
Solved trojan dropper gen infection

Discussion in 'Malware and Virus Removal Archive' started by bchirpy, 2010/04/04.

  1. 2010/04/05
    bchirpy

    bchirpy Inactive Thread Starter

    Joined:
    2010/04/04
    Messages:
    49
    Likes Received:
    0
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, April 5, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, April 05, 2010 10:40:46
    Records in database: 3914156
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 117497
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 1
    Scan duration: 06:47:20


    File name / Threat / Threats count
    C:\_OTL\MovedFiles\04052010_092218\C_Documents and Settings\Deb\Local Settings\Application Data\Identities\{6014D3D0-EF9B-4CC9-831A-CD589A809834}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    Selected area has been scanned.
     
  2. 2010/04/05
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    That looks ok now. The only thing found is in the OTL quarantine folder.
    See how your pc goes for a bit and let me know :).
     


  4. 2010/04/05
    bchirpy Inactive Thread Starter
    Well, all I can say is a massive thank you for all of your help, you are a star :O)
     
  5. 2010/04/05
    crunchie Inactive
    No worries. Once you are happy with the way the pc is, let me know and we can finish up :)
     
  6. 2010/04/08
    bchirpy Inactive Thread Starter
    Hi There Again,
    Just when I thought it was all over, I did a Malwarebytes scan last night and it seemed to find the same rootkit I thought we had removed - it says it has removed it - but has it? The scan log is in the next post - many thanks!
     
  7. 2010/04/08
    bchirpy Inactive Thread Starter
    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3966

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08/04/2010 06:18:07
    mbam-log-2010-04-08 (06-18-07).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 288459
    Time elapsed: 4 hour(s), 30 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\qowdk.sys (Rootkit.Agent) -> Delete on reboot.
    C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
     
  8. 2010/04/08
    bchirpy Inactive Thread Starter
    Yep, just did a check for the file MBAM is meant to delete and it's still there after reboot - please advise - many thanks.
     
  9. 2010/04/08
    crunchie Inactive
    Can you run OTL again please?
     
  10. 2010/04/08
    bchirpy Inactive Thread Starter
    Running GMER now - will post results - then OTL - many thanks!
     
  11. 2010/04/08
    bchirpy Inactive Thread Starter
    Could restore points be a problem?
     
  12. 2010/04/08
    crunchie Inactive
    Some infections have been known to spawn from infected restore points, yes.
     
  13. 2010/04/08
    bchirpy Inactive Thread Starter
    Should I consider deleting restore points then? If so, could you give me a quick rundown on how to delete them safely? Many thanks.

    Turned off restore :O)

    GMER won't finish, it shuts itself down :O( Will run OTL now.

    And the %userprofile% and thumbs.db files are back on my desktop?
     
    Last edited by a moderator: 2010/04/08
  14. 2010/04/08
    crunchie Inactive
    Let's have a look at the OTL log first please.
     
  15. 2010/04/08
    bchirpy Inactive Thread Starter
    OTL logfile created on: 08/04/2010 11:57:43 - Run 3
    OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Deb\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
    Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 146.60 Gb Total Space | 39.04 Gb Free Space | 26.63% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: DEBBIE
    Current User Name: Deb
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/04/04 11:25:33 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Deb\Desktop\OTL.exe
    PRC - [2010/04/03 07:43:07 | 002,064,224 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
    PRC - [2010/04/03 07:42:25 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
    PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2010/03/12 10:50:36 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
    PRC - [2010/03/12 10:50:34 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
    PRC - [2010/03/12 10:50:29 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
    PRC - [2010/03/12 10:48:45 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
    PRC - [2009/02/23 12:20:24 | 000,176,128 | ---- | M] () -- C:\Program Files\WebView\WebView-Updater.exe
    PRC - [2009/02/23 12:20:24 | 000,102,400 | ---- | M] () -- C:\Program Files\WebView\WebView-Reporting.exe
    PRC - [2008/08/15 10:39:04 | 003,343,688 | ---- | M] (Webshots.com) -- C:\Program Files\Webshots\Webshots.scr
    PRC - [2008/04/23 03:38:16 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/05/17 14:59:02 | 000,913,408 | ---- | M] (Sitecom Europe BV.) -- C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE
    PRC - [2004/11/02 00:55:40 | 000,057,344 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe
    PRC - [2004/08/10 23:47:38 | 000,331,776 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\sistray.exe
    PRC - [2003/10/08 10:41:10 | 000,057,344 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/04/04 11:25:33 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Deb\Desktop\OTL.exe


