[TS2009]

Part II OTL Log

REST OF OTL LOG, Had to break it into parts !
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)
========== Files/Folders - Created Within 30 Days ==========

[2010/08/13 17:20:05 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
[2010/08/13 12:43:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\FCC07EEAFA184A2191059666603C6885.TMP
[2010/08/11 13:45:55 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/08/11 13:45:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\xfsmoetnw
[2010/08/11 13:45:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/06 21:27:49 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\TFC.exe
[2010/08/04 23:30:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\hnhwuwfuh
[2010/08/04 13:02:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/08/04 13:01:50 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2010/08/04 13:00:15 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar Installer
[2010/08/04 12:59:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/03 00:28:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/08/03 00:28:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/08/02 21:54:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/02 21:54:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/02 12:44:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/07/28 21:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/28 21:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/26 10:55:49 | 000,000,000 | ---D | C] -- C:\Program Files\3ivx
[2010/07/26 10:55:04 | 000,000,000 | ---D | C] -- C:\Program Files\Flip Video
[2010/07/26 10:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/07/24 19:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/24 19:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
[2010/08/13 17:07:57 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\gmer.zip
[2010/08/13 17:02:27 | 000,869,051 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\SecurityCheck.exe
[2010/08/13 16:57:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/13 13:21:49 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\Yahoo!.url
[2010/08/13 13:18:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/13 13:18:53 | 000,013,747 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/08/13 13:17:51 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/13 13:17:33 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/13 13:17:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/13 13:17:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/13 13:17:25 | 535,875,584 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/13 12:26:42 | 005,509,120 | ---- | M] () -- C:\Documents and Settings\shannon1\ntuser.dat
[2010/08/13 12:26:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\shannon1\ntuser.ini
[2010/08/13 10:07:29 | 000,784,384 | ---- | M] () -- C:\WINDOWS\System32\drivers\trosieu.sys
[2010/08/11 17:29:24 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\Aviation, Classifieds, Lazair,Kitfox,Avid Flyer, Challenger, Homebuilts, Airplane for Sale, Aircraft Listings - Lazair.com (Powered by Invision Power Board).url
[2010/08/11 14:29:43 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/08 09:16:48 | 000,000,648 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/08 09:12:32 | 000,087,040 | ---- | M] () -- C:\Documents and Settings\shannon1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/06 21:33:05 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\shannon1\Desktop\erunt_setup.exe
[2010/08/06 21:27:56 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\TFC.exe
[2010/08/06 17:02:53 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/26 16:29:47 | 000,042,980 | ---- | M] () -- C:\WINDOWS\System32\oiffl
[2010/07/26 16:29:44 | 000,105,472 | ---- | M] () -- C:\WINDOWS\System32\klgd.bmp
[2010/07/26 10:57:20 | 000,001,015 | R--- | M] () -- C:\logFile.xsl
[2010/07/26 10:55:41 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FlipShare.lnk
[2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/13 17:07:56 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\shannon1\Desktop\gmer.zip
[2010/08/13 17:02:21 | 000,869,051 | ---- | C] () -- C:\Documents and Settings\shannon1\Desktop\SecurityCheck.exe
[2010/08/11 13:46:10 | 000,784,384 | ---- | C] () -- C:\WINDOWS\System32\drivers\trosieu.sys
[2010/07/26 16:29:47 | 000,042,980 | ---- | C] () -- C:\WINDOWS\System32\oiffl
[2010/07/26 16:29:44 | 000,105,472 | ---- | C] () -- C:\WINDOWS\System32\klgd.bmp
[2010/07/26 10:57:20 | 000,001,015 | R--- | C] () -- C:\logFile.xsl
[2010/07/26 10:55:41 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FlipShare.lnk
[2010/07/24 11:13:49 | 005,509,120 | ---- | C] () -- C:\Documents and Settings\shannon1\ntuser.dat
[2008/08/21 14:52:11 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2008/02/19 01:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/06/01 15:21:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005/07/05 14:34:39 | 000,000,663 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2005/07/05 14:33:57 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2005/07/05 13:08:12 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/07/05 02:41:26 | 000,000,476 | ---- | C] () -- C:\WINDOWS\DELLSTAT.INI
[2005/07/05 02:41:11 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbavs.dll
[2005/07/05 02:40:49 | 000,000,177 | ---- | C] () -- C:\WINDOWS\System32\dlbacoin.ini
[2005/07/05 02:36:23 | 000,004,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2003/08/14 01:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[Advertisements]

Parts of the log from OTL.txt and the Extras.txt is missing.

