ComboFix 09-04-01.01 -   2009-04-03 20:56:42.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1251.1.1049.18.1535.1083 [GMT 4:00]
Running from: c:\documents and settings\ \ \ComboFix.exe
Command switches used :: c:\documents and settings\ \ \WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ \Application Data\BITS
c:\documents and settings\ \Application Data\BITS\BITS.ini
c:\documents and settings\ \Application Data\BITS\DHTTable.dat
c:\documents and settings\ \Application Data\BITS\ProxyList.ini
c:\documents and settings\ \Application Data\BITS\UPnP.ini
c:\recycled\Recycled
c:\windows\autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2009-03-03 to 2009-04-03  )))))))))))))))))))))))))))))))
.

2009-04-03 19:10 . 2009-04-03 19:10	<DIR>	d--------	c:\documents and settings\ \Application Data\Malwarebytes
2009-04-03 19:10 . 2009-03-26 16:49	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-04-03 19:09 . 2009-04-03 19:10	<DIR>	d--------	C:\Malwarebytes' Anti-Malware
2009-04-03 19:09 . 2009-04-03 19:09	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 19:09 . 2009-03-26 16:49	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 13:58 . 2008-10-24 15:21	455,296	-----c---	c:\windows\system32\dllcache\mrxsmb.sys
2009-04-03 13:58 . 2008-12-11 14:57	333,952	-----c---	c:\windows\system32\dllcache\srv.sys
2009-04-03 13:57 . 2008-10-15 20:37	337,408	-----c---	c:\windows\system32\dllcache\netapi32.dll
2009-04-03 01:13 . 2009-04-03 01:14	11,264	--a------	c:\windows\system32\drivers\uzmzntuz.sys
2009-04-03 00:57 . 2009-04-03 00:57	<DIR>	d--------	c:\documents and settings\\DoctorWeb
2009-04-03 00:57 . 2009-04-03 00:57	<DIR>	d--------	c:\documents and settings\\DoctorWeb
2009-04-03 00:47 . 2008-08-31 20:33	<DIR>	d--h-----	c:\documents and settings\\
2009-04-03 00:47 . 2008-08-31 20:33	<DIR>	d--h-----	c:\documents and settings\\
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	d--------	c:\documents and settings\\ 
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	d--------	c:\documents and settings\\ 
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	d--------	c:\documents and settings\\ 
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	d--------	c:\documents and settings\\ 
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	dr-------	c:\documents and settings\\ 
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	dr-------	c:\documents and settings\\ 
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	d--------	c:\documents and settings\\
2009-04-03 00:47 . 2008-09-01 00:25	<DIR>	d--------	c:\documents and settings\\
2009-04-03 00:47 . 2009-04-03 00:57	<DIR>	d--------	c:\documents and settings\
2009-04-02 20:54 . 2009-04-02 21:21	101,287	--a------	c:\windows\system32\drivers\klin.dat
2009-04-02 20:54 . 2009-04-02 21:21	89,601	--a------	c:\windows\system32\drivers\klick.dat
2009-04-02 20:53 . 2009-04-02 20:53	<DIR>	d--------	c:\program files\Kaspersky Lab
2009-04-02 20:53 . 2009-04-03 21:02	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-02 20:53 . 2009-04-03 21:00	1,903,136	--ahs----	c:\windows\system32\drivers\fidbox.dat
2009-04-02 20:53 . 2009-04-03 21:02	311,328	--ahs----	c:\windows\system32\drivers\fidbox2.dat
2009-04-02 20:53 . 2009-04-03 21:00	16,996	--ahs----	c:\windows\system32\drivers\fidbox.idx
2009-04-02 20:53 . 2009-04-03 21:02	3,192	--ahs----	c:\windows\system32\drivers\fidbox2.idx
2009-04-01 23:59 . 2009-04-02 00:12	<DIR>	d--------	c:\program files\ICQ6.5
2009-04-01 21:14 . 2009-04-01 23:20	<DIR>	d--------	c:\program files\QIP
2009-04-01 21:09 . 2009-04-01 21:09	<DIR>	d--------	c:\documents and settings\ \Application Data\QIP
2009-03-06 14:02 . 2009-04-03 00:05	<DIR>	d--------	c:\program files\HtmlReader