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/03/12 10:50:29 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
    SRV - [2009/09/17 11:33:26 | 000,651,776 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2009/02/23 12:20:24 | 000,176,128 | ---- | M] () [Auto | Running] -- C:\Program Files\WebView\WebView-Updater.exe -- (WebView-Update-Service)
    SRV - [2009/02/23 12:20:24 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files\WebView\WebView-Reporting.exe -- (WebView-Reporting-Service)
    SRV - [2004/11/02 00:55:40 | 000,057,344 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
    SRV - [2002/03/15 21:37:46 | 000,081,920 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hotukdeals.com/
    IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    FF - HKLM\software\mozilla\Firefox\Extensions\\gacela2@nurago.com: C:\Program Files\WebView\ [2010/02/04 18:06:48 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2010/04/05 09:27:24 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (WebView) - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - C:\Program Files\WebView\Gacela2.dll (TNS)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\ShellBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
    O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
    O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
    O4 - HKLM..\Run: [RRT-Auto] C:\Documents and Settings\Deb\Desktop\RRT.exe File not found
    O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
    O4 - HKCU..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe (http://www.emule-project.net)
    O4 - HKCU..\Run: [EPSON SX510W Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIE.EXE (SEIKO EPSON CORPORATION)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE (Sitecom Europe BV.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
    O4 - Startup: C:\Documents and Settings\Deb\Start Menu\Programs\Startup\Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (Webshots.com)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
    O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_19.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra 'Tools' menuitem : About WebView - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - C:\Program Files\WebView\Gacela2.dll (TNS)
    O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: autoregister.net ([autoreg] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: brainjuicer.com ([secure] https in Trusted sites)
    O16 - DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} http://www.shopandscan.com/TNSClicker.CAB (TNSClicker.Clicker)
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://downloads.ewido.net/ewidoOnlineScan.cab (ewidoOnlineScan Control)
    O16 - DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} http://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab (VM_ActX_2 Control)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scan8/oscan8.cab (BDSCANONLINE Control)
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab (InetDownload Class)
    O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (Reg Error: Key error.)
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab (Reg Error: Key error.)
    O16 - DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} https://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab (ComplianceChecker Class)
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx (CRLDownloadWrapper Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} http://www.shopandscan.com/TNSClickrc.CAB (TNSClickerc.Clicker)
    O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Deb\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Deb\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/02/15 02:04:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/08 10:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WebView-Reporting-Service-Spool
    [2010/04/07 20:13:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Deb\Desktop\Unused Desktop Shortcuts
    [2010/04/07 20:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Deb\Desktop\virus reports
    [2010/04/05 09:22:18 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/04/04 11:25:32 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Deb\Desktop\OTL.exe
    [2010/04/04 09:18:14 | 000,000,000 | ---D | C] -- C:\Program Files\Free Window Registry Repair
    [2010/04/04 09:05:21 | 000,000,000 | ---D | C] -- C:\Program Files\1 Click PC Fix
    [2010/04/03 00:41:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
    [2010/04/03 00:21:10 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
    [2010/04/02 23:22:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\SiS
    [2010/04/02 23:22:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\trayres
    [2010/04/02 23:22:43 | 000,000,000 | ---D | C] -- C:\Program Files\SiS VGA Utilities V3.61a
    [2010/04/02 23:16:42 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/04/02 23:14:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2010/04/02 23:14:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
    [2010/04/02 23:14:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [2010/04/02 23:14:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2010/04/02 18:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes(3)
    [2010/04/02 18:51:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/04/02 18:35:07 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour(3)
    [2010/04/02 08:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
    [2010/04/01 18:14:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\SIS(2)
    [2010/04/01 18:13:39 | 000,000,000 | ---D | C] -- C:\Program Files\SiS VGA Utilities V3(2).90
    [2010/03/31 09:15:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/03/30 17:21:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Deb\Local Settings\Application Data\BlinkBox
    [2010/03/30 17:20:23 | 000,000,000 | ---D | C] -- C:\Program Files\blinkbox
    [2010/03/29 19:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Deb\Local Settings\Application Data\Deployment
    [2007/10/08 13:54:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ApplicationHistory
    [2007/09/16 11:34:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
    [2007/09/15 20:43:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Share-to-Web Upload Folder
    [2007/09/15 20:36:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2007/09/12 07:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
    [2005/04/29 17:55:18 | 000,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
    [2005/04/29 17:53:27 | 000,653,960 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
    [2005/04/29 17:53:27 | 000,100,176 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
    [2005/04/29 17:53:27 | 000,013,216 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
    [2005/04/29 17:53:26 | 001,396,048 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
    [2005/04/29 17:53:26 | 000,229,720 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
    [2005/04/29 17:53:26 | 000,014,520 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\RecAgent.sys

