Infected with MultiPacked.Multi.Generic Malware!

  #1  
Old 23rd Jun 2009, 10:38
Member Group
 
Posts: 27

I recently downloaded a theme application. Upon installation, Kaspersky prompted an alert saying the computer is infected with MultiPacked.Multi.Generic malware. My Kaspersky stopped working and my Windows theme is gone - I'm stuck with Windows Classic. Help please!
  #2  
Old 23rd Jun 2009, 11:25
Moderator Group
 
Skill Level: Advanced
Posts: 7,136

Try getting me any of the logs you can from here. http://www.computer-juice.com/forums...-posting-7476/

  #3  
Old 24th Jun 2009, 11:44
Moderator Group
 
Skill Level: Advanced
Posts: 7,136

Looks like the forums had a glitch. Please post these DDS logs.

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

* Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
* XP users: double-click on dds to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
* When finished, DDS will open two (2) logs:

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

  #4  
Old 24th Jun 2009, 13:55
Member Group
 
Posts: 27

DDS (Ver_09-05-14.01) - NTFSx86
Run by Mouse at 16:53:23.36 on Wed 06/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1294 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Mouse\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://portal.apogentech.com/vdesk/terminal/InstallerControl.cab
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://portal.apogentech.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,0904,1939
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://portal.apogentech.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2008,0904,1947
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 klif;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-4-18 213520]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-5-12 14592]
R2 avp;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe -r --> c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe -r [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-7 24652]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 9968]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [2009-4-5 11808]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;c:\windows\system32\drivers\IlvMoney1215.sys [2008-8-21 30080]

=============== Created Last 30 ================

2009-06-17 13:58 <DIR> --d----- c:\program files\LSoft Technologies
2009-06-13 12:32 <DIR> --d----- c:\program files\iPod
2009-06-13 12:32 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================


============= FINISH: 16:54:12.42 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/12/2008 2:38:20 PM
System Uptime: 6/24/2009 12:33:35 PM (4 hours ago)

Motherboard: http://www.abit.com.tw/ | | IP35 PRO(P35+ICH9R)
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 775 | 3024/216mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 60.146 GiB free.
D: is FIXED (NTFS) - 69 GiB total, 60.479 GiB free.
E: is CDROM (CDFS)
F: is CDROM (CDFS)
G: is FIXED (NTFS) - 245 GiB total, 138.326 GiB free.
H: is CDROM ()
I: is CDROM ()
J: is CDROM ()
K: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_1083147B&REV_10\4&BB29FA6&0&00F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC #3
PNP Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_1083147B&REV_10\4&BB29FA6&0&00F0
Service: RTL8023xp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: MAC Bridge Miniport
Device ID: ROOT\MS_BRIDGEMP\0000
Manufacturer: Microsoft
Name: MAC Bridge Miniport
PNP Device ID: ROOT\MS_BRIDGEMP\0000
Service: BridgeMP