Please post the content of OTL.txt and Extras.txt again.


Also Which security programs have you installed?
Which of them are you using and which have you stopped using?

Are you getting redirected now?

Edited by heir, 14 August 2010 - 12:06 AM.
added question

[heir]

Parts of the log from OTL.txt and the Extras.txt is missing.

Please post the content of OTL.txt and Extras.txt again.


Also Which security programs have you installed?
Which of them are you using and which have you stopped using?

Are you getting redirected now?

Edited by heir, 14 August 2010 - 12:06 AM.
added question

[TS2009]

Bad news, the Wireshark came back before I could finish posting the OTL and Extras Logs. I'm back on a different computer this morning. I'm currently re-running Malwarebytes and will post the new Log as soon as I can. I'm only using Mcafee which seems to be totally disabled right now.

[heir]

OK

[TS2009]

This stuff keeps coming back before I can get anything fixed. I managed to run Malware again this morning.

Here's the log. Says everything is gone but it's just going to come back. McAfee still warning me... can't get it fixed.


Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

5:35:19 PM 8/21/2008
mbam-log-08-21-2008 (17-35-19).txt

Scan type: Quick Scan
Objects scanned: 50271
Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\lphctgpj0e7dc.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctgpj0e7dc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphctgpj0e7dc.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphctgpj0e7dc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phctgpj0e7dc.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

[heir]

Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

5:35:19 PM 8/21/2008
mbam-log-08-21-2008 (17-35-19).txt

That's a two year old log.

I need those logs (complete)
Lets do this again.

Step 1.
MBAM-scan:

Please run MBAM (quick-scan) let it remove whats found.
Post the log in your reply.


Step 2.
GMER-scan:

• Double click GMER.exe.
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
    
    Click the image to enlarge it
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
• Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.


Step 3.
OTL-scan:

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Standard Output.
• Underneath the option Extra Registry change it to Use SafeList.
• Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
• Under the Custom Scan box paste this in
  
  

  netsvcs
  %SYSTEMDRIVE%\*.*
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\Fonts\*.exe
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg
  %systemroot%\*.jpg
  %systemroot%\*.png
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.*
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  %systemroot%\System32\config\*.sav
  %PROGRAMFILES%\bak. /s
  %systemroot%\system32\bak. /s
  %ALLUSERSPROFILE%\Start Menu\*.lnk /x
  %systemroot%\system32\config\systemprofile\*.dat /x
  %systemroot%\*.config
  %systemroot%\system32\*.db
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Step 4.
Things I would like to see in your reply:

• The content of mbam-log from step 1.
• The content of ark.txt from step 2.
• The content of OTL.txt and Extras.txt from step 3.

Edited by heir, 15 August 2010 - 08:54 AM.
typo

[TS2009]

Man I'm working on it. That was a current log but my clock time was messed up and I couldn't change it. I'm making some progress now. I've run Malware while using the taskbar to repeatly neutralize Wireshark ect.... While the Shark was at bay I uninstalled McAfee and loaded up Kaspersky. Things are now working again and I'm going to run a new complete Malwarebytes scan (2 hour process) to see if anything is present and put up another log. This is the Damnest crap I've run up against yet. Stay tuned !!!

[heir]

No that wasa even done with an outdated version of MBAM.

Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

No need to run a full scan with MBAM quick-scan is enough for now.

If MBAM won't run rename mbam.exe to mbam.com as in the guide for removing Wireshark.. remember to rename it back again.

Edited by heir, 15 August 2010 - 10:55 AM.
added last sentence

[TS2009]

Latest Mbam Log !
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4424

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/15/2010 2:18:45 PM
mbam-log-2010-08-15 (14-18-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 199436
Time elapsed: 2 hour(s), 27 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[heir]

OK waiting for the logs from GMER and OTL.