    ========== Files - Modified Within 14 Days ==========

    [2010/04/08 12:03:28 | 000,823,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\qowdk.sys
    [2010/04/08 11:55:41 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/04/08 11:54:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/04/08 11:54:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/04/08 11:54:21 | 1576,587,264 | -HS- | M] () -- C:\hiberfil.sys
    [2010/04/08 11:53:00 | 008,126,464 | ---- | M] () -- C:\Documents and Settings\Deb\ntuser.dat
    [2010/04/08 11:53:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Deb\ntuser.ini
    [2010/04/08 10:54:02 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6DECB844-4F4C-4B16-BC41-417044116927}.job
    [2010/04/08 08:03:30 | 058,646,228 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2010/04/08 06:20:06 | 000,001,123 | ---- | M] () -- C:\WINDOWS\System32\falseinstall.rdf
    [2010/04/07 21:11:22 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/04/07 20:57:50 | 000,001,559 | ---- | M] () -- C:\Documents and Settings\Deb\Desktop\CCleaner.lnk
    [2010/04/07 19:48:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\Epson Printer Software Downloader.job
    [2010/04/05 09:27:24 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2010/04/04 16:47:33 | 000,523,920 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/04/04 16:47:33 | 000,445,266 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/04/04 16:47:33 | 000,072,566 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/04/04 11:25:33 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Deb\Desktop\OTL.exe
    [2010/04/04 10:53:57 | 000,016,244 | ---- | M] () -- C:\WINDOWS\System32\rrt_is.wav
    [2010/04/04 10:53:57 | 000,007,302 | ---- | M] () -- C:\WINDOWS\System32\rrt_vf.wav
    [2010/04/04 10:53:57 | 000,007,148 | ---- | M] () -- C:\WINDOWS\System32\rrt_tv.wav
    [2010/04/04 10:53:57 | 000,006,282 | ---- | M] () -- C:\WINDOWS\System32\rrt_tn.wav
    [2010/04/04 07:54:28 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Deb\Desktop\dds.scr
    [2010/04/03 21:49:39 | 000,012,210 | -HS- | M] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\XORQ
    [2010/04/03 21:49:39 | 000,012,210 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\XORQ
    [2010/04/03 17:45:22 | 000,001,615 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
    [2010/04/03 00:32:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/04/02 22:30:34 | 000,015,906 | -HS- | M] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\LK2mfPE2j
    [2010/04/02 22:30:34 | 000,015,906 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
    [2010/04/02 11:59:23 | 000,402,912 | ---- | M] () -- C:\ituneslib.itl
    [2010/04/02 00:18:16 | 000,000,070 | -H-- | M] () -- C:\WINDOWS\popcreg.dat
    [2010/04/02 00:18:16 | 000,000,022 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
    [2010/03/30 17:21:26 | 000,000,898 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\blinkbox Download Manager.lnk
    [2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