==== System Restore Points ===================

RP202: 3/26/2009 6:14:01 PM - System Checkpoint
RP203: 3/27/2009 9:06:08 PM - System Checkpoint
RP204: 3/30/2009 12:43:20 PM - System Checkpoint
RP205: 4/1/2009 5:11:23 PM - System Checkpoint
RP206: 4/3/2009 3:31:49 PM - System Checkpoint
RP207: 4/6/2009 11:30:33 AM - System Checkpoint
RP208: 4/8/2009 1:48:55 AM - Removed MapleStory GL.
RP209: 4/8/2009 1:49:05 AM - Installed MapleStory.
RP210: 4/8/2009 2:00:33 AM - Removed MapleStory.
RP211: 4/8/2009 2:12:11 AM - Installed MapleStory.
RP212: 4/9/2009 1:53:58 PM - System Checkpoint
RP213: 4/11/2009 6:22:36 AM - System Checkpoint
RP214: 4/14/2009 11:18:28 AM - System Checkpoint
RP215: 4/15/2009 5:50:23 PM - Software Distribution Service 3.0
RP216: 4/18/2009 1:32:37 AM - System Checkpoint
RP217: 4/21/2009 2:37:36 PM - System Checkpoint
RP218: 4/22/2009 5:07:27 PM - System Checkpoint
RP219: 4/24/2009 2:41:28 PM - System Checkpoint
RP220: 4/25/2009 10:07:27 PM - System Checkpoint
RP221: 4/28/2009 6:48:10 AM - Installed Java(TM) 6 Update 13
RP222: 5/2/2009 7:23:06 PM - System Checkpoint
RP223: 5/3/2009 11:36:18 PM - System Checkpoint
RP224: 5/5/2009 2:29:10 PM - System Checkpoint
RP225: 5/6/2009 8:29:33 PM - System Checkpoint
RP226: 5/7/2009 3:00:17 AM - Software Distribution Service 3.0
RP227: 5/7/2009 11:16:03 AM - Installed Windows XP WgaNotify.
RP228: 5/9/2009 11:12:42 AM - System Checkpoint
RP229: 5/10/2009 5:10:12 PM - System Checkpoint
RP230: 5/11/2009 9:02:07 PM - System Checkpoint
RP231: 5/13/2009 12:26:07 AM - Software Distribution Service 3.0
RP232: 5/14/2009 2:28:00 PM - Removed ZU-ONLINE
RP233: 5/15/2009 2:47:49 PM - System Checkpoint
RP234: 5/17/2009 1:28:31 AM - System Checkpoint
RP235: 5/17/2009 4:58:00 PM - Installed LG USB Modem driver
RP236: 5/19/2009 11:34:48 AM - System Checkpoint
RP237: 5/20/2009 12:47:48 PM - System Checkpoint
RP238: 5/23/2009 10:08:08 AM - System Checkpoint
RP239: 6/1/2009 10:03:10 AM - System Checkpoint
RP240: 6/2/2009 10:03:30 AM - System Checkpoint
RP241: 6/3/2009 11:47:56 AM - System Checkpoint
RP242: 6/5/2009 11:10:53 PM - System Checkpoint
RP243: 6/7/2009 2:46:24 PM - System Checkpoint
RP244: 6/9/2009 11:32:41 AM - System Checkpoint
RP245: 6/10/2009 5:52:30 PM - System Checkpoint
RP246: 6/10/2009 11:00:09 PM - Software Distribution Service 3.0
RP247: 6/12/2009 12:14:34 PM - System Checkpoint
RP248: 6/13/2009 1:12:33 PM - System Checkpoint
RP249: 6/14/2009 9:20:14 PM - System Checkpoint
RP250: 6/15/2009 9:53:46 PM - System Checkpoint
RP251: 6/17/2009 12:27:01 AM - System Checkpoint
RP252: 6/21/2009 7:28:06 PM - System Checkpoint
RP253: 6/22/2009 8:08:50 PM - System Checkpoint
RP254: 6/23/2009 2:54:41 PM - Removed Garmin City Navigator North America NT 2009 Update
RP255: 6/23/2009 2:58:20 PM - Removed palmOne
RP256: 6/24/2009 3:58:18 PM - System Checkpoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========


==== End Of File ===========================
  #5  
Old 24th Jun 2009, 14:05
Moderator Group
 
Skill Level: Advanced
Posts: 7,136

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
uInternet Settings,ProxyOverride = *.local
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll

Driver::
Viewpoint Manager Service

Folder::
c:\program files\viewpoint

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

  #6  
Old 25th Jun 2009, 08:45
Member Group
 
Posts: 27

ComboFix 09-06-23.01 - Mouse 06/24/2009 17:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1452 [GMT -4:00]
Running from: c:\documents and settings\Mouse\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mouse\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\viewpoint
c:\recycler\S-1-5-21-1957994488-1801674531-1177238915-1004
c:\recycler\S-1-5-21-789336058-2025429265-1644491937-1003
c:\windows\system32\drivers\kl1.sys
c:\program files\messenger\msmsgs.exe
c:\program files\viewpoint\Common\ViewpointService.exe
c:\program files\viewpoint\Common\VistaBoot.sdll
c:\program files\viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\viewpoint\Viewpoint Media Player\ComponentMgr.dll
c:\program files\viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\VETScriptInterpreter.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll
c:\program files\viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
c:\program files\viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\viewpoint\Viewpoint Media Player\npViewpoint.xpt
c:\recycler\S-1-5-21-1957994488-1801674531-1177238915-1004\desktop.ini
c:\recycler\S-1-5-21-1957994488-1801674531-1177238915-1004\INFO2
c:\recycler\S-1-5-21-789336058-2025429265-1644491937-1003\desktop.ini
c:\recycler\S-1-5-21-789336058-2025429265-1644491937-1003\INFO2
c:\windows\emMON.exe
c:\windows\system32\Codecs\7zAES.dll
c:\windows\system32\Codecs\AES.dll
c:\windows\system32\Codecs\Branch.dll
c:\windows\system32\Codecs\BZip2.dll
c:\windows\system32\Codecs\Copy.dll
c:\windows\system32\Codecs\Deflate.dll
c:\windows\system32\Codecs\LZMA.dll
c:\windows\system32\Codecs\PPMd.dll
c:\windows\system32\Codecs\Rar29.dll
c:\windows\system32\Codecs\Swap.dll
c:\windows\system32\drivers\ctoss2k.sys
c:\windows\system32\Formats\7z.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILVMONEYDRIVER53
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_IlvMoneyDRIVER53
-------\Service_Viewpoint Manager Service
-------\Legacy_ossrv
-------\Service_ossrv


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 18:47 . 2009-06-24 16:37 117760 ----a-w- c:\documents and settings\Mouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-17 17:58 . 2009-06-17 18:10 -------- d-----w- c:\program files\LSoft Technologies
2009-06-13 16:32 . 2009-06-13 16:32 -------- d-----w- c:\program files\iPod
2009-06-13 16:32 . 2009-06-13 16:32 -------- d-----w- c:\program files\iTunes
2009-06-13 16:28 . 2009-06-13 16:29 -------- d-----w- c:\program files\QuickTime
2009-06-13 16:23 . 2009-06-13 16:23 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 23:14 . 2001-08-18 02:36 462848 -c--a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-06-10 23:14 . 2001-08-18 02:36 462848 ----a-w- c:\windows\system32\a3dapi.dll
2009-06-10 23:13 . 2009-06-11 07:20 -------- d-----w- C:\Descent3
2009-06-10 23:13 . 2009-06-10 23:13 -------- d-----w- C:\Games
2009-06-10 20:13 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-06-10 20:13 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 23:25 . 2008-05-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-24 21:26 . 2008-05-16 03:35 761888 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-24 21:26 . 2008-05-16 03:35 64388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-24 21:26 . 2008-05-16 03:35 4571424 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-24 21:26 . 2008-05-16 03:35 29696 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-24 21:09 . 2008-05-17 00:25 -------- d-----w- c:\documents and settings\Mouse\Application Data\LimeWire
2009-06-24 16:37 . 2008-05-19 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 19:00 . 2008-10-16 02:40 -------- d-----w- c:\program files\Pando Networks
2009-06-23 18:59 . 2008-11-29 18:36 -------- d-----w- c:\program files\palmOne
2009-06-21 23:00 . 2009-02-09 03:50 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-21 23:00 . 2009-02-09 03:50 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-18 22:35 . 2008-06-17 15:40 -------- d-----w- c:\program files\Diablo II
2009-06-18 22:31 . 2008-06-02 00:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 22:51 . 2008-05-15 04:41 -------- d-----w- c:\documents and settings\Mouse\Application Data\uTorrent
2009-06-13 16:32 . 2008-08-19 04:10 -------- d-----w- c:\program files\Common Files\Apple
2009-05-20 16:16 . 2008-05-16 03:36 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-20 16:16 . 2008-05-16 03:36 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-17 20:58 . 2009-05-17 20:58 -------- d-----w- c:\program files\LG Electronics
2009-05-17 20:58 . 2008-05-12 09:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-17 20:57 . 2008-05-12 09:20 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2008-05-16 21:18 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-28 10:48 . 2008-05-17 00:24 -------- d-----w- c:\program files\Java
2009-04-28 10:47 . 2009-04-28 10:47 152576 ----a-w- c:\documents and settings\Mouse\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-26 01:13 . 2009-04-26 00:43 -------- d-----w- c:\documents and settings\Mouse\Application Data\Move Networks
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-08 06:13 . 2009-04-08 06:13 45056 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-04-08 06:13 . 2009-04-08 06:13 45056 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-04-08 06:13 . 2009-04-08 06:13 10134 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-04-05 23:39 . 2008-05-16 02:24 23032 ----a-w- c:\documents and settings\Mouse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 23:27 . 2009-04-05 23:28 5433520 ----a-w- c:\windows\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 122880]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-05 201992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-21 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-02-21 19968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-01 04:29 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"MDM"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npkcmsvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo 2
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"58398:TCP"= 58398:TCP:Pando Media Booster
"58398:UDP"= 58398:UDP:Pando Media Booster