[TS2009]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-15 15:57:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\shannon1\LOCALS~1\Temp\axldypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF270658C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF2706E0C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xF2707922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xF2707E94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xF27070EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xF2705436]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xF2707D6C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xF2706192]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xF2707C28]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xF270634E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xF2707FC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF2709C08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xF2706AAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xF2707CCA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xF27095FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xF27059FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xF2705D88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xF2707576]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xF270A5CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xF2705ECA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xF2705F74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xF2707382]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xF270968C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xF2705412]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xF2705424]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xF2709CBC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xF27060C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xF2707F36]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xF2706E8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xF27055DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xF2707E04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xF2706792]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xF2709C32]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xF2708068]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xF27066B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xF270601E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xF2705C46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xF2709FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xF2705896]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xF2709922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xF2705B0E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xF27052B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xF27083F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xF27082B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xF270939A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xF270CE2C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xF270A4AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xF2705248]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xF270765C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xF2706CC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xF2708C4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xF2709786]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xF270A114]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xF270571E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xF270A1F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xF270A320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xF2709526]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xF270690A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xF2706860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xF2709E8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xF27069EA]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [4E, 63, 70, F2, C6, 7F, 70, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [8C, 96, 70, F2, 12, 54, 70, ...] {MOV WORD [ESI+0x5412f270], SS; JO 0xfffffffffffffffa; AND AL, 0x54; JO 0xfffffffffffffffe}
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 16 Bytes [0E, 5B, 70, F2, B0, 52, 70, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [F8, A1, 70, F2, 20, A3, 70, ...]
.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 4 Bytes JMP B6F27069

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[756] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[756] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[756] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1420] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1420] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1420] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 33, 6D]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 3E352139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 3E35216A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3484] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

[TS2009]

OTL:

OTL logfile created on: 8/15/2010 4:14:35 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\shannon1\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 208.00 Mb Available Physical Memory | 41.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 49.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 47.62 Gb Free Space | 63.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SHANNON
Current User Name: shannon1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
PRC - [2010/02/22 09:23:32 | 000,755,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\fa9033ce5fe9893052be754add448e10\update\update.exe
PRC - [2009/10/20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
PRC - [2009/10/20 20:34:38 | 000,207,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/03 15:48:49 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/11/01 17:13:26 | 000,151,552 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
PRC - [2006/12/18 19:13:04 | 002,465,792 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
PRC - [2002/01/30 19:30:48 | 000,212,992 | ---- | M] (Nikon Corporation) -- C:\Program Files\Nikon\NkView5\NkvMon.exe


========== Modules (SafeList) ==========

MOD - [2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2009/10/20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe -- (AVP)


========== Driver Services (SafeList) ==========

DRV - [2010/08/15 10:38:30 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/14 21:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2009/10/02 19:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 14:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2006/10/20 14:03:04 | 000,183,552 | ---- | M] (CyberLink Corporation.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\CLBUDFR.sys -- (CLBUDFR)
DRV - [2006/10/20 14:03:04 | 000,010,368 | ---- | M] (Cyberlink Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\CLBStor.sys -- (CLBStor)
DRV - [2003/08/28 18:58:00 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [2003/05/02 15:19:00 | 001,312,555 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2003/10/08 00:54:06 | 000,000,000 | ---D | M]