    ========== Files Created - No Company Name ==========

    [2010/04/08 06:20:06 | 000,001,123 | ---- | C] () -- C:\WINDOWS\System32\falseinstall.rdf
    [2010/04/04 11:02:59 | 1576,587,264 | -HS- | C] () -- C:\hiberfil.sys
    [2010/04/04 10:53:57 | 000,016,244 | ---- | C] () -- C:\WINDOWS\System32\rrt_is.wav
    [2010/04/04 10:53:57 | 000,007,302 | ---- | C] () -- C:\WINDOWS\System32\rrt_vf.wav
    [2010/04/04 10:53:57 | 000,007,148 | ---- | C] () -- C:\WINDOWS\System32\rrt_tv.wav
    [2010/04/04 10:53:57 | 000,006,282 | ---- | C] () -- C:\WINDOWS\System32\rrt_tn.wav
    [2010/04/04 07:54:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Deb\Desktop\dds.scr
    [2010/04/03 19:49:21 | 000,012,210 | -HS- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\XORQ
    [2010/04/03 19:49:21 | 000,012,210 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\XORQ
    [2010/04/03 19:45:39 | 000,823,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\qowdk.sys
    [2010/04/03 17:45:21 | 000,001,615 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
    [2010/04/03 00:45:55 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/04/03 00:32:01 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/04/02 22:20:28 | 000,015,906 | -HS- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\LK2mfPE2j
    [2010/04/02 22:20:28 | 000,015,906 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
    [2010/04/02 11:53:38 | 000,402,912 | ---- | C] () -- C:\ituneslib.itl
    [2010/04/01 17:33:28 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis760.bin
    [2010/04/01 17:33:28 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis741.bin
    [2010/04/01 17:33:28 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis660.bin
    [2010/04/01 11:08:34 | 008,126,464 | ---- | C] () -- C:\Documents and Settings\Deb\ntuser.dat
    [2010/03/30 17:21:23 | 000,200,650 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\BlinkBoxDesktopUpdate.log
    [2010/03/30 17:20:25 | 000,000,898 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\blinkbox Download Manager.lnk
    [2010/03/30 17:20:11 | 000,435,506 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\blinkboxDesktopInstall.log
    [2010/01/14 16:30:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
    [2010/01/05 20:39:43 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2009/11/18 08:55:38 | 000,007,168 | -HS- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\Thumbs.db
    [2009/06/15 17:21:40 | 000,000,253 | -H-- | C] () -- C:\Documents and Settings\Deb\hpothb07.tif
    [2009/06/15 17:21:40 | 000,000,158 | -H-- | C] () -- C:\Documents and Settings\Deb\hpothb07.dat
    [2009/05/14 15:27:36 | 000,007,217 | -HS- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\Folder.jpg
    [2009/05/14 15:27:36 | 000,002,072 | -HS- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\AlbumArtSmall.jpg
    [2009/05/09 17:57:19 | 000,002,625 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\Failed Copy
    [2009/05/09 17:29:53 | 012,939,480 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\moving into light (freemasons mix).mp3
    [2009/05/09 16:54:29 | 000,014,662 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\.ipc_copyrecord
    [2009/05/09 16:41:12 | 000,016,795 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\Skipping
    [2009/05/09 15:30:33 | 000,001,232 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\iTunesPrefs
    [2009/05/09 15:26:49 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\84756-11986-27475-00TC1-94865
    [2008/10/06 16:13:49 | 000,001,418 | ---- | C] () -- C:\Documents and Settings\Deb\Application Data\HPCOM_48BitScanUpdate.log
    [2008/10/06 16:13:49 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
    [2008/10/06 07:41:01 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2008/04/18 10:35:05 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys
    [2008/01/09 16:01:48 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
    [2008/01/01 23:49:47 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
    [2007/11/28 20:45:35 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2007/11/28 20:45:29 | 001,559,040 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2007/11/28 20:45:29 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2007/11/28 20:45:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2007/11/28 20:45:24 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2007/11/28 20:45:24 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2007/06/11 13:17:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
    [2007/04/12 08:57:30 | 000,001,739 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2007/03/21 21:58:55 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
    [2006/11/27 09:57:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/09/03 09:02:11 | 000,102,400 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/07/13 12:57:44 | 000,000,115 | ---- | C] () -- C:\WINDOWS\POSTER.INI
    [2006/05/09 11:38:17 | 000,000,016 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2006/04/07 07:44:46 | 000,000,004 | ---- | C] () -- C:\WINDOWS\jknradee.sys
    [2006/03/15 11:31:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
    [2005/11/30 02:04:58 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Deb\ntuser.dat.LOG
    [2005/11/30 02:04:58 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Deb\ntuser.ini
    [2005/11/30 02:04:58 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Deb\Local Settings\Application Data\fusioncache.dat
    [2005/11/29 20:14:58 | 000,003,780 | ---- | C] () -- C:\Documents and Settings\Deb\Application Data\wklnhst.dat
    [2005/11/29 19:58:17 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
    [2005/11/29 19:48:16 | 000,000,014 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
    [2005/11/29 19:38:54 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
    [2005/04/29 18:09:26 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
    [2005/04/29 18:06:32 | 000,106,346 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
    [2005/04/29 18:06:11 | 000,102,538 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
    [2005/04/29 18:03:28 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
    [2005/04/29 17:58:58 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
    [2005/04/29 17:58:58 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
    [2005/04/29 17:55:18 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
    [2005/04/29 17:55:18 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
    [2005/04/29 17:55:18 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
    [2005/04/29 17:53:27 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
    [2005/04/29 17:53:27 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
    [2005/04/29 17:53:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
    [2005/04/29 17:23:31 | 000,000,613 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
    [2005/02/15 10:44:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2005/02/15 00:49:30 | 000,004,190 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2004/07/01 19:38:44 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\lttls13n.dll
    [2004/07/01 19:38:38 | 000,708,608 | ---- | C] () -- C:\WINDOWS\System32\ltcry13n.dll
    [2004/07/01 19:38:28 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
    [2004/07/01 19:38:28 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
    [2003/02/18 18:26:28 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
    [1999/01/22 19:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
    [1998/01/12 09:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