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [5/12/2008 5:23 AM 14592]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/2007 1:28 PM 24592]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [4/5/2009 7:02 PM 11808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-24 c:\windows\Tasks\Malwarebytes' Anti-Malware.job
- c:\progra~1\MALWAR~1\mbam.exe [2008-05-19 00:52]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4 B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00 ,eb,16,2b,de,ff,66,8f,81,d1,
34,d2,d9,c8,28,51,af,b0,29,a3,98,a9,c3,a8,8a,5e,d3 ,39,87,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98 A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66 ,8b,46,0d,96,c2,c2,dc,e4,a8,
65,45,2e,71,3b,04,66,8b,46,0d,96,21,7c,aa,e9,a8,42 ,2f,c4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373F B-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e ,55,20,c9,26,eb,a7,df,4d,25,
c2,62,83,25,da,ec,7e,55,20,c9,26,a3,f2,65,ed,80,3e ,e4,f6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CC D-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0 ,57,5a,93,61,f2,a1,b4,61,82,
bb,ab,d5,3e,1e,9e,e0,57,5a,93,61,6f,0e,5c,ae,ec,4f ,e7,8d,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F 9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9 ,a6,33,6c,cd,91,d7,7a,29,97,
c7,40,4b,cd,44,cd,b9,a6,33,6c,cd,49,19,95,11,6f,ac ,43,68,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E 8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62 ,78,6b,cf,c8,7e,4a,d5,24,8d,
3a,49,c4,b0,18,ed,a7,3f,8d,37,a4,29,b5,53,9a,d3,4a ,02,51,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30 B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba ,b1,f8,68,02,09,d4,0b,f3,53,
bc,62,26,31,77,e1,ba,b1,f8,68,02,77,c3,de,c6,98,79 ,54,2c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654C A-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc ,e8,04,4a,f1,df,00,d5,43,ff,
f8,0f,f3,83,6c,56,8b,a0,85,96,ab,d5,19,39,90,da,30 ,2a,05,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E 8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58 ,98,5b,89,c9,6a,ea,f8,c4,82,
1a,7f,d8,51,fa,6e,91,28,9e,14,cc,82,ac,7a,83,eb,90 ,81,c6,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE 5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26 ,2d,45,aa,78,0b,ba,41,78,8a,
c9,90,04,b1,cd,45,5a,a8,c4,f8,b9,6b,c6,a2,44,8d,59 ,a6,f5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02AD D-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5 ,b9,7f,41,e7,5d,45,06,19,5e,
30,20,e6,e3,0e,66,d5,eb,bc,2f,6b,e1,69,31,ac,dd,ba ,7f,02,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE 2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f ,d4,3b,6b,70,a5,97,0a,6e,8a,
cf,52,73,fa,ea,66,7f,d4,3b,6b,70,30,24,ea,79,a1,7b ,08,64,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Installer\UserData\LocalSystem\Componen ts\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTxfispi.exe
.
**************************************************************************
.
Completion time: 2009-06-24 19:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 23:29
ComboFix2.txt 2008-05-20 17:05

Pre-Run: 65,511,231,488 bytes free
Post-Run: 67,799,437,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
335 --- E O F --- 2009-06-11 03:03
  #7  
Old 25th Jun 2009, 09:58
Moderator Group
 
Skill Level: Advanced
Posts: 7,136

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4  B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98  A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373F  B-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CC  D-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F  9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E  8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30  B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654C  A-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E  8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE  5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02AD  D-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE  2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr  entVersion\Installer\UserData\LocalSystem\Componen  ts\h–€|ÿÿÿÿ¤•€|ù•A~*]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Also let me know how the computer is running now.

