I installed ComboFix and ran the scan. I accidentally forgot to connect my external hard drive before I ran the first scan, so after the 1st one was finished, I connected my external drive and ran a second scan. Below I pasted both of the ComboFix logs and also a fresh HijackThis log.
1st ComboFix scan
ComboFix 08-05-21.3 - joes459 2008-05-25 13:50:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1920 [GMT 9:00]
Running from: C:\Documents and Settings\joes459\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\All Users\Start Menu\UUSEE~1.LNK
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM.cfg
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM0.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM1.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM2.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM3.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM4.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM5.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM6.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM7.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM8.che
C:\Documents and Settings\joes459\Local Settings\Temporary Internet Files\SKBGM9.che
C:\vl.com
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drivers\windf.hlp
C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe
C:\xaul0q8u.bat
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-24 14:30 . 2008-05-24 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 22:07 . 2008-05-22 22:07 <DIR> d-------- C:\Program Files\Network Associates
2008-05-13 11:00 . 2008-05-08 13:32 3,804 --a------ C:\WINDOWS\system32\teexcept.dat
2008-05-11 21:36 . 2008-05-11 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application ja_JP
2008-05-11 11:16 . 2008-05-11 11:16 <DIR> d-------- C:\Program Files\Cyworld Music Player
2008-05-10 17:33 . 2008-05-25 13:50 <DIR> d-------- C:\QUARANTINE
2008-05-10 17:09 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-10 17:09 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-10 17:09 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-10 17:09 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\McAfee
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\AVDistribution
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-10 17:07 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-10 17:07 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-10 16:24 . 2008-05-10 17:19 162,483 -r-hs---- C:\f6d.bat
2008-05-10 10:27 . 2008-05-10 13:31 161,329 -r-hs---- C:\sqtd.exe
2008-05-07 22:11 . 2008-05-08 11:24 161,863 -r-hs---- C:\wk.exe
2008-05-06 11:41 . 2008-05-06 11:41 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-06 11:28 . 2004-08-04 21:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-05 22:02 . 2008-05-05 22:02 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-05 22:02 . 2008-05-05 22:02 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 14:48 . 2008-05-04 14:48 1,628 --a------ C:\WINDOWS\system32\p3downasx.asx
2008-05-03 22:27 . 2008-05-13 23:00 404,649 --a------ C:\WINDOWS\system32\nperr.npl
2008-05-03 11:07 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-03 11:07 . 2001-08-17 12:11 65,278 --a--c--- C:\WINDOWS\system32\dllcache\netflx3.sys
2008-05-03 11:07 . 2001-08-17 22:36 60,480 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.dll
2008-05-03 11:07 . 2001-08-17 12:50 39,264 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.sys
2008-05-03 11:05 . 2001-08-17 13:28 797,500 --a--c--- C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-05-03 11:04 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-03 11:03 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-03 11:02 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-05-03 11:01 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-03 11:00 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-03 10:59 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-03 10:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-03 10:57 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-05-03 10:56 . 2007-02-28 18:10 2,180,352 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-05-02 23:26 . 2008-05-13 23:00 16,627 ---h----- C:\WINDOWS\system32\200805.npl
2008-04-28 22:03 . 2008-04-29 22:22 162,529 -r-hs---- C:\rxub.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 01:47 --------- d-----w C:\Program Files\QuoteTracker
2008-05-18 23:17 --------- d-----w C:\Program Files\Certiprep
2008-05-13 13:57 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-05-13 13:57 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-05-13 13:45 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-05-11 14:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-10 08:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 08:07 --------- d-----w C:\Program Files\ToToBrowser
