop\OTL.exe
[2010/02/05 16:23:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/05 16:23:03 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/05 07:27:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Paul Ward\Recent
[2010/01/31 20:13:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul Ward\Application Data\OverDrive
[2010/01/31 20:13:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul Ward\My Documents\My Media
[2010/01/31 20:12:22 | 000,000,000 | ---D | C] -- C:\Program Files\OverDrive Media Console
[2010/01/24 21:19:48 | 000,000,000 | ---D | C] -- C:\Program Files\Registry Easy
[2009/10/14 13:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2009/09/22 19:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/09/13 22:15:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/07/31 03:00:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/11/01 00:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\SACore
[2008/10/22 16:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2008/09/09 21:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/08/10 00:43:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/12/29 06:53:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\AOL
[2007/12/25 10:14:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
[2007/12/18 18:43:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/12/29 20:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2006/10/20 20:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2005/12/28 20:39:23 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Paul Ward\*.tmp files -> C:\Documents and Settings\Paul Ward\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/05 19:38:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D277B30E-340D-45DA-A321-B46970840596}.job
[2010/02/05 19:33:30 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2C36B13F-88FC-4120-8471-521ECDF4E4CB}.job
[2010/02/05 19:32:20 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/05 19:32:00 | 000,043,333 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/02/05 19:30:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/05 19:30:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/05 19:30:37 | 2137,149,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/05 19:27:34 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Paul Ward\ntuser.ini
[2010/02/05 19:26:43 | 006,973,108 | -H-- | M] () -- C:\Documents and Settings\Paul Ward\Local Settings\Application Data\IconCache.db
[2010/02/05 19:24:03 | 000,000,262 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/02/05 19:16:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul Ward\Desktop\OTL.exe
[2010/02/01 01:00:10 | 000,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/02/01 00:00:00 | 000,000,572 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Paul Ward.job
[2010/01/31 20:12:27 | 000,001,888 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OverDrive Media Console.lnk
[2010/01/30 23:09:28 | 008,126,464 | ---- | M] () -- C:\Documents and Settings\Paul Ward\ntuser.dat
[2010/01/30 20:49:57 | 000,037,376 | ---- | M] () -- C:\Documents and Settings\Paul Ward\Desktop\Password.xls
[2010/01/30 07:27:45 | 000,144,384 | ---- | M] () -- C:\Documents and Settings\Paul Ward\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/29 23:04:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/24 22:00:00 | 000,000,392 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Paul Ward\*.tmp files -> C:\Documents and Settings\Paul Ward\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/31 20:12:27 | 000,001,888 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OverDrive Media Console.lnk
[2009/12/11 19:07:02 | 000,000,110 | ---- | C] () -- C:\WINDOWS\{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}_WiseFW.ini
[2009/10/05 20:06:34 | 000,003,120 | ---- | C] () -- C:\WINDOWS\System32\2939cd20-1991-4ee1-a0b7-064641f81e3b.dll
[2009/09/16 21:58:41 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Paul Ward\Application Data\setup_ldm.iss
[2009/09/10 22:07:24 | 000,000,034 | ---- | C] () -- C:\WINDOWS\bstawin.ini
[2009/09/10 22:06:26 | 000,000,121 | ---- | C] () -- C:\WINDOWS\wizzsta.INI
[2009/04/19 19:58:38 | 000,004,063 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/11/03 23:00:33 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2008/08/29 16:55:56 | 000,000,037 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2008/04/24 18:10:31 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/08/14 20:05:31 | 000,058,163 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/07/18 17:42:42 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2006/09/28 22:40:41 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Paul Ward\Application Data\$_hpcst$.hpc
[2006/09/06 20:42:36 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/08/30 21:38:25 | 000,000,049 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2006/08/30 21:38:11 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2006/08/30 21:37:04 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2006/08/30 21:37:04 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/06/20 20:04:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Title.INI
[2006/04/19 23:23:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AlbumExe.INI
[2006/04/19 23:16:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EngineExe.INI
[2006/04/19 23:12:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PanelExe.INI
[2006/04/19 20:36:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhoneBkExe.INI
[2006/04/13 12:35:04 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Carrie Ward.ini
[2006/03/13 18:39:37 | 000,000,028 | ---- | C] () -- C:\WINDOWS\MotionDVSTUDIO.INI
[2006/02/18 21:35:33 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2006/01/01 23:36:25 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/01/01 23:36:17 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/01/01 21:07:13 | 000,000,058 | ---- | C] () -- C:\WINDOWS\DRAGDR~1.INI
[2005/12/25 23:28:21 | 000,000,759 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/12/22 09:39:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2005/12/07 21:39:14 | 000,060,068 | ---- | C] () -- C:\Documents and Settings\Paul Ward\Local Settings\Application Data\FASTWiz.html
[2005/12/06 23:26:13 | 000,144,384 | ---- | C] () -- C:\Documents and Settings\Paul Ward\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/12/06 19:51:16 | 000,177,612 | ---- | C] () -- C:\Documents and Settings\Paul Ward\Local Settings\Application Data\FASTWiz.log
[2005/12/03 08:35:37 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2005/12/03 08:22:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/02 21:38:25 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Paul Ward\Local Settings\Application Data\fusioncache.dat
[2005/11/28 17:11:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/11/23 08:19:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/11/23 08:10:24 | 000,000,525 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/11/23 07:38:22 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/12 14:57:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/19 15:20:39 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/19 15:01:43 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/05/11 10:04:20 | 000,000,241 | ---- | C] () -- C:\WINDOWS\System32\BELKIN.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/19 20:05:18 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys

========== LOP Check ==========

[2007/08/15 22:43:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2008/10/27 19:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DonationCoder
[2005/12/06 19:27:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2008/09/09 19:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IBMERS
[2008/12/28 18:46:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2006/03/13 18:39:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
[2010/01/20 19:18:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2008/03/22 17:52:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/11/19 21:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/06/17 20:13:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/19 00:20:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/10/18 08:48:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/26 20:25:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/12/29 22:22:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/10/07 19:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\GrabPro
[2009/12/13 09:32:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\IObit
[2005/12/07 16:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\Leadertech
[2007/08/04 10:57:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\Netscape
[2009/10/06 21:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\Orbit
[2008/02/28 20:56:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\pdf995
[2008/03/25 23:12:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\Snapfish
[2009/12/27 21:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\Uniblue
[2007/01/18 22:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\Viewpoint
[2008/04/24 18:10:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Carrie Ward\Application Data\webex
[2009/09/13 22:15:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2008/11/01 00:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\SACore
[2008/05/03 11:55:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\acccore
[2009/08/21 20:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\aHisoft
[2009/10/24 16:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\BallStat
[2005/12/25 22:42:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\EPSON
[2006/02/11 09:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\eRoom
[2009/07/11 18:43:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\GrabPro
[2008/09/09 19:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\IBMERS
[2009/05/27 22:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\IObit
[2005/12/07 21:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Kontiki
[2005/12/25 23:31:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Leadertech
[2005/12/25 23:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Musicmatch
[2007/05/04 22:03:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\MyPublisher
[2005/12/06 19:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Opera
[2009/10/06 22:14:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Orbit
[2010/01/31 20:13:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\OverDrive
[2005/12/08 21:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Palo Alto Software Inc
[2008/11/03 21:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Participatory Culture Foundation
[2008/11/03 22:31:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\PCF-VLC
[2006/08/30 21:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\pdf995
[2005/12/07 21:17:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Simple Star
[2008/12/30 20:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\SmartDraw
[2007/04/28 11:53:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Snapfish
[2009/12/26 19:10:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Uniblue
[2008/09/18 22:25:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul Ward\Application Data\Viewpoint
[2010/02/05 19:24:03 | 000,000,262 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2009/12/15 01:19:15 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010/02/01 01:00:10 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/01/24 22:00:00 | 000,000,392 | ---- | M] () -- C:\WINDOWS\Tasks\SmartDefrag.job
[2010/02/05 19:33:30 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2C36B13F-88FC-4120-8471-521ECDF4E4CB}.job
[2010/02/05 19:38:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D277B30E-340D-45DA-A321-B46970840596}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/12/08 07:39:12 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe
[2005/10/31 08:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe


< MD5 for: AGP440.SYS >
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/09 19:02:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/09 19:02:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 22:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/09 19:02:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/09 19:02:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2010/01/30 09:20:06 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/01/30 09:20:06 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/10 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/10 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/10 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 17:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 06 February 2010 - 09:22 AM

No problem. I can work at whatever pace you want. smile.gif

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 06 February 2010 - 07:51 PM

I followed the instructions and when the computer rebooted, the combofix box said it could not find the .sys file.