.
__________________

  #8  
Old 25th Jun 2009, 16:17
Member Group
 
Posts: 27

ComboFix 09-06-23.01 - Mouse 06/25/2009 19:04.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1597 [GMT -4:00]
Running from: c:\documents and settings\Mouse\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mouse\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kl1.sys

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-24 23:28 . 2009-06-24 23:28 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 18:47 . 2009-06-24 16:37 117760 ----a-w- c:\documents and settings\Mouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-17 17:58 . 2009-06-17 18:10 -------- d-----w- c:\program files\LSoft Technologies
2009-06-13 16:32 . 2009-06-13 16:32 -------- d-----w- c:\program files\iPod
2009-06-13 16:32 . 2009-06-13 16:32 -------- d-----w- c:\program files\iTunes
2009-06-13 16:28 . 2009-06-13 16:29 -------- d-----w- c:\program files\QuickTime
2009-06-13 16:23 . 2009-06-13 16:23 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 23:14 . 2001-08-18 02:36 462848 -c--a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-06-10 23:14 . 2001-08-18 02:36 462848 ----a-w- c:\windows\system32\a3dapi.dll
2009-06-10 23:13 . 2009-06-11 07:20 -------- d-----w- C:\Descent3
2009-06-10 23:13 . 2009-06-10 23:13 -------- d-----w- C:\Games
2009-06-10 20:13 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-06-10 20:13 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 23:11 . 2008-05-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-25 23:09 . 2008-05-16 03:35 761888 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-25 23:09 . 2008-05-16 03:35 64388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-25 23:09 . 2008-05-16 03:35 4571424 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-25 23:09 . 2008-05-16 03:35 29696 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-24 23:59 . 2008-01-29 22:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-06-24 23:59 . 2009-02-05 00:58 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\klbg.sys
2009-06-24 23:59 . 2008-05-16 03:36 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-24 23:59 . 2008-05-16 03:36 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-24 23:59 . 2008-07-17 23:08 213520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\XP\klif.sys
2009-06-24 23:59 . 2008-07-17 23:08 861448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\updater.dll
2009-06-24 21:09 . 2008-05-17 00:25 -------- d-----w- c:\documents and settings\Mouse\Application Data\LimeWire
2009-06-24 16:37 . 2008-05-19 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 19:00 . 2008-10-16 02:40 -------- d-----w- c:\program files\Pando Networks
2009-06-23 18:59 . 2008-11-29 18:36 -------- d-----w- c:\program files\palmOne
2009-06-21 23:00 . 2009-02-09 03:50 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-21 23:00 . 2009-02-09 03:50 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-18 22:35 . 2008-06-17 15:40 -------- d-----w- c:\program files\Diablo II
2009-06-18 22:31 . 2008-06-02 00:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 22:51 . 2008-05-15 04:41 -------- d-----w- c:\documents and settings\Mouse\Application Data\uTorrent
2009-06-13 16:32 . 2008-08-19 04:10 -------- d-----w- c:\program files\Common Files\Apple
2009-05-17 20:58 . 2009-05-17 20:58 -------- d-----w- c:\program files\LG Electronics
2009-05-17 20:58 . 2008-05-12 09:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-17 20:57 . 2008-05-12 09:20 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2008-05-16 21:18 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-28 10:48 . 2008-05-17 00:24 -------- d-----w- c:\program files\Java
2009-04-28 10:47 . 2009-04-28 10:47 152576 ----a-w- c:\documents and settings\Mouse\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-08 06:13 . 2009-04-08 06:13 45056 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-04-08 06:13 . 2009-04-08 06:13 45056 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-04-08 06:13 . 2009-04-08 06:13 10134 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-04-05 23:39 . 2008-05-16 02:24 23032 ----a-w- c:\documents and settings\Mouse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 23:27 . 2009-04-05 23:28 5433520 ----a-w- c:\windows\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-24_23.25.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 00:07 . 2008-03-26 00:07 24592 c:\windows\system32\drivers\klim5.sys
- 2007-12-13 17:28 . 2008-03-26 00:07 24592 c:\windows\system32\drivers\klim5.sys
+ 2009-06-24 23:28 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-24 23:28 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-24 23:28 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-24 23:28 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
- 2008-04-18 17:53 . 2009-02-05 00:58 213520 c:\windows\system32\drivers\klif.sys
+ 2008-04-18 17:53 . 2009-06-24 23:59 213520 c:\windows\system32\drivers\klif.sys
+ 2009-06-24 23:28 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-24 23:28 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-24 23:28 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-24 23:28 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-24 23:28 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-24 23:28 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-24 23:28 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-24 23:28 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 122880]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-05 201992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-21 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-02-21 19968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-01 04:29 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"MDM"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npkcmsvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo 2
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"58398:TCP"= 58398:TCP:Pando Media Booster
"58398:UDP"= 58398:UDP:Pando Media Booster