2008-05-10 08:07 --------- d-----w C:\Program Files\SopCast
2008-05-10 08:07 --------- d-----w C:\Program Files\Real Alternative
2008-05-10 08:07 --------- d-----w C:\Program Files\QuickTime
2008-05-10 08:07 --------- d-----w C:\Program Files\Java
2008-05-10 05:11 169,109 ----a-w C:\WINDOWS\system32\drivers\scskusbs.sys
2008-05-10 05:11 11,385 ----a-w C:\WINDOWS\system32\drivers\scskusbf.sys
2008-05-06 02:41 --------- d-----w C:\Program Files\NPKI
2008-05-06 02:41 --------- d-----w C:\Program Files\INITECH
2008-05-05 13:02 --------- d-----w C:\Documents and Settings\joes459\Application Data\Skype
2008-05-05 12:59 --------- d-----w C:\Documents and Settings\joes459\Application Data\skypePM
2008-05-02 05:52 1,705,562 ----a-w C:\WINDOWS\system32\npmon.exe
2008-05-02 05:10 102,461 ----a-w C:\WINDOWS\system32\nphkapi.dll
2008-04-24 12:44 159,745 --sh--r C:\9jjh.com
2008-04-23 03:14 158,316 --sh--r C:\t2mq2a.com
2008-04-23 01:40 374,784 ----a-w C:\WINDOWS\system32\kdfinj.dll
2008-04-20 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 03:15 --------- d-----w C:\Documents and Settings\joes459\Application Data\ESTsoft
2008-04-20 02:01 73,728 ----a-w C:\WINDOWS\system32\ISP_INISafeNet.dll
2008-04-20 02:01 708,096 ----a-w C:\WINDOWS\system32\INIcrypto20.dll
2008-04-20 02:01 638,976 ----a-w C:\WINDOWS\system32\ISPPopUpDlg.exe
2008-04-20 02:01 3,137,536 ----a-w C:\WINDOWS\system32\KvpVcmd.dll
2008-04-20 02:01 28,672 ----a-w C:\WINDOWS\system32\ISP_crgen.dll
2008-04-20 02:01 233,472 ----a-w C:\WINDOWS\system32\PubCertDlg.dll
2008-04-20 02:01 154,752 ----a-w C:\WINDOWS\system32\INIWebCrypto.dll
2008-04-20 02:00 --------- d-----w C:\Program Files\INICIS
2008-04-20 00:48 --------- d-----w C:\Program Files\Common Files\AhnLab
2008-04-20 00:48 --------- d-----w C:\Program Files\AhnLab
2008-04-19 09:40 --------- d-----w C:\Program Files\Broadcom
2008-04-19 07:55 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-17 00:19 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-16 02:22 --------- d-----w C:\Program Files\Pruna
2008-04-08 01:55 --------- d-----w C:\Program Files\PowerISO
2008-04-07 04:35 953,048 ----a-w C:\WINDOWS\system32\SCSKCORE.dll
2008-04-07 01:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 09:48 --------- d-----w C:\Program Files\ESTsoft
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-05 07:48 --------- d-----w C:\Documents and Settings\joes459\Application Data\Azureus
2008-03-23 12:53 155,716 --sh--r C:\al8u.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 04:17 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-14 14:37 149,664 --sh--r C:\x8.bat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKeyWin32.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKey.dll
2008-01-17 13:19 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAEBE5F2-5E2E-11D8-A251-00D0591C1C61}]
2008-01-11 23:42 36864 --a------ C:\WINDOWS\system32\MSvcprt4.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 21:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 21:00 59392]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-10-09 10:56 147456]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 21:00 208952]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-09 12:06 419120]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 16:28 1282048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-11 09:14 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-11 09:14 162584]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 21:00 158208]
"NetClient RC Helper"="C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe" [2007-06-01 00:46 71440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^joes459^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\joes459\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 08:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
--a------ 2008-02-17 15:44 500392 C:\Program Files\Common Files\Hnc\HncUtils\HncUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 01:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kxva"=C:\WINDOWS\system32\kxvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"NetClient RC Helper"=C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncipmgr.exe"=
"C:\\WINDOWS\\system32\\skcbgm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"C:\\Program Files\\Pruna\\Pruna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncclient.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\NetChat.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\DrFtc.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\NrHost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 nrdrvnt3;nrdrvnt3;C:\WINDOWS\system32\DRIVERS\nrdrvnt3.sys [2007-06-01 00:46]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-09 12:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-09 12:05]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-09 10:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-09 10:56]
