ComboFix 09-04-04.01 -  2009-04-09 17:17:50.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1251.1.1049.18.1015.682 [GMT 4:00]
Running from: c:\documents and settings\\ \ComboFix.exe
Command switches used :: c:\documents and settings\\ \WindowsXP-KB310994-SP2-Home-BootDisk-RUS.exe
FW: Outpost Firewall Pro *disabled*
 * Created a new restore point
.
[color=purple]The following files were disabled during the run:[/color]
c:\program files\Agnitum\Outpost Firewall\wl_hook.dll


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\tmp21.tmp
c:\windows\system32\tmp22.tmp
c:\windows\system32\tmp90.tmp
c:\windows\system32\tmp91.tmp

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


(((((((((((((((((((((((((   Files Created from 2009-03-09 to 2009-04-09  )))))))))))))))))))))))))))))))
.

2009-04-09 11:14 . 2009-04-09 11:14	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-04-09 11:14 . 2009-04-09 11:14	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 11:14 . 2009-04-09 11:14	<DIR>	d--------	c:\documents and settings\\Application Data\Malwarebytes
2009-04-09 11:14 . 2009-01-04 18:38	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 11:14 . 2009-01-04 18:38	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-04-09 10:46 . 2009-04-09 10:46	23,927	--a------	c:\documents and settings\catchme.zip
2009-04-09 10:44 . 2009-04-09 10:44	<DIR>	d--------	c:\windows\ERUNT
2009-04-08 12:20 . 2009-04-08 12:27	11,264	--a------	c:\windows\system32\drivers\uzi4mty3.sys
2009-04-03 14:32 . 2009-04-03 14:32	<DIR>	d--------	c:\program files\K-Lite Codec Pack
2009-04-03 14:32 . 2007-01-30 06:03	3,596,288	--a------	c:\windows\system32\qt-dx331.dll
2009-04-03 14:32 . 2007-01-20 21:26	1,565,480	--a------	c:\windows\system32\wmv9vcm.dll
2009-04-03 14:32 . 2007-01-30 06:03	1,044,480	--a------	c:\windows\system32\libdivx.dll
2009-04-03 14:32 . 2006-11-01 14:52	765,952	--a------	c:\windows\system32\xvidcore.dll
2009-04-03 14:32 . 2007-02-01 05:56	639,066	--a------	c:\windows\system32\divx.dll
2009-04-03 14:32 . 2007-01-30 06:03	200,704	--a------	c:\windows\system32\ssldivx.dll
2009-04-03 14:32 . 2007-01-30 05:56	196,608	--a------	c:\windows\system32\dtu100.dll
2009-04-03 14:32 . 2006-11-01 14:54	180,224	--a------	c:\windows\system32\xvidvfw.dll
2009-04-03 14:32 . 2006-05-13 23:16	118,784	--a------	c:\windows\system32\ac3acm.acm
2009-04-03 14:32 . 2007-01-30 05:56	73,728	--a------	c:\windows\system32\dpl100.dll
2009-04-03 14:32 . 2007-01-09 18:46	10,752	--a------	c:\windows\system32\ff_vfw.dll
2009-04-03 14:32 . 2005-02-24 18:56	547	--a------	c:\windows\system32\ff_vfw.dll.manifest
2009-03-23 18:50 . 2009-03-23 18:50	<DIR>	d--------	c:\documents and settings\\DoctorWeb
2009-03-23 18:50 . 2009-03-23 18:50	<DIR>	d--------	c:\documents and settings\\DoctorWeb
2009-03-09 09:58 . 2009-03-09 09:58	42	--a------	c:\windows\Best MP3.pls
2009-03-09 09:56 . 2009-03-09 09:56	42	--a------	c:\windows\mdv736.pls

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 13:13	---------	d-----w	c:\documents and settings\\Application Data\OpenOffice.org2
2009-04-08 14:06	---------	d-----w	c:\program files\Eset
2009-04-03 11:33	---------	d-----w	c:\program files\Light Alloy
2009-03-19 09:12	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-03-19 09:11	---------	d-----w	c:\program files\SoftLogica
2009-02-18 07:12	---------	d-----w	c:\program files\Common Files\NalogoplUL410
2009-02-18 07:12	---------	d-----w	c:\program files\
2009-02-13 08:52	---------	d-----w	c:\documents and settings\\Application Data\Super-Cow
.

------- Sigcheck -------

2006-03-02 16:00  359040  1745b00fc1141404b28f4b94f69a8871	c:\windows\system32\dllcache\tcpip.sys
2006-03-02 16:00  359040  1745b00fc1141404b28f4b94f69a8871	c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2007-01-19 94720]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2007-01-23 335872]
"SDFix"="d:\antivir\SDFix\SDFix\RunThis.bat" [2008-11-06 964661]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"= c_810927.nls
"mixer2"= c_810927.nls
"midi2"= c_810927.nls
"midi1"= c_810927.nls
"wave2"= c_810927.nls
"aux2"= c_810927.nls
"mixer1"= c_810927.nls
"46810958"= 41303838443945392d443638362d343339372d394441322d443546334232464646463946
"46810947"= 7a5bbe42cfb658dad038cb25cdf6fe3323b9a2d911ed511dac2ef23c288709af60830e4b6fcd15c8a83499b1f9386f552c20ca945f8f0038830dae613d133ceffb4e5f3aafe250635f2df44bd08cb9ce44a4c932413f1742b7bc5310b38a477476a43080c623caf3e483de28cbbdf272a8047b39fc6b52a134dde2ad093d879adb0674381975577c32cf76c3ac6a3a3084849d02dac089a7e8a9dc9b972bfb7fefef45142f71fd0605eb87983db3b9332846eccacfdc9aa582b29a24495d199da60856fcdb8b2c6af8c6459be75aba8f849df86caa08a7cc2df72fef03412f67782d77780ebb0bce6e889cf089ff8954a60fa01af7a7f68f6b10a92ddcb845afaf47e4e987a0a918d21965fe604fdbf7d59f5dc1422c9796b53d5ec755492d5a333a9032b526d37c511b815792aaf84e8e468a6ca501e88d1ea38d06e59f4d864f707f60dbe4296da29612569efc31dd2fc0865778a0435d11e52432ea5608201f2e776efa2f8804c7e037fbbd8c81f30a90cecd73ba8d698df48c6a75346d36920c1faf45d03bdb925b5d1b73521b0e00
"46810977"= 333832333464623338323334646233383233346462
"46810957"= 333832333464623338323334646233383233346462
"wave1"= c_810927.nls