[2010/08/10 08:34:02 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2009/04/17 13:53:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [EverioService] C:\Program Files\CyberLink\PCM4Everio\EverioService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKCU..\Run: [Power2GoExpress] C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (Cyberlink)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\shannon1\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...90/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1174165687968 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\shannon1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\shannon1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) - File not found
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/05 01:00:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (15776209447157760)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/15 16:14:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/08/13 17:20:05 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
[2010/08/13 12:43:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\FCC07EEAFA184A2191059666603C6885.TMP
[2010/08/11 13:45:55 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/08/11 13:45:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\xfsmoetnw
[2010/08/11 13:45:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/06 21:27:49 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\TFC.exe
[2010/08/04 23:30:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\hnhwuwfuh
[2010/08/04 13:02:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/08/04 13:01:50 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2010/08/04 13:00:15 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar Installer
[2010/08/04 12:59:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/03 00:28:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/08/03 00:28:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/08/02 21:54:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/02 21:54:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/02 12:44:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/07/28 21:00:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/28 21:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/26 10:55:49 | 000,000,000 | ---D | C] -- C:\Program Files\3ivx
[2010/07/26 10:55:04 | 000,000,000 | ---D | C] -- C:\Program Files\Flip Video
[2010/07/26 10:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/07/24 19:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/24 19:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/15 15:57:06 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/15 14:31:12 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/15 13:55:49 | 000,000,620 | -HS- | M] () -- C:\WINDOWS\KLIF.spi
[2010/08/15 11:29:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/15 11:28:11 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/15 11:28:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/15 11:28:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/15 11:28:02 | 535,875,584 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/15 10:49:39 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\shannon1\ntuser.ini
[2010/08/15 10:49:38 | 005,509,120 | ---- | M] () -- C:\Documents and Settings\shannon1\ntuser.dat
[2010/08/15 10:38:30 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/08/15 10:38:26 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/08/15 10:38:26 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/08/13 17:20:05 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\OTL.exe
[2010/08/13 17:07:57 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\gmer.zip
[2010/08/13 17:02:27 | 000,869,051 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\SecurityCheck.exe
[2010/08/13 13:21:49 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\Yahoo!.url
[2010/08/11 17:29:24 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\shannon1\Desktop\Aviation, Classifieds, Lazair,Kitfox,Avid Flyer, Challenger, Homebuilts, Airplane for Sale, Aircraft Listings - Lazair.com (Powered by Invision Power Board).url
[2010/08/11 14:29:43 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/08 09:16:48 | 000,000,648 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/08 09:12:32 | 000,087,040 | ---- | M] () -- C:\Documents and Settings\shannon1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/06 21:33:05 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\shannon1\Desktop\erunt_setup.exe
[2010/08/06 21:27:56 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\shannon1\Desktop\TFC.exe
[2010/08/06 17:02:53 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/26 16:29:47 | 000,042,980 | ---- | M] () -- C:\WINDOWS\System32\oiffl
[2010/07/26 16:29:44 | 000,105,472 | ---- | M] () -- C:\WINDOWS\System32\klgd.bmp
[2010/07/26 10:57:20 | 000,001,015 | R--- | M] () -- C:\logFile.xsl
[2010/07/26 10:55:41 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FlipShare.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/15 12:08:50 | 000,000,620 | -HS- | C] () -- C:\WINDOWS\KLIF.spi
[2010/08/13 17:07:56 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\shannon1\Desktop\gmer.zip
[2010/08/13 17:02:21 | 000,869,051 | ---- | C] () -- C:\Documents and Settings\shannon1\Desktop\SecurityCheck.exe
[2010/07/26 16:29:47 | 000,042,980 | ---- | C] () -- C:\WINDOWS\System32\oiffl
[2010/07/26 16:29:44 | 000,105,472 | ---- | C] () -- C:\WINDOWS\System32\klgd.bmp
[2010/07/26 10:57:20 | 000,001,015 | R--- | C] () -- C:\logFile.xsl
[2010/07/26 10:55:41 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FlipShare.lnk
[2010/07/24 11:13:49 | 005,509,120 | ---- | C] () -- C:\Documents and Settings\shannon1\ntuser.dat
[2008/08/21 14:52:11 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2008/02/19 01:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/06/01 15:21:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005/07/05 14:34:39 | 000,000,663 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2005/07/05 14:33:57 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2005/07/05 13:08:12 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/07/05 02:41:26 | 000,000,476 | ---- | C] () -- C:\WINDOWS\DELLSTAT.INI
[2005/07/05 02:41:11 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbavs.dll
[2005/07/05 02:40:49 | 000,000,177 | ---- | C] () -- C:\WINDOWS\System32\dlbacoin.ini
[2005/07/05 02:36:23 | 000,004,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2003/08/14 01:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

========== LOP Check ==========

[2005/07/05 02:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010/07/26 10:55:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2005/07/05 13:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MCA3A.tmp
[2010/08/04 08:41:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/11 19:12:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2005/07/05 19:17:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\shannon1\Application Data\Leadertech