    ========== LOP Check ==========

    [2009/11/19 19:42:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2010/04/02 23:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2010/01/05 20:51:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
    [2005/11/30 18:42:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fellowes
    [2009/11/24 17:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaMusic
    [2010/02/25 19:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
    [2005/12/01 16:24:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
    [2009/01/07 20:58:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
    [2007/09/22 08:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Teleca
    [2008/11/21 19:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2008/05/15 21:55:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tesco Photobook Creator
    [2010/03/16 20:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
    [2008/11/22 11:29:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{0A03A701-F883-4052-859E-496FFE1D2945}
    [2010/04/02 18:52:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/09/13 20:00:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/05/14 16:37:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2009/06/10 17:40:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Amazon
    [2009/05/12 09:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\DiskAid
    [2010/03/16 20:10:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Epson
    [2006/11/19 19:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Leadertech
    [2009/11/24 17:52:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Nokia
    [2007/10/08 16:21:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Opera
    [2009/11/24 17:53:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\PC Suite
    [2009/01/14 11:06:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Red Kawa
    [2005/05/04 00:11:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\SampleView
    [2009/01/07 20:58:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Sony
    [2006/10/07 09:25:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Teleca
    [2006/01/14 10:10:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Template
    [2010/03/16 16:13:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\uTorrent
    [2007/05/13 17:36:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Deb\Application Data\Webshots
    [2010/04/07 19:48:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\Epson Printer Software Downloader.job
    [2010/04/08 10:54:02 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6DECB844-4F4C-4B16-BC41-417044116927}.job

    ========== Purity Check ==========


    < End of report >
     
  16. 2010/04/08
    bchirpy
    I had already turned off/deleted restore points before your last message - sorry!
     
  17. 2010/04/08
    crunchie
    If you still have combofix on your system please delete it now.

    Download the latest version from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Save and run it from the desktop.

    ==

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    Driver::
    qowdk
    
    File::
    C:\WINDOWS\System32\drivers\qowdk.sys
    
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.gif]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  18. 2010/04/08
    bchirpy

    bchirpy Inactive Thread Starter

    Joined:
    2010/04/04
    Messages:
    49
    Likes Received:
    0
    ComboFix 10-04-07.04 - Deb 08/04/2010 13:27:05.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1503.945 [GMT 1:00]
    Running from: c:\documents and settings\Deb\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Deb\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\System32\drivers\qowdk.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Internet Explorer\SET2.tmp
    c:\program files\Internet Explorer\SET3.tmp
    c:\program files\Internet Explorer\SET39C.tmp
    c:\program files\Internet Explorer\SET39D.tmp
    c:\program files\Internet Explorer\SET39E.tmp
    c:\program files\Internet Explorer\SET3FD.tmp
    c:\program files\Internet Explorer\SET3FE.tmp
    c:\program files\Internet Explorer\SET3FF.tmp
    c:\program files\Internet Explorer\SET4.tmp
    c:\windows\system32\drivers\qowdk.sys
    c:\windows\system32\reboot.txt
    c:\windows\system32\winlogon.bak

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_QOWDK
    -------\Service_qowdk


    ((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
    .