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ ^^^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\ \\\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ ^^^HP LaserJet Director.lnk]
path=c:\documents and settings\All Users\ \\\HP LaserJet Director.lnk
backup=c:\windows\pss\HP LaserJet Director.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ ^^^  .lnk]
path=c:\documents and settings\All Users\ \\\  .lnk
backup=c:\windows\pss\  .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^ ^^^  Canon LASER SHOT LBP-1120.LNK]
path=c:\documents and settings\All Users\ \\\  Canon LASER SHOT LBP-1120.LNK
backup=c:\windows\pss\  Canon LASER SHOT LBP-1120.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^^ ^^^QuickTV.lnk]
path=c:\documents and settings\\ \\\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAP3ON]
--a------ 2002-07-29 19:00 22528 c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-03-02 16:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2007-11-08 11:56 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
--a------ 2002-04-22 12:57 90112 c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
--a------ 2002-04-22 12:56 94208 c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2007-11-08 11:56 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-17 16:17 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 2007-11-08 11:56 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 14:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-10-25 07:57 16855552 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-10-11 07:04 1826816 c:\windows\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SandBox;Outpost Firewall Sandbox Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\SandBox.sys [2008-07-17 329928]
R1 uzi4mty3;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzi4mty3.sys [2009-04-08 11264]
R1 VFILT;Outpost Firewall Kernel Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\filtnt.sys [2008-07-17 163328]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2008-07-17 25216]
S2 AudioSrvRpcLocator;Windows Audio AudioSrvRpcLocator; srv -->  srv [?]
S2 Microsoft Memory Driver;Microsoft Memory Driver;"c:\windows\iedr.exe" --> c:\windows\iedr.exe [?]
S2 RSVPMSDTC;QoS RSVP RSVPMSDTC; srv -->  srv [?]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\adblock.dll [2008-07-17 33568]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\arp.dll [2008-07-17 17408]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-07-16 30720]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\content.dll [2008-07-17 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\dnscache.dll [2008-07-17 14464]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\ftpfilt.dll [2008-07-17 9248]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\htmlfilt.dll [2008-07-17 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\httpfilt.dll [2008-07-17 13216]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\imapfilt.dll [2008-07-17 7168]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\mailfilt.dll [2008-07-17 14880]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\nntpfilt.dll [2008-07-17 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\pop3filt.dll [2008-07-17 10048]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\protect.dll [2008-07-17 15200]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\secret.dll [2008-07-17 12928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf20470-e397-11dd-a401-001fc6373e0a}]
\Shell\open\Command - rundll32.exe .\\cpmsnap.dll,InstallM
.
- - - - ORPHANS REMOVED - - - -

BHO-{07F4238E-96CD-483D-A49D-DDE509575BDD} - c:\windows\system32\cabine.dll
SafeBoot-ati0pvxx.sys
SafeBoot-ati0sxxx.sys
SafeBoot-ati1joxx.sys
SafeBoot-ati2puxx.sys
SafeBoot-ati5otxx.sys
SafeBoot-ati7joxx.sys
SafeBoot-ati8joxx.sys
SafeBoot-Ekq85.sys
SafeBoot-Winag63.sys
SafeBoot-Winbh84.sys
SafeBoot-Winci41.sys
SafeBoot-Winci74.sys
SafeBoot-Windj41.sys
SafeBoot-Windk85.sys
SafeBoot-Winho74.sys
SafeBoot-Winjp30.sys
SafeBoot-Winlr06.sys
SafeBoot-Winlr28.sys
SafeBoot-Winls84.sys
SafeBoot-Winpv30.sys
SafeBoot-Winqw41.sys
SafeBoot-Winrx41.sys
SafeBoot-Winub74.sys
SafeBoot-Winvc52.sys
SafeBoot-Winwd30.sys
SafeBoot-Winxe73.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ya.ru/
IE:     FlashGet - d:\program files\FlashGet\jc_all.htm
IE:    FlashGet - d:\program files\FlashGet\jc_link.htm
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 17:22:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\program files\Agnitum\Outpost Firewall\wl_hook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CAP3RSK.EXE
c:\windows\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
c:\windows\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
c:\windows\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
c:\windows\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-09 17:23:32 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-09 13:23:29

Pre-Run: 7355195392  
Post-Run: 7,329,538,048  

WindowsXP-KB310994-SP2-Home-BootDisk-RUS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition RU" /noexecute=optin /fastdetect

225