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/07/05 01:00:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/07/07 13:50:55 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2009/04/16 17:55:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2005/07/05 01:00:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/08/23 22:51:16 | 000,022,513 | ---- | M] () -- C:\DVDimport0.jpg
[2008/08/23 22:51:16 | 000,022,845 | ---- | M] () -- C:\DVDimport1.jpg
[2008/03/17 07:20:23 | 003,113,349 | ---- | M] () -- C:\Fly-in 031.JPG
[2010/08/15 11:28:02 | 535,875,584 | -HS- | M] () -- C:\hiberfil.sys
[2005/07/05 01:00:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/07/26 10:57:20 | 000,001,015 | R--- | M] () -- C:\logFile.xsl
[2005/07/05 01:00:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2005/07/07 13:39:31 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/08/24 08:19:09 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/15 11:28:01 | 803,708,928 | -HS- | M] () -- C:\pagefile.sys
[2008/12/17 16:44:08 | 000,040,960 | -H-- | M] () -- C:\PCM.db
[2003/04/29 12:31:44 | 000,000,386 | ---- | M] () -- C:\Version.txt

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2005/07/05 01:00:19 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2003/02/05 10:06:16 | 000,077,824 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\DLBAPP5C.DLL
[2002/05/14 16:50:34 | 000,011,264 | ---- | M] (BVRP Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\wfxprint2000.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2005/07/04 19:19:57 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/07/04 19:19:57 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/07/04 19:19:57 | 000,413,696 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2008/08/24 08:29:21 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-16 08:06:46

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

[TS2009]

OTL Extras logfile created on: 8/15/2010 4:14:35 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\shannon1\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 208.00 Mb Available Physical Memory | 41.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 49.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 47.62 Gb Free Space | 63.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SHANNON
Current User Name: shannon1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{22D90DD2-8654-4E8A-B2F1-B6B86A2BF390}" = UDF Reader 5.0
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39CEE1F2-12B6-4C50-9131-04BFCA110578}" = PowerCinema NE for Everio
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{4468EF97-A253-4699-9E1C-88CAE2C6832D}" = ABBYY FineReader 5.0 Sprint
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 5
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{CF9CD37C-E29A-11D5-AE3D-005004B8E30C}" = Digital Photo Navigator 1.5
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FCC07EEA-FA18-4A21-9105-9666603C6885}" = McAfee Virtual Technician
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ArcSoft Software Suite" = ArcSoft Software Suite
"Dell AIO Printer A940" = Dell AIO Printer A940
"ERUNT_is1" = ERUNT 1.1j
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PROSet" = Intel® PRO Network Adapters and Drivers
"QuickTime" = QuickTime
"SpywareBlaster_is1" = SpywareBlaster 4.1
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger Explorer Bar" = Yahoo! Messenger Explorer Bar
"Yahoo! Photos Drag-Drop Uploader 1v6" = Yahoo! Photos Easy Upload Tool 1v6
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2003 1:54:23 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/8/2003 1:56:28 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/15/2010 11:23:55 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 8/15/2010 11:23:56 AM | Computer Name = SHANNON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 10/8/2003 1:00:40 AM | Computer Name = SHANNON | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 10/8/2003 1:01:31 AM | Computer Name = SHANNON | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by +216293236 seconds. The time service will not change the system time by more
than +54000 seconds. Verify that your time and time zone are correct, and that
the time source time.windows.com (ntp.m|0x1|72.219.15.252:123->207.46.232.182:123)
is working properly.

Error - 10/8/2003 1:02:01 AM | Computer Name = SHANNON | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 10/8/2003 1:48:16 AM | Computer Name = SHANNON | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 10/8/2003 1:48:16 AM | Computer Name = SHANNON | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 10/8/2003 1:48:16 AM | Computer Name = SHANNON | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 8/15/2010 11:51:15 AM | Computer Name = SHANNON | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 8/15/2010 11:51:15 AM | Computer Name = SHANNON | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 8/15/2010 11:56:23 AM | Computer Name = SHANNON | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 8/15/2010 12:28:17 PM | Computer Name = SHANNON | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.


< End of report >

[heir]

Download ComboFix from one of these locations:

Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
  They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[TS2009]

Sorry for the delay. Here's the Combo-Fix log


ComboFix 10-08-16.04 - shannon1 08/17/2010 9:45.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.231 [GMT -5:00]
Running from: c:\documents and settings\shannon1\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\program files\Shared
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\lrg.txt
c:\windows\system32\qks.txt
c:\windows\system32\xef.txt
c:\windows\wiaservim.log