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 17:21	33,808	----a-w	c:\windows\system32\drivers\klbg.sys
2009-04-01 20:11	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-03-28 11:09	---------	d-----w	c:\program files\FlashGet
2009-03-24 20:03	---------	d-----w	c:\documents and settings\ \Application Data\uTorrent
2009-03-10 15:32	---------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 10:32	---------	d-----w	c:\documents and settings\ \Application Data\WebMoney
2009-02-04 07:27	3,488,768	----a-w	c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 05:57	11,702,272	----a-w	c:\windows\system32\atioglxx.dll
2009-02-04 05:03	290,816	----a-w	c:\windows\system32\atiok3x2.dll
2009-02-04 04:56	442,368	----a-w	c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:55	324,096	----a-w	c:\windows\system32\ati2dvag.dll
2009-02-04 04:44	196,608	----a-w	c:\windows\system32\atipdlxx.dll
2009-02-04 04:44	155,648	----a-w	c:\windows\system32\Oemdspif.dll
2009-02-04 04:43	43,520	----a-w	c:\windows\system32\ati2edxx.dll
2009-02-04 04:43	26,112	----a-w	c:\windows\system32\Ati2mdxx.exe
2009-02-04 04:43	155,648	----a-w	c:\windows\system32\ati2evxx.dll
2009-02-04 04:41	602,112	----a-w	c:\windows\system32\ati2evxx.exe
2009-02-04 04:40	53,248	----a-w	c:\windows\system32\ATIDDC.DLL
2009-02-04 04:30	3,884,768	----a-w	c:\windows\system32\ati3duag.dll
2009-02-04 04:14	2,645,504	----a-w	c:\windows\system32\ativvaxx.dll
2009-02-04 03:58	49,664	----a-w	c:\windows\system32\amdpcom32.dll
2009-02-04 03:54	471,040	----a-w	c:\windows\system32\atikvmag.dll
2009-02-04 03:53	122,880	----a-w	c:\windows\system32\atiadlxx.dll
2009-02-04 03:52	53,248	----a-w	c:\windows\system32\drivers\ati2erec.dll
2009-02-04 03:52	17,408	----a-w	c:\windows\system32\atitvo32.dll
2009-02-04 03:46	626,688	----a-w	c:\windows\system32\ati2cqag.dll
2009-02-04 03:44	307,200	----a-w	c:\windows\system32\atiiiexx.dll
2009-02-04 02:43	45,056	----a-w	c:\windows\system32\aticalrt.dll
2009-02-04 02:42	45,056	----a-w	c:\windows\system32\aticalcl.dll
2009-02-04 02:40	3,244,032	----a-w	c:\windows\system32\aticaldd.dll
2009-02-03 18:05	593,920	------w	c:\windows\system32\ati2sgag.exe
2008-09-28 17:14	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE" [2003-09-11 99840]
"MOD"="c:\program files\Microangelo\muamgr.exe" [2002-05-29 73728]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-02 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\⮭ 㫠\ \ணࠬ\⮧㧪\
QuickTV.lnk - c:\program files\AVerTV\QuickTV.exe [2004-02-18 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 18:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashGet]
--a------ 2006-09-08 13:56 1400832 c:\program files\FlashGet\flashget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerOff]
--a------ 2006-05-15 09:19 485376 d:\\\PowerOff 53-22 beta R\PowerOff 53-22 beta R.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 03:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\DC++\\StrongDC.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\WebMoney\\WebMoney.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\vlc.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"d:\\Games\\NHL 09\\NHL 09.exe"=
"d:\\Games\\NHL 09\\NHL09.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R1 uzmzntuz;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzmzntuz.sys [2009-04-03 11264]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [2007-09-24 566560]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-03-25 24592]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2008-08-31 35008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b926257a-8d83-11dd-8700-0013d4b35b8f}]
\Shell\AutoRun\command - autorun.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-RaidTool - c:\program files\VIA\RAID\raid_tool.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-wmagent - c:\program files\WebMoney Agent\wmagent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ru/
uInternet Settings,ProxyOverride = *.local
IE: &  Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE:     FlashGet - c:\program files\FlashGet\jc_all.htm
IE:    FlashGet - c:\program files\FlashGet\jc_link.htm
TCP: {9C868D22-8D0E-40A8-B1A6-31F03951751E} = 213.150.64.12 213.150.65.122
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 21:03:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\matlab701\bin\win32\MATLAB.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-03 21:09:48 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-03 17:09:39

Pre-Run: 9853149184  
Post-Run: 9,795,391,488  

WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect

206
