Here are the results. (Appreciate the help.)
ComboFix 10-01-29.05 - Jay Juon 9/2010 Fri 23:19:57.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.2045.1792 [GMT -6:00]
Running from: c:\documents and settings\Jay Juon\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged
c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged\jnbhsysguard.exe
c:\documents and settings\Jay Juon\Local Settings\Temporary Internet Files\NPI 및 업무개선 관련 토의_090828.xls
c:\program files\Shared
c:\windows\system32\bepaleju.dll
c:\windows\system32\drivers\E50f3.sys
c:\windows\system32\fuhazepi.dll
c:\windows\system32\jasesuyo.dll
c:\windows\system32\nahatona.dll
c:\windows\system32\rewetuyo.dll
c:\windows\system32\sanotoyi.dll
c:\windows\system32\sijusafo.dll
c:\windows\system32\wehojavi.dll
c:\windows\system32\wojawiho.dll
c:\windows\system32\wutunoyu.dll
c:\windows\system32\zibuvugo.dll
----- BITS: Possible infected sites -----
hxxp://82.98.235.39
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_E50f3
-------\Service_E50f3
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.
2010-01-29 03:29 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-29 03:29 . 2010-01-29 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 02:38 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 23:01 . 2010-01-26 23:01 -------- d-----w- c:\documents and settings\HelpAssistant\EurekaLog
2010-01-25 04:55 . 2010-01-25 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-01-24 02:06 . 2010-01-24 02:06 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\Malwarebytes
2010-01-24 02:06 . 2010-01-24 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-24 01:58 . 2010-01-24 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-23 22:23 . 2010-01-23 22:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-22 01:04 . 2010-01-22 01:04 0 ----a-w- c:\windows\system32\drivers\.sys
2010-01-21 02:23 . 2010-01-21 02:23 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-05 19:14 . 2010-01-30 05:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-01 19:31 . 2010-01-08 02:18 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-01 18:50 . 2010-01-05 23:29 6435 ----a-w- c:\windows\system32\WORK.DAT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 05:27 . 2009-07-17 11:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-29 01:27 . 2009-07-29 00:33 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\StarOffice8
2010-01-29 00:25 . 2009-07-17 03:59 -------- d-----w- c:\program files\lg_swupdate
2010-01-15 03:05 . 2009-07-17 18:07 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\AdobeUM
2010-01-05 00:49 . 2009-08-20 13:18 53352 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-02 19:47 . 2009-11-08 02:45 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-02 19:47 . 2009-11-08 02:45 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-02 19:47 . 2009-11-08 02:45 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-02 19:47 . 2009-11-08 02:45 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-02 19:47 . 2009-11-08 02:45 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-02 17:53 . 2009-11-08 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-01-01 20:01 . 2009-11-08 02:45 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-12-22 05:42 . 2004-08-04 05:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 05:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 04:12 . 2009-12-22 04:12 1790688 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\NMService.exe
2009-12-22 04:12 . 2009-12-22 04:12 1700584 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmconew.dll
2009-12-19 17:28 . 2009-07-17 04:40 58952 ----a-w- c:\documents and settings\Jay Juon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-19 17:06 . 2009-11-08 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-12-19 17:06 . 2009-12-19 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2009-12-09 01:56 . 2009-12-09 01:56 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\Nexon
2009-11-21 16:36 . 2004-08-04 05:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 17:23 . 2009-11-14 17:23 45056 ----a-r- c:\documents and settings\Jay Juon\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe1_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-11-14 17:23 . 2009-11-14 17:23 45056 ----a-r- c:\documents and settings\Jay Juon\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-11-14 17:23 . 2009-11-14 17:23 10134 ----a-r- c:\documents and settings\Jay Juon\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\ARPPRODUCTICON.exe
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\lelutayo.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c42da175-cdb4-4ca8-b1c2-7b3c7220f162}]
1601-01-01 00:03 55296 --sha-w- c:\windows\system32\lelutayo.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo!Mini"="c:\program files\Yahoo!\Mini\YMiniUpdat2.exe" [2009-09-01 777728]
"cdloader"="c:\documents and settings\Jay Juon\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-01 2935480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LG Intelligent Update"="c:\program files\lg_swupdate\autoupdate.exe" [2008-07-17 126976]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-11 13594624]
"nwiz"="nwiz.exe" [2009-02-11 1657376]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2008-02-28 851968]
"KeybdUtility"="c:\program files\LG Software\On Screen Display\HotKey.exe" [2009-01-10 2830336]
"zOSD"="c:\program files\LG Software\On Screen Display\HotKey.exe" [2009-01-10 2830336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\Jay Juon\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-20 576104]
EmEditor v3.lnk - c:\program files\EmEditor3\EMEDTRAY.EXE [2001-12-13 49152]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2009-8-5 6144]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\IDOCTOR\\PLUSUP_2.9\\AGENT\\ServiceiDoctorPro.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Documents and Settings\\Jay Juon\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\DFO\\DFO.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"56682:TCP"= 56682:TCP:Pando Media Booster
"56682:UDP"= 56682:UDP:Pando Media Booster
"59026:TCP"= 59026:TCP:Pando Media Booster
"59026:UDP"= 59026:UDP:Pando Media Booster
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [7/16/2009 10:09 PM 158720]
S1 {C166FB67-755A-446A-B788-301F84B7FA76};{C166FB67-755A-446A-B788-301F84B7FA76};\??\c:\windows\system32\drivers\Services\Tcpip\Parameters\Interfaces\{C166FB67-755A-446A-B788-301F84B7FA76}.sys --> c:\windows\system32\drivers\Services\Tcpip\Parameters\Interfaces\{C166FB67-755A-446A-B788-301F84B7FA76}.sys [?]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [8/22/2006 12:00 AM 316992]
S2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWHD and TSXT Driver\SRS_PostInstaller.exe [8/10/2007 8:37 AM 69632]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [7/26/2009 7:26 AM 12672]
S3 npkakl;npkakl;\??\c:\windows\system32\npkakl.sys --> c:\windows\system32\npkakl.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/16/2009 10:04 PM 41376]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 11:23 AM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 10:08 AM 174336]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 4:56 PM 173392]
S3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [8/10/2007 8:35 AM 22528]
.