R2 NCClient Agent;NCClient Agent;C:\WINDOWS\system32\NetClient40\ncagent.exe [2003-12-07 01:44]
R2 npkcmsvc;npkcmsvc;C:\WINDOWS\system32\npkcmsvc.exe [2008-01-22 11:57]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 21:00]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-10-09 10:56]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-10-09 10:56]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-10-09 10:56]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-10-09 10:56]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-09 10:56]
R3 NCGUARD;DoctorSoft NCGuard;C:\WINDOWS\system32\DRIVERS\NCGUARD.SYS [2007-05-23 09:02]
R3 NCPMon40;NetClient Process detector;C:\WINDOWS\system32\NetClient40\NCPMon40.sys [2003-11-12 10:17]
R3 NSECU;DoctorSoft Network Secu;C:\WINDOWS\system32\DRIVERS\NSECU.SYS [2007-05-15 06:59]
S1 _ishieldA;_ishieldA;C:\WINDOWS\system32\drivers\_ishieldA.sys []
S1 _ishieldB;_ishieldB;C:\WINDOWS\system32\drivers\_ishieldB.sys []
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-10-09 10:56]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2007-10-09 10:56]
S3 ncpflt;ncpflt;C:\WINDOWS\system32\Drivers\ncpflt.sys [2007-06-15 08:11]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-17 13:17]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\oalvm.com
\Shell\explore\Command - C:\oalvm.com
\Shell\open\Command - C:\oalvm.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3712f160-d623-11dc-8a43-001d4fa4ed19}]
\Shell\AutoRun\command - G:\f6d.bat
\Shell\explore\Command - G:\f6d.bat
\Shell\open\Command - G:\f6d.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42f17b91-c1ac-11dc-89f4-001d4fa4ed19}]
\Shell\AutoRun\command - F:\6krxwx.cmd
\Shell\explore\Command - F:\6krxwx.cmd
\Shell\open\Command - F:\6krxwx.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6443b5af-c0d9-11dc-89f1-001d4fa4ed19}]
\Shell\AutoRun\command - F:\3bqqnkd.bat
\Shell\explore\Command - F:\3bqqnkd.bat
\Shell\open\Command - F:\3bqqnkd.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0d59ce8-c234-11dc-89f5-001d4fa4ed19}]
\Shell\AutoRun\command - F:\vl.com
\Shell\explore\Command - F:\vl.com
\Shell\open\Command - F:\vl.com
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 04:17:29 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-12 00:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-25 13:51:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-25 13:52:10
ComboFix-quarantined-files.txt 2008-05-25 04:52:06
Pre-Run: 3,255,758,848 bytes free
Post-Run: 3,425,402,880 bytes free
2nd ComboFix scan
ComboFix 08-05-21.3 - joes459 2008-05-25 13:56:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1916 [GMT 9:00]
Running from: C:\Documents and Settings\joes459\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\Autorun.inf
G:\xaul0q8u.bat
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-24 14:30 . 2008-05-24 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 22:07 . 2008-05-22 22:07 <DIR> d-------- C:\Program Files\Network Associates
2008-05-13 11:00 . 2008-05-08 13:32 3,804 --a------ C:\WINDOWS\system32\teexcept.dat
2008-05-11 21:36 . 2008-05-11 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application ja_JP
2008-05-11 11:16 . 2008-05-11 11:16 <DIR> d-------- C:\Program Files\Cyworld Music Player
2008-05-10 17:33 . 2008-05-25 13:56 <DIR> d-------- C:\QUARANTINE
2008-05-10 17:09 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-10 17:09 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-10 17:09 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-10 17:09 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-10 17:09 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Program Files\McAfee
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-10 17:07 . 2008-05-10 17:07 <DIR> d-------- C:\Program Files\AVDistribution
2008-05-10 17:07 . 2008-05-10 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-10 17:07 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-10 17:07 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-10 16:24 . 2008-05-10 17:19 162,483 -r-hs---- C:\f6d.bat
2008-05-10 10:27 . 2008-05-10 13:31 161,329 -r-hs---- C:\sqtd.exe
2008-05-07 22:11 . 2008-05-08 11:24 161,863 -r-hs---- C:\wk.exe
2008-05-06 11:41 . 2008-05-06 11:41 <DIR> d-------- C:\WINDOWS\Application Data
2008-05-06 11:28 . 2004-08-04 21:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-05 22:02 . 2008-05-05 22:02 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-05 22:02 . 2008-05-05 22:02 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 14:48 . 2008-05-04 14:48 1,628 --a------ C:\WINDOWS\system32\p3downasx.asx