    2010-04-05 08:22 . 2010-04-05 08:22 -------- d-----w- C:\_OTL
    2010-04-04 09:47 . 2010-04-04 09:47 -------- d-sh--w- c:\documents and settings\Administrator.DEBBIE.000\IETldCache
    2010-04-04 08:18 . 2010-04-05 08:36 -------- d-----w- c:\program files\Free Window Registry Repair
    2010-04-04 08:05 . 2010-04-04 10:00 -------- d-----w- c:\program files\1 Click PC Fix
    2010-04-02 23:41 . 2010-04-02 23:45 -------- d-----w- c:\program files\iTunes
    2010-04-02 23:21 . 2010-04-02 23:21 -------- d-----w- c:\program files\Bonjour
    2010-04-02 22:23 . 2010-04-02 22:23 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-04-02 22:22 . 2010-04-02 22:22 -------- d-----w- c:\windows\SiS
    2010-04-02 22:22 . 2010-04-02 22:22 -------- d-----w- c:\windows\system32\trayres
    2010-04-02 22:22 . 2010-04-02 22:22 -------- d-----w- c:\program files\SiS VGA Utilities V3.61a
    2010-04-02 17:51 . 2010-04-02 22:21 -------- d-----w- c:\program files\iTunes(3)
    2010-04-02 17:51 . 2010-04-02 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-02 17:35 . 2010-04-02 22:22 -------- d-----w- c:\program files\Bonjour(3)
    2010-04-02 07:40 . 2010-04-02 07:40 -------- d-----w- c:\program files\Belarc
    2010-04-01 17:14 . 2010-04-02 22:22 -------- d-----w- c:\windows\SIS(2)
    2010-04-01 17:13 . 2010-04-02 22:22 -------- d-----w- c:\program files\SiS VGA Utilities V3(2).90
    2010-04-01 16:33 . 2006-01-19 09:34 49152 ----a-w- c:\windows\system32\sis660.bin
    2010-04-01 16:33 . 2005-10-07 14:13 65536 ----a-w- c:\windows\system32\sis760.bin
    2010-04-01 16:33 . 2005-10-07 14:13 65536 ----a-w- c:\windows\system32\sis741.bin
    2010-03-30 16:21 . 2010-03-30 16:21 -------- d-----w- c:\documents and settings\Deb\Local Settings\Application Data\BlinkBox
    2010-03-30 16:20 . 2010-03-30 16:20 -------- d-----w- c:\program files\blinkbox
    2010-03-29 18:51 . 2010-03-30 16:20 -------- d-----w- c:\documents and settings\Deb\Local Settings\Application Data\Deployment
    2010-03-12 09:50 . 2010-03-12 09:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-10 05:00 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-08 07:04 . 2010-04-08 07:04 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-04-07 19:57 . 2008-11-23 00:11 -------- d-----w- c:\program files\CCleaner
    2010-04-04 13:04 . 2006-11-10 20:58 -------- d-----w- c:\program files\Java
    2010-04-03 18:50 . 2009-11-18 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-03 16:45 . 2009-12-27 12:01 -------- d-----w- c:\program files\QuickTime
    2010-04-03 06:44 . 2010-04-03 06:44 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
    2010-04-03 06:44 . 2010-04-03 06:44 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
    2010-04-03 06:44 . 2010-04-03 06:44 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-04-03 06:44 . 2010-04-03 06:44 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-04-03 06:44 . 2010-04-03 06:44 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
    2010-04-03 06:44 . 2010-04-03 06:44 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
    2010-04-03 06:44 . 2010-04-03 06:44 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
    2010-04-03 06:44 . 2010-04-03 06:44 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
    2010-04-03 06:44 . 2010-04-03 06:44 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
    2010-04-03 06:44 . 2010-04-03 06:44 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
    2010-04-03 06:44 . 2010-04-03 06:44 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
    2010-04-03 06:44 . 2010-04-03 06:44 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
    2010-04-03 06:39 . 2010-04-03 06:39 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-04-03 06:39 . 2010-04-03 06:39 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-04-02 23:46 . 2008-11-23 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-02 23:42 . 2005-05-03 23:14 -------- d-----w- c:\program files\iPod
    2010-04-02 23:42 . 2007-11-22 08:38 -------- d-----w- c:\program files\Common Files\Apple
    2010-04-02 23:31 . 2006-11-27 08:38 -------- d-----w- c:\program files\Apple Software Update
    2010-04-02 23:28 . 2008-12-11 00:03 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-02 22:23 . 2010-04-01 16:04 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\CyberLink
    2010-04-02 22:22 . 2005-05-03 23:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-02 22:20 . 2009-11-19 09:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-04-02 13:21 . 2010-01-28 08:13 -------- d-----w- c:\program files\Lavalys