Contents of the 'Scheduled Tasks' folder
2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-01-28 c:\windows\Tasks\SyncBackSE Design Works 1.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-09-21 20:59]
2010-01-28 c:\windows\Tasks\SyncBackSE OutLook 1.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-09-21 20:59]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Bluetooth 장치로 보내기(&... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Bluetooth로 보내기 - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: lginnotek.com
Trusted Zone: sun.com
TCP: {E8077C1D-21D7-453B-9325-1EA7E4B52FD5} = 10.0.1.1
TCP: {F9BB1889-2F73-4C0A-A2D8-13CF12E5F052} = 10.0.1.1
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxp://sso.lginnotek.com/initech/plugin/down/INIS60.cab
DPF: {56B0DCF5-77B9-49F6-AD2F-F367D22A7136} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/BWordAxU.cab
DPF: {599735FD-7340-487C-AD77-85F9838F2E2C} - hxxp://www.my-lg070.net/gnr_misc/lg_voicetest/LGVoipQualityX.cab
DPF: {6A05EEAE-72F8-4288-A5A2-FAC831DC0AC1} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/FX-FileUpDnMass.cab
DPF: {80572992-B565-4644-A14F-A6BFDEA55599} - hxxp://pro.i-doctor.co.kr/idoctor/IDLiveU.cab
DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E}
DPF: {A540427E-B803-4842-BC53-9DB140968449} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/KCOLSAddressBook.cab
DPF: {B6F0F9BC-AF60-41B4-BFB4-897617910207} - hxxp://sso.lginnotek.com/netclient/n5uaEx.CAB
DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} - hxxp://neis.mest.go.kr/cab/ewsinstaller_full.cab
DPF: {CBEAB323-33C7-43A1-8642-412206DD16DF} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/FX-FileUpDn.cab
DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} - hxxp://update.nprotect.net/nprotect2007/neisold/npz.cab
FF - ProfilePath - c:\documents and settings\Jay Juon\Application Data\Mozilla\Firefox\Profiles\wob39s4u.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.ftp - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJPI142_07.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGomtvx_nie.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-test - d:\combat.arms.nx_own\Bettler.exe
HKCU-Run-axopcajs - c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged\jnbhsysguard.exe
HKLM-Run-hekajanade - bepaleju.dll
HKLM-Run-axopcajs - c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged\jnbhsysguard.exe
HKLM-Run-jujusozan - c:\windows\system32\wojawiho.dll
SharedTaskScheduler-{fa50cb30-b896-43c4-acb1-1c950db10641} - c:\windows\system32\wojawiho.dll
SSODL-gahujudal-{fa50cb30-b896-43c4-acb1-1c950db10641} - c:\windows\system32\wojawiho.dll
SafeBoot-E50f3
SafeBoot-{C166FB67-755A-446A-B788-301F84B7FA76}
SafeBoot-????淀??????
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 23:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Binary file temp00 matches
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\MmIn*?듍m ?*NtfIH?
@="Driver"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Network\MmIn*?듍m ?*NtfIH?
@="Driver"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MmIn*?듍m ?*NtfIH?
"ImagePath"=expand:"\\??\\c:\\WINDOWS\\system32\\drivers\\????淀?\02?????.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2010-01-29 23:33:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 05:33
Pre-Run: 12,188,938,240 bytes free
Post-Run: 17,377,591,296 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 0EBFB55EE05984EAF897B79F343264BE