ComboFix 09-01-21.04 - Alexander 2009-01-27 15:01:04.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1251.1.1049.18.2047.1610 [GMT 2:00]
Running from: c:\documents and settings\Alexander\ \ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp80.tmp
c:\windows\system32\tmp81.tmp

.
(((((((((((((((((((((((((   Files Created from 2008-12-27 to 2009-01-27  )))))))))))))))))))))))))))))))
.

2009-01-27 15:04 . 2009-01-27 15:04	<DIR>	d--------	c:\temp\WPDNSE
2009-01-27 15:04 . 2009-01-27 15:04	53,248	--a------	c:\temp\catchme.dll
2009-01-27 14:39 . 2009-01-27 14:39	<DIR>	d--------	c:\windows\ERUNT
2009-01-27 14:38 . 2009-01-27 14:49	<DIR>	d--------	C:\SDFix
2009-01-27 00:53 . 2009-01-27 00:53	83	--a------	c:\windows\wwp.INI
2009-01-26 15:38 . 2009-01-26 15:38	<DIR>	d--------	c:\program files\Trend Micro
2009-01-26 12:23 . 2009-01-26 14:16	<DIR>	d--------	c:\documents and settings\Alexander\DoctorWeb
2009-01-24 12:03 . 2009-01-24 12:03	<DIR>	dr-h-----	c:\documents and settings\Alexander\Application Data\SecuROM
2009-01-24 12:03 . 2009-01-24 12:03	107,888	--a------	c:\windows\system32\CmdLineExt.dll
2009-01-24 11:51 . 2009-01-27 15:04	<DIR>	d--------	c:\temp\{98AED1C3-5806-4150-9AE8-FFF07EC68F79}
2009-01-24 11:51 . 2009-01-24 11:51	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\InstallShield
2009-01-21 23:10 . 2009-01-27 14:43	<DIR>	d--------	c:\temp\is-RL2LM.tmp
2009-01-21 01:19 . 2009-01-21 01:19	<DIR>	d--------	c:\program files\TechSmith
2009-01-18 22:53 . 2009-01-18 22:53	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\Simply Super Software
2009-01-18 10:52 . 2009-01-27 14:43	<DIR>	d--------	c:\temp\{BF9E9991-5094-4B7A-ACFB-AF422AE5C422}
2009-01-17 17:46 . 2009-01-27 14:43	<DIR>	d--------	c:\temp\{E56849F0-7F95-4D1D-8D04-DE9CE97B1463}
2009-01-17 17:44 . 2009-01-27 14:43	<DIR>	d--------	c:\temp\{7BE7DF0E-447A-4543-8A8A-A8D8F19C0574}
2009-01-14 20:19 . 2009-01-14 20:23	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\TranslateIt6.5
2009-01-09 22:42 . 2009-01-23 15:47	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\Skype
2009-01-09 21:40 . 2009-01-09 23:49	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\TeamViewer
2009-01-08 00:00 . 2009-01-08 00:08	<DIR>	d--------	c:\program files\uTorrent
2009-01-08 00:00 . 2009-01-26 01:00	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\uTorrent
2009-01-07 22:19 . 2009-01-07 22:19	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\Ahead
2009-01-02 18:55 . 2009-01-20 15:38	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\Thinstall
2008-12-29 22:36 . 2008-12-29 22:36	<DIR>	d--------	c:\windows\system32\LogFiles
2008-12-29 22:35 . 2009-01-27 15:04	<DIR>	d--h-----	c:\temp\NccTemp
2008-12-29 22:34 . 2009-01-27 15:04	<DIR>	d--h-----	c:\temp\NGLATempNokia
2008-12-29 22:31 . 2008-12-29 22:31	<DIR>	d--------	c:\program files\PC Connectivity Solution
2008-12-29 22:31 . 2008-12-29 22:31	<DIR>	d--------	c:\program files\Common Files\Nokia
2008-12-29 22:31 . 2008-08-26 09:26	18,816	--a------	c:\windows\system32\drivers\pccsmcfd.sys
2008-12-29 13:49 . 2004-08-03 23:08	25,600	--a------	c:\windows\system32\drivers\usbser.sys
2008-12-29 13:49 . 2004-08-03 23:08	25,600	--a--c---	c:\windows\system32\dllcache\usbser.sys
2008-12-29 13:48 . 2008-03-21 13:57	14,640	---------	c:\windows\system32\spmsgXP_2k3.dll
2008-12-29 13:48 . 2008-12-29 13:48	0	--ah-----	c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-29 13:48 . 2008-12-29 13:48	0	--ah-----	c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2008-12-29 13:42 . 2008-12-29 13:42	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Nokia
2008-12-29 13:40 . 2008-09-15 07:29	1,112,288	--a------	c:\windows\system32\wdfcoinstaller01007.dll
2008-12-29 13:40 . 2008-09-15 07:56	659,968	--a------	c:\windows\system32\nmwcdcocls.dll
2008-12-29 13:40 . 2008-09-15 07:56	22,016	--a------	c:\windows\system32\drivers\ccdcmbo.sys
2008-12-29 13:40 . 2008-09-15 07:56	17,664	--a------	c:\windows\system32\drivers\ccdcmb.sys
2008-12-29 13:40 . 2008-09-15 07:56	8,064	--a------	c:\windows\system32\drivers\usbser_lowerfltj.sys
2008-12-29 13:40 . 2008-09-15 07:56	8,064	--a------	c:\windows\system32\drivers\usbser_lowerflt.sys
2008-12-29 13:39 . 2008-02-01 15:17	138,112	--a------	c:\windows\system32\drivers\nmwcdnsu.sys
2008-12-29 13:39 . 2008-02-01 15:17	8,320	--a------	c:\windows\system32\drivers\nmwcdnsuc.sys
2008-12-29 13:38 . 2008-12-29 13:38	<DIR>	d--------	c:\program files\MSXML 6.0
2008-12-29 13:37 . 2008-12-29 22:29	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Installations
2008-12-29 12:52 . 2008-12-29 23:17	<DIR>	d--------	c:\documents and settings\Alexander\Application Data\Nokia