2008-05-03 22:27 . 2008-05-13 23:00 404,649 --a------ C:\WINDOWS\system32\nperr.npl
2008-05-03 11:07 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-03 11:07 . 2001-08-17 12:11 65,278 --a--c--- C:\WINDOWS\system32\dllcache\netflx3.sys
2008-05-03 11:07 . 2001-08-17 22:36 60,480 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.dll
2008-05-03 11:07 . 2001-08-17 12:50 39,264 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.sys
2008-05-03 11:05 . 2001-08-17 13:28 797,500 --a--c--- C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-05-03 11:04 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-03 11:03 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-03 11:02 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-05-03 11:01 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-03 11:00 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-03 10:59 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-03 10:58 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-03 10:57 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-05-03 10:56 . 2007-02-28 18:10 2,180,352 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-05-02 23:26 . 2008-05-13 23:00 16,627 ---h----- C:\WINDOWS\system32\200805.npl
2008-04-28 22:03 . 2008-04-29 22:22 162,529 -r-hs---- C:\rxub.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 01:47 --------- d-----w C:\Program Files\QuoteTracker
2008-05-18 23:17 --------- d-----w C:\Program Files\Certiprep
2008-05-13 13:57 73,728 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-05-13 13:57 159,744 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-05-13 13:45 47,104 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-05-11 14:11 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-10 08:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 08:07 --------- d-----w C:\Program Files\ToToBrowser
2008-05-10 08:07 --------- d-----w C:\Program Files\SopCast
2008-05-10 08:07 --------- d-----w C:\Program Files\Real Alternative
2008-05-10 08:07 --------- d-----w C:\Program Files\QuickTime
2008-05-10 08:07 --------- d-----w C:\Program Files\Java
2008-05-10 05:11 169,109 ----a-w C:\WINDOWS\system32\drivers\scskusbs.sys
2008-05-10 05:11 11,385 ----a-w C:\WINDOWS\system32\drivers\scskusbf.sys
2008-05-06 02:41 --------- d-----w C:\Program Files\NPKI
2008-05-06 02:41 --------- d-----w C:\Program Files\INITECH
2008-05-05 13:02 --------- d-----w C:\Documents and Settings\joes459\Application Data\Skype
2008-05-05 12:59 --------- d-----w C:\Documents and Settings\joes459\Application Data\skypePM
2008-05-02 05:52 1,705,562 ----a-w C:\WINDOWS\system32\npmon.exe
2008-05-02 05:10 102,461 ----a-w C:\WINDOWS\system32\nphkapi.dll
2008-04-24 12:44 159,745 --sh--r C:\9jjh.com
2008-04-23 03:14 158,316 --sh--r C:\t2mq2a.com
2008-04-23 01:40 374,784 ----a-w C:\WINDOWS\system32\kdfinj.dll
2008-04-20 09:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 03:15 --------- d-----w C:\Documents and Settings\joes459\Application Data\ESTsoft
2008-04-20 02:01 73,728 ----a-w C:\WINDOWS\system32\ISP_INISafeNet.dll
2008-04-20 02:01 708,096 ----a-w C:\WINDOWS\system32\INIcrypto20.dll
2008-04-20 02:01 638,976 ----a-w C:\WINDOWS\system32\ISPPopUpDlg.exe
2008-04-20 02:01 3,137,536 ----a-w C:\WINDOWS\system32\KvpVcmd.dll
2008-04-20 02:01 28,672 ----a-w C:\WINDOWS\system32\ISP_crgen.dll
2008-04-20 02:01 233,472 ----a-w C:\WINDOWS\system32\PubCertDlg.dll
2008-04-20 02:01 154,752 ----a-w C:\WINDOWS\system32\INIWebCrypto.dll
2008-04-20 02:00 --------- d-----w C:\Program Files\INICIS
2008-04-20 00:48 --------- d-----w C:\Program Files\Common Files\AhnLab
2008-04-20 00:48 --------- d-----w C:\Program Files\AhnLab
2008-04-19 09:40 --------- d-----w C:\Program Files\Broadcom
2008-04-19 07:55 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-17 00:19 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-16 02:22 --------- d-----w C:\Program Files\Pruna
2008-04-08 01:55 --------- d-----w C:\Program Files\PowerISO
2008-04-07 04:35 953,048 ----a-w C:\WINDOWS\system32\SCSKCORE.dll
2008-04-07 01:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 09:48 --------- d-----w C:\Program Files\ESTsoft
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-05 08:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 08:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-05 07:48 --------- d-----w C:\Documents and Settings\joes459\Application Data\Azureus
2008-03-23 12:53 155,716 --sh--r C:\al8u.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 04:17 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-14 14:37 149,664 --sh--r C:\x8.bat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKeyWin32.dll
2008-02-25 05:26 32,768 ----a-w C:\WINDOWS\system32\UbiKey.dll