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [5/12/2008 5:23 AM 14592]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/25/2008 8:07 PM 24592]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [4/5/2009 7:02 PM 11808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-25 c:\windows\Tasks\Malwarebytes' Anti-Malware.job
- c:\progra~1\MALWAR~1\mbam.exe [2008-05-19 00:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 19:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4 B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00 ,eb,16,2b,de,ff,66,8f,81,d1,
34,d2,d9,c8,28,51,af,b0,29,a3,98,a9,c3,a8,8a,5e,d3 ,39,87,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98 A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66 ,8b,46,0d,96,c2,c2,dc,e4,a8,
65,45,2e,71,3b,04,66,8b,46,0d,96,21,7c,aa,e9,a8,42 ,2f,c4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373F B-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e ,55,20,c9,26,eb,a7,df,4d,25,
c2,62,83,25,da,ec,7e,55,20,c9,26,a3,f2,65,ed,80,3e ,e4,f6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CC D-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0 ,57,5a,93,61,f2,a1,b4,61,82,
bb,ab,d5,3e,1e,9e,e0,57,5a,93,61,6f,0e,5c,ae,ec,4f ,e7,8d,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F 9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9 ,a6,33,6c,cd,91,d7,7a,29,97,
c7,40,4b,cd,44,cd,b9,a6,33,6c,cd,49,19,95,11,6f,ac ,43,68,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E 8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62 ,78,6b,cf,c8,7e,4a,d5,24,8d,
3a,49,c4,b0,18,ed,a7,3f,8d,37,a4,29,b5,53,9a,d3,4a ,02,51,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30 B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba ,b1,f8,68,02,09,d4,0b,f3,53,
bc,62,26,31,77,e1,ba,b1,f8,68,02,77,c3,de,c6,98,79 ,54,2c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654C A-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc ,e8,04,4a,f1,df,00,d5,43,ff,
f8,0f,f3,83,6c,56,8b,a0,85,96,ab,d5,19,39,90,da,30 ,2a,05,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E 8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58 ,98,5b,89,c9,6a,ea,f8,c4,82,
1a,7f,d8,51,fa,6e,91,28,9e,14,cc,82,ac,7a,83,eb,90 ,81,c6,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE 5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26 ,2d,45,aa,78,0b,ba,41,78,8a,
c9,90,04,b1,cd,45,5a,a8,c4,f8,b9,6b,c6,a2,44,8d,59 ,a6,f5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02AD D-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5 ,b9,7f,41,e7,5d,45,06,19,5e,
30,20,e6,e3,0e,66,d5,eb,bc,2f,6b,e1,69,31,ac,dd,ba ,7f,02,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE 2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f ,d4,3b,6b,70,a5,97,0a,6e,8a,
cf,52,73,fa,ea,66,7f,d4,3b,6b,70,30,24,ea,79,a1,7b ,08,64,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Installer\UserData\LocalSystem\Componen ts\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(212)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\rundll32.exe
c:\program files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\CTxfispi.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-25 19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 23:14
ComboFix2.txt 2009-06-24 23:29
ComboFix3.txt 2008-05-20 17:05

Pre-Run: 67,819,319,296 bytes free
Post-Run: 67,883,995,136 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
310 --- E O F --- 2009-06-11 03:03
  #9  
Old 25th Jun 2009, 18:13
Moderator Group
 
Skill Level: Advanced
Posts: 7,136

Sorry, I overlooked something.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
 
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

----------

Also let me know how the computer is running now.