When is it did run it went throught 50 or so stages, deleted 4 files and a directory. There is no log file in c:\

I have tried to redownload combofix but it says that access is denied (either the file is in use or the drive is write protected). The AXWIN Frame window pop-up still pops up. There is a combofix director with alot of files in it on the c:\





#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 07 February 2010 - 09:39 AM

Are your Google searches still being redirected now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 07 February 2010 - 10:20 PM

I did a quick test and none of the google searches were redirected.

Let me rephrase what happened with the combofix just to make sure I said it correctly

1) Ran program
2) It rebooted the computer
3) After reboot the cmd window came up and said it could not find the combobox.sys file and stopped there
4) I tried to redownload combobox and it would not let me write the file to the drive saying that the either the file is in use or the drive is write protected.

What is the next step?

Thanks the help so far, it is greatly appreciated.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 08 February 2010 - 08:59 AM

Mcafee and Combofix don't get along very well. And since it starts up automatically when your computer reboots it removes part of combofix and then it can't complete. Are you able to uninstall Mcafee, download and run Combofix again, then reinstall Mcafee once Combofix completes and creates the log?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 08 February 2010 - 06:53 PM

It has an option to turn it off would that work? OR do I just need to uninstall it?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 08 February 2010 - 07:23 PM

Well, you can try it. But the problem is that Mcafee will want to restart when your computer reboots and I don't know of any way to prevent that short of removing it altogether.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 11 February 2010 - 11:27 PM

This is the combofix log. Can you let me know what it did and what we need to do. Before we ran this we were AXWIN window and Data Execution window

ComboFix 10-02-11.04 - Paul Ward 02/11/2010 21:03:09.2.2 - x86
Running from: c:\documents and settings\Paul Ward\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-05 23:23 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 23:23 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 03:13 . 2010-02-01 03:13 -------- d-----w- c:\documents and settings\Paul Ward\Application Data\OverDrive
2010-02-01 03:12 . 2010-02-01 03:12 -------- d-----w- c:\program files\OverDrive Media Console
2010-01-25 04:19 . 2010-01-25 04:25 -------- d-----w- c:\program files\Registry Easy
2010-01-24 06:34 . 2009-12-16 21:42 43008 ----a-w- c:\documents and settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-24 06:34 . 2009-12-16 21:42 340480 ----a-w- c:\documents and settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-24 06:33 . 2009-12-16 21:41 346624 ----a-w- c:\documents and settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-01-24 06:33 . 2009-12-16 21:42 872960 ----a-w- c:\documents and settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-16 03:32 . 2010-01-16 03:32 -------- d-----w- c:\program files\Trend Micro
2010-01-13 12:31 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 03:51 . 2008-08-11 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-12 03:49 . 2005-12-08 04:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 03:14 . 2005-12-08 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-09 10:04 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-05 23:23 . 2009-12-18 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 03:17 . 2005-12-08 04:46 -------- d-----w- c:\documents and settings\Paul Ward\Application Data\Apple Computer
2010-01-23 05:02 . 2009-06-29 03:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 02:18 . 2006-08-31 04:38 49 ----a-w- c:\windows\wpd99.drv
2010-01-21 02:18 . 2006-08-31 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-01-19 07:20 . 2007-11-01 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-31 16:50 . 2005-11-23 14:37 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 05:22 . 2009-12-30 05:22 -------- d-----w- c:\documents and settings\Carrie Ward\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-12-28 04:35 . 2009-12-28 04:35 -------- d-----w- c:\documents and settings\Carrie Ward\Application Data\Malwarebytes
2009-12-28 04:23 . 2009-12-28 04:23 -------- d-----w- c:\documents and settings\Carrie Ward\Application Data\Uniblue
2009-12-27 02:10 . 2009-12-27 02:10 -------- d-----w- c:\documents and settings\Paul Ward\Application Data\Uniblue
2009-12-22 05:07 . 2005-12-03 17:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 19:14 . 2004-08-19 21:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 04:25 . 2009-04-08 03:18 -------- d-----w- c:\documents and settings\Paul Ward\Application Data\Move Networks
2009-12-18 04:25 . 2009-08-27 04:22 127325 ----a-w- c:\documents and settings\Paul Ward\Application Data\Move Networks\uninstall.exe
2009-12-18 04:25 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Paul Ward\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-18 04:25 . 2009-12-18 04:25 1408800 ----a-w- c:\documents and settings\Paul Ward\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-12-18 03:34 . 2009-12-18 03:34 -------- d-----w- c:\documents and settings\Paul Ward\Application Data\Malwarebytes
2009-12-18 03:34 . 2009-12-18 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-16 18:43 . 2004-08-19 22:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-19 21:49 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 02:04 . 2009-12-12 02:04 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-12 02:03 . 2009-12-12 02:03 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
2009-12-04 18:22 . 2005-11-23 14:37 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-19 21:49 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-19 21:49 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-19 21:49 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-19 21:49 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-19 21:49 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1DDE2F1-A332-4487-B5B1-911552045A01}]
2008-08-14 22:57 2484224 ----a-w- c:\program files\AntToolbar\Ant.com Toolbar\ant.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-03-15 220160]
"SetIcon"="c:\program files\Icons\SetIcon.exe" [2002-12-16 39936]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-07-19 439568]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-09-09 08:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ------w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 19:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2006-04-06 17:51 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1166981059\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 22:49 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 03:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-08-31 05:07 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-07-25 23:02 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-07-25 23:06 2027792 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-03-15 15:58 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 17:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-05-21 04:33 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 03:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"GBPoll"=2 (0x2)
"DSBrokerService"=3 (0x3)
"AOL ACS"=2 (0x2)
"AdobeActiveFileMonitor4.0"=2 (0x2)
"iPod Service"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"idsvc"=3 (0x3)
"GoToAssist"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166981059\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 18560]
S1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [2007-01-02 18432]