2008-01-17 13:19 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAEBE5F2-5E2E-11D8-A251-00D0591C1C61}]
2008-01-11 23:42 36864 --a------ C:\WINDOWS\system32\MSvcprt4.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 21:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 21:00 59392]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-10-09 10:56 147456]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 21:00 208952]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-09 12:06 419120]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 16:28 1282048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-11 09:14 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-11 09:14 162584]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 21:00 158208]
"NetClient RC Helper"="C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe" [2007-06-01 00:46 71440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^joes459^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\joes459\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 08:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
--a------ 2008-02-17 15:44 500392 C:\Program Files\Common Files\Hnc\HncUtils\HncUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 01:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kxva"=C:\WINDOWS\system32\kxvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"NetClient RC Helper"=C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncipmgr.exe"=
"C:\\WINDOWS\\system32\\skcbgm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=
"C:\\Program Files\\Pruna\\Pruna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\ncclient.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\NetChat.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\DrFtc.exe"=
"C:\\WINDOWS\\system32\\NetClient40\\rc\\NrHost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 nrdrvnt3;nrdrvnt3;C:\WINDOWS\system32\DRIVERS\nrdrvnt3.sys [2007-06-01 00:46]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-09 12:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-09 12:05]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-09 10:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-09 10:56]
R2 NCClient Agent;NCClient Agent;C:\WINDOWS\system32\NetClient40\ncagent.exe [2003-12-07 01:44]
R2 npkcmsvc;npkcmsvc;C:\WINDOWS\system32\npkcmsvc.exe [2008-01-22 11:57]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 21:00]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-10-09 10:56]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-10-09 10:56]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-10-09 10:56]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-10-09 10:56]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-09 10:56]
R3 NCGUARD;DoctorSoft NCGuard;C:\WINDOWS\system32\DRIVERS\NCGUARD.SYS [2007-05-23 09:02]
R3 NCPMon40;NetClient Process detector;C:\WINDOWS\system32\NetClient40\NCPMon40.sys [2003-11-12 10:17]
R3 NSECU;DoctorSoft Network Secu;C:\WINDOWS\system32\DRIVERS\NSECU.SYS [2007-05-15 06:59]
S1 _ishieldA;_ishieldA;C:\WINDOWS\system32\drivers\_ishieldA.sys []
S1 _ishieldB;_ishieldB;C:\WINDOWS\system32\drivers\_ishieldB.sys []
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-10-09 10:56]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2007-10-09 10:56]
S3 ncpflt;ncpflt;C:\WINDOWS\system32\Drivers\ncpflt.sys [2007-06-15 08:11]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-17 13:17]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\oalvm.com
\Shell\explore\Command - C:\oalvm.com
\Shell\open\Command - C:\oalvm.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42f17b91-c1ac-11dc-89f4-001d4fa4ed19}]
\Shell\AutoRun\command - F:\6krxwx.cmd
\Shell\explore\Command - F:\6krxwx.cmd
\Shell\open\Command - F:\6krxwx.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6443b5af-c0d9-11dc-89f1-001d4fa4ed19}]
\Shell\AutoRun\command - F:\3bqqnkd.bat
\Shell\explore\Command - F:\3bqqnkd.bat
\Shell\open\Command - F:\3bqqnkd.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0d59ce8-c234-11dc-89f5-001d4fa4ed19}]
\Shell\AutoRun\command - F:\vl.com
\Shell\explore\Command - F:\vl.com
\Shell\open\Command - F:\vl.com
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 04:17:29 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-12 00:18:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-25 13:57:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-25 13:58:01
ComboFix-quarantined-files.txt 2008-05-25 04:57:43
ComboFix2.txt 2008-05-25 04:52:10
Pre-Run: 3,438,747,648 bytes free
Post-Run: 3,422,375,936 bytes free
265
Hijack This Scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:23 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\NetClient40\ncagent.exe
C:\WINDOWS\system32\NetClient40\ncclient.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: msvcprt4.msvcprt4d - {FAEBE5F2-5E2E-11D8-A251-00D0591C1C61} - C:\WINDOWS\system32\MSvcprt4.dll