.
__________________

  #10  
Old 26th Jun 2009, 00:59
Member Group
 
Posts: 27
Default Infected with MultiPacked.Multi.Generic Malware!

ComboFix 09-06-23.01 - Mouse 06/26/2009 3:47.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1564 [GMT -4:00]
Running from: c:\documents and settings\Mouse\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mouse\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kl1.sys

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-24 23:28 . 2009-06-24 23:28 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 18:47 . 2009-06-24 16:37 117760 ----a-w- c:\documents and settings\Mouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-17 17:58 . 2009-06-17 18:10 -------- d-----w- c:\program files\LSoft Technologies
2009-06-13 16:32 . 2009-06-13 16:32 -------- d-----w- c:\program files\iPod
2009-06-13 16:32 . 2009-06-13 16:32 -------- d-----w- c:\program files\iTunes
2009-06-13 16:28 . 2009-06-13 16:29 -------- d-----w- c:\program files\QuickTime
2009-06-13 16:23 . 2009-06-13 16:23 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 23:14 . 2001-08-18 02:36 462848 -c--a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-06-10 23:14 . 2001-08-18 02:36 462848 ----a-w- c:\windows\system32\a3dapi.dll
2009-06-10 23:13 . 2009-06-11 07:20 -------- d-----w- C:\Descent3
2009-06-10 23:13 . 2009-06-10 23:13 -------- d-----w- C:\Games
2009-06-10 20:13 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-06-10 20:13 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 07:54 . 2008-05-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-26 07:52 . 2008-05-16 03:35 761888 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-26 07:52 . 2008-05-16 03:35 64388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-26 07:52 . 2008-05-16 03:35 4571424 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-26 07:52 . 2008-05-16 03:35 29696 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-25 23:24 . 2008-01-29 22:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-06-25 23:24 . 2008-05-16 03:36 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-25 23:24 . 2008-05-16 03:36 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-25 23:24 . 2009-02-05 00:58 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\klbg.sys
2009-06-25 23:24 . 2008-07-17 23:08 213520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\XP\klif.sys
2009-06-25 23:24 . 2008-07-17 23:08 861448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\updater.dll
2009-06-24 21:09 . 2008-05-17 00:25 -------- d-----w- c:\documents and settings\Mouse\Application Data\LimeWire
2009-06-24 16:37 . 2008-05-19 02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 19:00 . 2008-10-16 02:40 -------- d-----w- c:\program files\Pando Networks
2009-06-23 18:59 . 2008-11-29 18:36 -------- d-----w- c:\program files\palmOne
2009-06-21 23:00 . 2009-02-09 03:50 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-21 23:00 . 2009-02-09 03:50 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-18 22:35 . 2008-06-17 15:40 -------- d-----w- c:\program files\Diablo II
2009-06-18 22:31 . 2008-06-02 00:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 22:51 . 2008-05-15 04:41 -------- d-----w- c:\documents and settings\Mouse\Application Data\uTorrent
2009-06-13 16:32 . 2008-08-19 04:10 -------- d-----w- c:\program files\Common Files\Apple
2009-05-17 20:58 . 2009-05-17 20:58 -------- d-----w- c:\program files\LG Electronics
2009-05-17 20:58 . 2008-05-12 09:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-17 20:57 . 2008-05-12 09:20 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2008-05-16 21:18 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-28 10:48 . 2008-05-17 00:24 -------- d-----w- c:\program files\Java
2009-04-28 10:47 . 2009-04-28 10:47 152576 ----a-w- c:\documents and settings\Mouse\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-08 06:13 . 2009-04-08 06:13 45056 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-04-08 06:13 . 2009-04-08 06:13 45056 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-04-08 06:13 . 2009-04-08 06:13 10134 ----a-r- c:\documents and settings\Mouse\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-04-05 23:39 . 2008-05-16 02:24 23032 ----a-w- c:\documents and settings\Mouse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 23:27 . 2009-04-05 23:28 5433520 ----a-w- c:\windows\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-24_23.25.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 00:07 . 2008-03-26 00:07 24592 c:\windows\system32\drivers\klim5.sys
- 2007-12-13 17:28 . 2008-03-26 00:07 24592 c:\windows\system32\drivers\klim5.sys
+ 2009-06-24 23:28 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-24 23:28 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-24 23:28 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-24 23:28 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
- 2008-04-18 17:53 . 2009-02-05 00:58 213520 c:\windows\system32\drivers\klif.sys
+ 2008-04-18 17:53 . 2009-06-25 23:24 213520 c:\windows\system32\drivers\klif.sys
+ 2009-06-24 23:28 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-24 23:28 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-24 23:28 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-24 23:28 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-24 23:28 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-24 23:28 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-24 23:28 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-24 23:28 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-24 23:28 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-24 23:28 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-24 23:28 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 122880]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-05 201992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-21 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-02-21 19968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-01 04:29 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"MDM"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npkcmsvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo 2
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"58398:TCP"= 58398:TCP:Pando Media Booster
"58398:UDP"= 58398:UDP:Pando Media Booster