    2010-04-01 23:18 . 2010-02-25 18:44 70 ---h--w- c:\windows\popcreg.dat
    2010-04-01 23:18 . 2010-02-25 18:44 22 ----a-w- c:\windows\popcinfot.dat
    2010-03-31 08:15 . 2006-11-10 20:22 -------- d-----w- c:\program files\Common Files\Java
    2010-03-31 08:15 . 2010-03-31 08:15 503808 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4f406995-n\msvcp71.dll
    2010-03-31 08:15 . 2010-03-31 08:15 499712 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4f406995-n\jmc.dll
    2010-03-31 08:15 . 2010-03-31 08:15 348160 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4f406995-n\msvcr71.dll
    2010-03-31 08:15 . 2010-03-31 08:15 12800 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55665735-n\decora-d3d.dll
    2010-03-31 08:15 . 2010-03-31 08:15 61440 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55665735-n\decora-sse.dll
    2010-03-29 23:46 . 2008-11-23 00:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 23:45 . 2008-11-23 00:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-26 00:48 . 2010-03-26 00:48 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
    2010-03-16 19:10 . 2010-01-05 20:09 -------- d-----w- c:\documents and settings\Deb\Application Data\Epson
    2010-03-16 19:06 . 2010-01-05 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\UDL
    2010-03-16 15:13 . 2007-11-27 22:17 -------- d-----w- c:\documents and settings\Deb\Application Data\uTorrent
    2010-03-15 14:54 . 2005-11-29 18:44 -------- d-----w- c:\program files\Hewlett-Packard
    2010-03-12 14:44 . 2007-11-27 22:17 -------- d-----w- c:\program files\uTorrent
    2010-03-12 09:51 . 2010-03-12 09:51 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-03-12 09:51 . 2010-03-12 09:51 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-03-12 09:51 . 2010-03-12 09:51 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-03-12 09:50 . 2009-11-19 18:40 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-12 09:50 . 2009-11-19 18:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-12 09:48 . 2009-11-19 18:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-10 12:04 . 2008-12-11 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-09 03:28 . 2009-01-19 12:48 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-08 09:54 . 2010-03-08 09:54 -------- d-----w- c:\program files\MediaMonkey
    2010-03-03 08:07 . 2009-11-18 21:39 117760 ----a-w- c:\documents and settings\Deb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-01 23:38 . 2005-11-30 01:04 -------- d-----w- c:\documents and settings\Deb\Application Data\Apple Computer
    2010-03-01 21:43 . 2010-03-01 21:20 -------- d-----w- c:\program files\Apple Software Update(2)
    2010-03-01 21:43 . 2010-03-01 21:22 -------- d-----w- c:\program files\iTunes(2)
    2010-03-01 21:43 . 2010-03-01 21:21 -------- d-----w- c:\program files\Bonjour(2)
    2010-02-25 18:45 . 2010-02-25 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
    2010-02-25 18:44 . 2010-02-25 18:44 -------- d-----w- c:\program files\PopCap Games
    2010-02-25 16:02 . 2010-02-25 16:02 152576 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-02-25 16:02 . 2010-02-25 16:02 79488 ----a-w- c:\documents and settings\Deb\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-25 06:24 . 2005-02-15 06:49 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-18 09:06 . 2010-02-18 09:06 3584 ----a-r- c:\documents and settings\Deb\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-02-18 09:06 . 2010-02-18 09:06 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-02-18 09:05 . 2010-02-18 09:05 -------- d-----w- c:\program files\MSECACHE
    2010-02-17 21:51 . 2010-02-17 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-02-17 21:29 . 2010-02-17 21:29 -------- d-----w- c:\program files\Defraggler
    2010-02-17 21:28 . 2010-02-17 21:28 -------- d-----w- c:\documents and settings\Deb\Application Data\Yahoo!
    2010-02-17 21:28 . 2008-12-11 08:07 -------- d-----w- c:\program files\Yahoo!
    2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-02-12 10:03 . 2010-02-25 17:23 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-02-04 17:09 . 2010-02-04 17:09 52224 ----a-w- c:\documents and settings\Deb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-04 08:14 . 2005-02-15 01:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "eMuleAutoStart"="c:\program files\eMule\emule.exe" [2009-02-22 5668864]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-11-06 1359967]