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 13:04	---------	d-----w	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-27 13:02	6,044	--sha-w	c:\windows\system32\drivers\fidbox2.idx
2009-01-27 13:02	532,512	--sha-w	c:\windows\system32\drivers\fidbox2.dat
2009-01-27 13:02	4,150,304	--sha-w	c:\windows\system32\drivers\fidbox.dat
2009-01-27 13:02	36,648	--sha-w	c:\windows\system32\drivers\fidbox.idx
2009-01-26 21:55	---------	d-----w	c:\documents and settings\Alexander\Application Data\XnView
2009-01-24 13:14	---------	d-----w	c:\program files\Common Files\Adobe
2009-01-24 10:19	413,696	----a-w	c:\windows\system32\wrap_oal.dll
2009-01-24 10:19	110,592	----a-w	c:\windows\system32\OpenAL32.dll
2009-01-24 10:19	---------	d-----w	c:\program files\OpenAL
2009-01-24 09:52	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-01-21 21:10	---------	d-----w	c:\program files\QIP
2009-01-11 09:44	---------	d-----w	c:\program files\docXConverter
2008-12-29 20:35	---------	d-----w	c:\documents and settings\All Users\Application Data\PC Suite
2008-12-29 20:31	---------	d-----w	c:\program files\Nokia
2008-12-29 20:31	---------	d-----w	c:\program files\Common Files\PCSuite
2008-12-29 20:28	---------	d-----w	c:\documents and settings\All Users\Application Data\Downloaded Installations
2008-12-29 10:53	---------	d-----w	c:\documents and settings\Alexander\Application Data\PC Suite
2008-12-23 07:20	---------	d-----w	c:\program files\Common Files\DirectX
2008-12-11 12:10	1,186	----a-w	c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
2008-12-09 15:23	---------	d-----w	c:\documents and settings\Alexander\Application Data\QIP
2008-12-09 09:20	---------	d-----w	c:\documents and settings\Alexander\Application Data\Canon
2008-12-04 13:06	134	---ha-w	c:\documents and settings\Alexander\Application Data\brara1985.sys
2008-12-04 12:56	137	---ha-w	c:\documents and settings\Alexander\Application Data\lakerda1967.sys
2008-12-04 12:55	360,580	----a-w	c:\windows\eSellerateEngine.dll
2008-12-04 12:55	---------	d-----w	c:\program files\Common Files\eSellerate
2008-12-01 10:30	---------	d-----w	c:\documents and settings\Alexander\Application Data\DivX
2008-12-01 10:29	---------	d-----w	c:\program files\DivX
2008-12-01 10:09	---------	d-----w	c:\program files\GIF Movie Gear
2008-10-29 09:24	831,048	----a-w	c:\windows\system32\WudfUpdate_01005.dll
2008-10-28 22:36	823,296	----a-w	c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36	823,296	----a-w	c:\windows\system32\divx_xx07.dll
2008-10-28 22:35	815,104	----a-w	c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35	802,816	----a-w	c:\windows\system32\divx_xx11.dll
2008-10-28 22:35	684,032	----a-w	c:\windows\system32\DivX.dll
2008-10-28 22:06	52,736	----a-w	c:\windows\ipuninst.exe
2007-07-26 20:47	66,408	----a-w	c:\program files\mozilla firefox\components\jar50.dll
2007-07-26 20:47	54,112	----a-w	c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-26 20:47	34,688	----a-w	c:\program files\mozilla firefox\components\myspell.dll
2007-07-26 20:47	46,456	----a-w	c:\program files\mozilla firefox\components\spellchk.dll
2007-07-26 20:47	171,880	----a-w	c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-19 19:09	16,384	--sha-w	c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-10-19 19:09	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-10-19 19:09	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101920081020\index.dat
2008-10-19 19:09	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2006-10-14 22:38  360576  bb4d3a8e6f7eb1d370bc4ad27ab23368	c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-18 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"IE7_012"="advpack.dll" [2007-08-17 c:\windows\system32\advpack.dll]
"IE7_013"="rebuild.exe" [2007-07-05 c:\windows\system32\rebuild.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Start_NotifyNewApps"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"Start_NotifyNewApps"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ ^^^  Adobe Reader.lnk]
path=c:\documents and settings\All Users\ \\\  Adobe Reader.lnk
backup=c:\windows\pss\  Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-29 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-12-29 8320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beae8dd6-bae2-11dd-8fdb-00e06fcc8345}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lin32.exe
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://meta.ua/
uInternet Settings,ProxyOverride = *.local
IE: &  Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 15:04:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-27 15:05:47 - machine was rebooted
ComboFix-quarantined-files.txt  2009-01-27 13:05:44

Pre-Run: 24380952576  
Post-Run: 24,380,063,744  