.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-15 15:47 . 2010-08-15 15:47 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-08-15 15:47 . 2010-08-15 15:47 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-08-15 15:47 . 2010-08-15 15:47 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-08-15 15:47 . 2010-08-15 15:47 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-08-15 15:47 . 2010-08-15 15:47 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-08-15 15:38 . 2010-08-15 15:38 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-08-15 15:38 . 2010-08-15 15:38 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-08-15 15:38 . 2010-08-15 15:38 19472 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-08-15 15:38 . 2010-08-15 15:38 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-08-15 15:38 . 2010-08-15 15:38 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-08-15 15:38 . 2010-08-15 15:38 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-08-15 15:38 . 2010-08-15 15:38 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-08-15 15:38 . 2010-08-15 15:38 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-08-15 15:38 . 2010-08-15 15:38 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-08-15 15:38 . 2010-08-15 15:38 17936 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-08-15 15:38 . 2010-08-15 15:38 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-08-15 15:38 . 2010-08-15 15:38 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-08-13 17:43 . 2010-08-13 17:43 -------- d-----w- c:\windows\FCC07EEAFA184A2191059666603C6885.TMP
2010-08-13 15:07 . 2010-08-13 15:07 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-11 18:45 . 2010-08-13 16:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\xfsmoetnw
2010-08-11 18:45 . 2010-08-12 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-05 04:30 . 2010-08-05 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\hnhwuwfuh
2010-08-04 18:02 . 2010-08-04 18:02 -------- d-----w- c:\program files\Microsoft
2010-08-04 18:01 . 2010-08-04 18:01 -------- d-----w- c:\program files\MSN Toolbar
2010-08-04 18:00 . 2010-08-04 18:02 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-08-04 17:59 . 2010-08-04 17:59 12800 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5266a383-n\decora-d3d.dll
2010-08-04 17:59 . 2010-08-04 17:59 61440 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5266a383-n\decora-sse.dll
2010-08-04 17:59 . 2010-08-04 17:59 503808 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-19dfc707-n\msvcp71.dll
2010-08-04 17:59 . 2010-08-04 17:59 499712 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-19dfc707-n\jmc.dll
2010-08-04 17:59 . 2010-08-04 17:59 348160 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-19dfc707-n\msvcr71.dll
2010-08-04 17:57 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 05:28 . 2010-08-03 05:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-08-02 17:44 . 2010-08-02 17:44 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-29 02:00 . 2010-07-29 02:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-26 15:55 . 2010-07-26 15:55 -------- d-----w- c:\program files\3ivx
2010-07-26 15:55 . 2010-07-26 15:55 -------- d-----w- c:\program files\Flip Video
2010-07-26 15:55 . 2010-07-26 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 15:02 . 2003-10-08 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-08-17 13:13 . 2003-10-08 05:55 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-08-17 13:13 . 2003-10-08 05:55 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-08-17 12:26 . 2008-04-03 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-15 16:27 . 2005-07-05 00:28 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-11 19:29 . 2008-08-21 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 22:02 . 2009-04-06 19:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-04 17:59 . 2006-07-07 02:37 -------- d-----w- c:\program files\Common Files\Java
2010-08-04 17:57 . 2006-07-07 02:38 -------- d-----w- c:\program files\Java
2010-08-04 13:41 . 2008-08-22 14:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-03 03:49 . 2010-08-03 06:23 227452 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-06-30 12:31 . 2003-07-16 20:43 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2005-04-27 15:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2003-07-16 20:25 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2003-07-16 20:51 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-07-16 20:46 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2003-07-16 20:29 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-07-05 05:58 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2003-07-16 20:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-23 01:49 . 2010-05-23 01:49 503808 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-146adff6-n\msvcp71.dll
2010-05-23 01:49 . 2010-05-23 01:49 348160 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-146adff6-n\msvcr71.dll
2010-05-23 01:49 . 2010-05-23 01:49 499712 ----a-w- c:\documents and settings\shannon1\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-146adff6-n\jmc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-03 68856]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2006-12-19 2465792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\shannon1\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-7-5 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2005-7-5 212992]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [2/13/2009 8:48 AM 10368]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [2/13/2009 8:48 AM 183552]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:37 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-03 22:20]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:36]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 10:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-17 10:10:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 15:09

Pre-Run: 55,236,325,376 bytes free
Post-Run: 57,453,428,736 bytes free

- - End Of File - - C17FFC26F632F5B97E63DEABCE5FA443