.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-02-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2010-02-12 c:\windows\Tasks\User_Feed_Synchronization-{2C36B13F-88FC-4120-8471-521ECDF4E4CB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2010-02-12 c:\windows\Tasks\User_Feed_Synchronization-{D277B30E-340D-45DA-A321-B46970840596}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://us.mg2.mail.yahoo.com/dc/launch?.rand=4scle39is3j0l
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
FF - ProfilePath - c:\documents and settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Paul Ward\Application Data\Mozilla\Firefox\Profiles\kujrfurm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Paul Ward\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Paul Ward\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Paul Ward\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{88C897CF-C297-4AC6-B41E-A8BF1385C2C9} - (no file)
WebBrowser-{6CD56C02-CB4D-41B5-A0FE-B479061CCB41} - (no file)
HKCU-Run-SmartRAM - c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Advanced SystemCare 3 - c:\program files\IObit\Advanced SystemCare 3\AWC.exe
MSConfigStartUp-AOL Fast Start - c:\program files\AOL 9.1\AOL.EXE
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\wcescomm.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-Upromise - c:\program files\Upromise\Upromise.exe
MSConfigStartUp-Upromise Update - c:\program files\Upromise\UpromiseUa.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_0E996B068B56FCA2.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-11 21:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A749369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-11 21:23:56
ComboFix-quarantined-files.txt 2010-02-12 04:23

Pre-Run: 47,852,793,856 bytes free
Post-Run: 47,963,176,960 bytes free

- - End Of File - - 1726D5E7B6264270895EA14EDE1DD707


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 12 February 2010 - 08:14 AM

It didn't find any additional malware files this run, so that's good. It did remove some orphaned registry entries.
Are you still getting the AXWIN Frame window pop-up?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 12 February 2010 - 09:53 PM

I have not seen them. I did have some google redirection, so I re-installed Malware, it did not find anything, but so far there has been no more redirections. I am having a problem with I-Tunes. It says I need a new version. So download the new version, and afer it tries to install it says that the Windows Installer Services cannot be accessed.

Any thoughts?

#14 Paul in AZ

Paul in AZ
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:08:53 AM

Posted 12 February 2010 - 10:08 PM

I spoke too soon I got the window

AXWIN Frame Window: svchost.exe - Application Error

The instruction at "0x02917f7a0" referenced memory at "0x0291f7a0". The memory could not be "written"

Let me ask, is this a virus or a hardware issue?

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:53 AM

Posted 14 February 2010 - 09:24 AM

The error itself appears to be a symptom of a rootkit infection that Combofix usually clears.


We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users