O3 - Toolbar: (no name) - {B982A63C-9A5B-4796-80B0-EC809FCDEBF2} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NetClient RC Helper] C:\WINDOWS\system32\NetClient40\rc\NrDeskHlp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.shinhan.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) - http://download.netmarble.com/web/nmsta ... rter25.cab
O16 - DPF: {03F49E0E-C43A-4037-BBD6-D681E998A08E} (CodeAx Class) - http://ep.knou.ac.kr/EP/web/common/cabf ... CodeAx.cab
O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control) - http://fx.hauri.net/HProduct/livesuite/ ... botWeb.cab
O16 - DPF: {0A4E624A-F7EA-4313-B721-C5669E0C6266} (TrustSiteAuction Control) - http://download.auction.co.kr/activexpa ... onCtrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {207444C6-E097-4F13-B9C1-F11B15DE78C4} (HackFire Control) - http://champstudy.com/hackdown/HackFire.cab
O16 - DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} (XacsPop Control) - http://mpi.dacom.net/XMPI/js/xmpi2007.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://download.banktown.com/kbstarActiveX/INIS60.cab
O16 - DPF: {317642DD-AF52-11D4-BC2A-0050DA8AEE6F} (FileMng Control) - http://mail.epis.ewha.ac.kr:8884/local/cabs/FileWiz.cab
O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://img.shinhan.com/shttp/install/down/INIS70.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://img.shinhan.com/rib/common/keySt ... /scsk4.cab
O16 - DPF: {3A90D051-E921-4741-8288-D1B6747A8A51} (Yessign5 Control) - http://www.giro.or.kr/html/yessign/cab/yessign5.cab
O16 - DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} (XPayMPIOCX Control) - http://mpi.dacom.net/XPayMPI/Xecure_Liv ... MPIOCX.cab
O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - http://img.shinhan.com/rib//ko/print/Printmade.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2868270812
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://ahnlabdownload.nefficient.co.kr/ ... AhnASP.cab
O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - http://img.shinhan.com/rib/common/ProWorksGrid_78.cab
O16 - DPF: {6F517019-0482-4BD2-8AAD-1E3CB01C4148} (MiBookView Control) - http://asp.lemonbook.co.kr/CabDownLoad/MiBookView.cab
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://www.bccard.com/service/individua ... Plugin.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://xecure.kbstar.com/xecure/xw_install_v7202.cab
O16 - DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} (NoPhishingX Control) - http://www.nophishing.co.kr/softrun/SH02/SRNPSH.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc ... n=1,0,0,10
O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} (v3d Class) - https://v3d.kcp.co.kr/file/kcp_ansimclick.cab
O16 - DPF: {9D67EBF0-AF1A-4BCE-BAC9-C84A9383E0B3} (SSOCheck Class) - http://epis.ewha.ac.kr:8880/EP/web/comm ... OCheck.cab
O16 - DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} (SG_CAppAtx Control) -
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://k-defence.kbstar.com/kings/kdfx/ ... fense8.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpa ... PayEFT.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,5
O16 - DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} (EwsLoader Class) -
O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - http://www.giro.or.kr/html/ubikey/VineTransfer.cab
O16 - DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} (SKCInst1 Class) - http://cyimg7.cyworld.com/cymusic/package/skcinst.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://n-protect.kbstar.com/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/kft ... _vista.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab
O16 - DPF: {D923AE0C-190D-4EDF-B07A-76AC571FBFD4} (SCSKEx Control) - http://img.shinhan.com/rib/common/keySt ... SCSKEX.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://www.congnamul.com/ActiveX/ASPCab ... sp_V23.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {E831AA9C-C980-4F16-B252-09AAF40D0E9B} (Kdfense9 Control) - http://k-defence.kbstar.com/kdfx218/kbstar/kdfense9.cab
O16 - DPF: {E8FB2BD7-3703-483A-8EC1-43DADAFC7668} (ELauncher Control) - http://update.folderplus.com/eWebLink/eLauncher.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/Trust ... tSiteX.cab
O16 - DPF: {F61919F5-1292-4447-A904-1943D72ACF04} (CertCheck for KB Control) - http://img.kbstar.com/cab/certCheck.cab
O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\INITECH\SHTTP\InitechSHTTPInterface.10111.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: iPod 서비스 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NCClient Agent - DRSOFT - C:\WINDOWS\system32\NetClient40\ncagent.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 10835 bytes