    c:\documents and settings\Deb\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-12-1 157000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    Sitecom Wireless Utility.lnk - c:\program files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE [2008-11-22 913408]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-4-29 331776]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-12 09:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
    2009-02-22 19:15 5668864 ----a-w- c:\program files\eMule\emule.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
    2004-07-01 19:08 53248 ----a-w- c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 08:50 155648 ------w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2004-06-29 08:03 32768 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2005-10-26 16:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-04-03 18:50 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\eMule\\emule.exe"=
    "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4661:TCP"= 4661:TCP:eMule1
    "4672:UDP"= 4672:UDP:eMule2

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/11/2009 19:40 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/11/2009 19:40 242696]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 11:44 66632]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/03/2010 10:50 308064]
    R2 WebView-Reporting-Service;WebView-Reporting-Service;c:\program files\WebView\WebView-Reporting.exe [23/02/2009 12:20 102400]
    R2 WebView-Update-Service;WebView-Update-Service;c:\program files\WebView\WebView-Updater.exe [23/02/2009 12:20 176128]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [07/01/2009 20:50 13224]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 11:44 12872]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

    2010-04-07 c:\windows\Tasks\Epson Printer Software Downloader.job
    - c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 15:03]

    2010-04-08 c:\windows\Tasks\User_Feed_Synchronization-{6DECB844-4F4C-4B16-BC41-417044116927}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hotukdeals.com/
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: autoregister.net\autoreg
    Trusted Zone: brainjuicer.com\secure
    TCP: {8B490C73-1D01-4C04-B040-790FED4782FE} = 194.168.4.100,194.168.8.100
    DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} - hxxp://www.shopandscan.com/TNSClicker.CAB
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    DPF: {3D0D2821-8011-4B1F-BE9C-27B8E74CFBEF} - hxxp://downloads.virginmedia.com/CST/ver1/VM_ActX_2.cab
    DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
    DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} - hxxp://www.shopandscan.com/TNSClickrc.CAB
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RRT-Auto - c:\documents and settings\Deb\Desktop\RRT.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    AddRemove-HP PSC 2200 Series - c:\program files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-08 13:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(524)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(348)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\slserv.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\SOUNDMAN.EXE
    c:\progra~1\Webshots\Webshots.scr
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-08 13:53:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-08 12:53
    ComboFix2.txt 2009-11-18 18:54
    ComboFix3.txt 2008-12-11 08:05

    Pre-Run: 41,862,033,408 bytes free
    Post-Run: 42,115,604,480 bytes free

    - - End Of File - - EE2821599D297CA7B7AB333747046064
     
  19. 2010/04/08
    bchirpy

    bchirpy Inactive Thread Starter

    mbam has just discovered two more items - may be to do with restore points!
     
  20. 2010/04/08
    bchirpy

    bchirpy Inactive Thread Starter

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3969

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08/04/2010 19:59:10
    mbam-log-2010-04-08 (19-59-10).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 239428
    Time elapsed: 3 hour(s), 18 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\qowdk.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP1\A0000173.sys
     
  21. 2010/04/08
    crunchie

    crunchie Inactive

    Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

    Click Yes, when prompted to install its ActiveX component.
    (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
    The program launches and downloads the latest definition files.
    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK and, under select a target to scan, select My Computer
    When the scan is done, in the Scan is completed window (below), any infection is displayed.
    There is no option to clean/disinfect, however, we need to analyze the information on the report.
    To obtain the report:
    Click on: Save Report As (above - red blinking arrow)
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.
     