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [5/12/2008 5:23 AM 14592]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/25/2008 8:07 PM 24592]
S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [4/5/2009 7:02 PM 11808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-26 c:\windows\Tasks\Malwarebytes' Anti-Malware.job
- c:\progra~1\MALWAR~1\mbam.exe [2008-05-19 00:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 03:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ff,66,8f,81,d1,
34,d2,d9,c8,28,51,af,b0,29,a3,98,a9,c3,a8,8a,5e,d3,39,87,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,c2,c2,dc,e4,a8,
65,45,2e,71,3b,04,66,8b,46,0d,96,21,7c,aa,e9,a8,42,2f,c4,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,eb,a7,df,4d,25,
c2,62,83,25,da,ec,7e,55,20,c9,26,a3,f2,65,ed,80,3e,e4,f6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f2,a1,b4,61,82,
bb,ab,d5,3e,1e,9e,e0,57,5a,93,61,6f,0e,5c,ae,ec,4f,e7,8d,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,91,d7,7a,29,97,
c7,40,4b,cd,44,cd,b9,a6,33,6c,cd,49,19,95,11,6f,ac,43,68,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,7e,4a,d5,24,8d,
3a,49,c4,b0,18,ed,a7,3f,8d,37,a4,29,b5,53,9a,d3,4a,02,51,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,09,d4,0b,f3,53,
bc,62,26,31,77,e1,ba,b1,f8,68,02,77,c3,de,c6,98,79,54,2c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,df,00,d5,43,ff,
f8,0f,f3,83,6c,56,8b,a0,85,96,ab,d5,19,39,90,da,30,2a,05,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6a,ea,f8,c4,82,
1a,7f,d8,51,fa,6e,91,28,9e,14,cc,82,ac,7a,83,eb,90,81,c6,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,0b,ba,41,78,8a,
c9,90,04,b1,cd,45,5a,a8,c4,f8,b9,6b,c6,a2,44,8d,59,a6,f5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,5d,45,06,19,5e,
30,20,e6,e3,0e,66,d5,eb,bc,2f,6b,e1,69,31,ac,dd,ba,7f,02,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,a5,97,0a,6e,8a,
cf,52,73,fa,ea,66,7f,d4,3b,6b,70,30,24,ea,79,a1,7b,08,64,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\klogon.dll

- - - - - - - > 'explorer.exe'(288)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\rundll32.exe
c:\program files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTxfispi.exe
.
**************************************************************************
.
Completion time: 2009-06-26 3:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 07:57
ComboFix2.txt 2009-06-25 23:14
ComboFix3.txt 2009-06-24 23:29
ComboFix4.txt 2008-05-20 17:05

Pre-Run: 67,824,807,936 bytes free
Post-Run: 67,888,648,192 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
311 --- E O F --- 2009-06-11 03:03

Copyright ©2006 - 2009 Computer Juice.