ComboFix 10-05-10.05 - Administrator 05/12/2010   1:19.3.2 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.625 [GMT -5:00]
Running from: e:\documents and settings\Administrator.MEMO.000\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
e:\windows\system32\fvhm.dll . . . . failed to delete
Infected copy of e:\windows\system32\xmlprov.dll was found and disinfected
Restored copy from - e:\windows\system32\dllcache\xmlprov.dll
Infected copy of e:\windows\system32\ntmssvc.dll was found and disinfected
Restored copy from - e:\windows\system32\dllcache\ntmssvc.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.
2010-05-12 05:58 . 2010-05-12 05:58 -------- d-----w- e:\documents and settings\Administrator.MEMO.000\Local Settings\Application Data\PMB Files
2010-05-12 05:57 . 2010-05-12 05:57 -------- d-----w- e:\documents and settings\All Users.WINDOWS\Application Data\PMB Files
2010-05-12 05:57 . 2010-05-12 05:57 -------- d-----w- e:\program files\Pando Networks
2010-05-12 05:54 . 2010-05-12 05:54 2560 ----a-w- e:\windows\system32\InetDummy.dll
2010-05-12 03:58 . 2010-05-12 03:58 12 ----a-w- e:\windows\system32\DELETEIT.bat
2010-05-12 02:36 . 2010-05-12 05:48 3584 ----a-w- e:\windows\system32\msimg32.dll
2010-05-11 19:12 . 2010-05-11 19:12 86 ----a-w- e:\windows\system32\tempc.bat
2010-05-11 19:12 . 2010-05-11 19:12 56 ----a-w- e:\windows\system32\temp2.bat
2010-05-11 19:12 . 2010-05-11 19:12 0 ----a-w- e:\windows\system32\xzzoip_svr.dat
2010-05-07 03:07 . 2010-05-07 03:07 -------- d-----w- E:\FOUND.000
2010-05-05 02:52 . 2010-05-05 02:52 -------- d-----w- e:\documents and settings\Administrator.MEMO.000\Local Settings\Application Data\Cranium_Consulting_and_Cu
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 06:06 . 2009-03-26 02:34 70016 ----a-w- e:\documents and settings\Administrator.MEMO.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-12 05:40 . 2004-08-04 17:00 0 ----a-w- e:\windows\system32\fvhm.dll
2010-03-04 21:07 . 2010-03-04 20:49 680 ----a-w- e:\windows\AUTOLNCH.REG
2010-02-18 00:39 . 2010-03-15 00:50 38784 ----a-w- e:\documents and settings\Admin.MEMO3\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 00:39 . 2009-11-01 21:12 38784 ----a-w- e:\documents and settings\Administrator.MEMO.000\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-03-23 01:34 . 2007-01-25 01:05 21952 ---h--w- e:\program files\folder.htt
2006-01-23 15:32 . 2006-01-23 15:32 131072 ----a-w- e:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 19:40 . 2006-06-07 19:40 132848 ----a-w- e:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.
------- Sigcheck -------
[-] 2008-04-13 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . e:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\appmgmts.dll
[-] 2004-08-04 17:00 . E059775F9F25E1AB709FC68D683C3FA3 . 50289 . . [3, 0, 0, 0] . . e:\windows\system32\appmgmts.dll
[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\system32\dllcache\appmgmts.dll
[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\ERDNT\cache\appmgmts.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="e:\program files\Eset\nod32kui.exe" [2009-03-24 917504]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"WinVNC"="e:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"193.110.109.0,255.255.255.0,192.168.1.253,1"=""
"193.24.237.0,255.255.255.0,192.168.1.253,1"=""
"193.71.68.0,255.255.255.0,192.168.1.253,1"=""
"128.130.60.0,255.255.255.0,192.168.1.253,1"=""
"193.66.251.0,255.255.255.0,192.168.1.253,1"=""
"162.40.10.0,255.255.255.0,192.168.1.253,1"=""
"194.206.126.0,255.255.255.0,192.168.1.253,1"=""
"141.202.248.0,255.255.255.0,192.168.1.253,1"=""
"150.70.93.0,255.255.255.0,192.168.1.253,1"=""
"193.0.6.0,255.255.255.0,192.168.1.253,1"=""
"195.137.160.0,255.255.255.0,192.168.1.253,1"=""
"188.93.8.0,255.255.255.0,192.168.1.253,1"=""
"194.109.142.0,255.255.255.0,192.168.1.253,1"=""
"128.111.48.0,255.255.255.0,192.168.1.253,1"=""
"139.91.222.0,255.255.255.0,192.168.1.253,1"=""
"193.193.194.0,255.255.255.0,192.168.1.253,1"=""
"155.35.248.0,255.255.255.0,192.168.1.253,1"=""
"128.130.56.0,255.255.255.0,192.168.1.253,1"=""
"166.70.98.0,255.255.255.0,192.168.1.253,1"=""
"194.0.200.0,255.255.255.0,192.168.1.253,1"=""
"149.101.225.0,255.255.255.0,192.168.1.253,1"=""
"193.1.193.0,255.255.255.0,192.168.1.253,1"=""
"193.17.85.0,255.255.255.0,192.168.1.253,1"=""
"165.160.15.0,255.255.255.0,192.168.1.253,1"=""
"192.150.94.0,255.255.255.0,192.168.1.253,1"=""
"194.33.180.0,255.255.255.0,192.168.1.253,1"=""
"18.85.2.0,255.255.255.0,192.168.1.253,1"=""
"194.112.106.0,255.255.255.0,192.168.1.253,1"=""
"193.69.114.0,255.255.255.0,192.168.1.253,1"=""
"195.2.240.0,255.255.255.0,192.168.1.253,1"=""
"195.55.72.0,255.255.255.0,192.168.1.253,1"=""
"195.146.235.0,255.255.255.0,192.168.1.253,1"=""
"195.64.225.0,255.255.255.0,192.168.1.253,1"=""
"195.70.37.0,255.255.255.0,192.168.1.253,1"=""
"199.203.243.0,255.255.255.0,192.168.1.253,1"=""
"195.210.42.0,255.255.255.0,192.168.1.253,1"=""
"198.6.49.0,255.255.255.0,192.168.1.253,1"=""
"204.14.90.0,255.255.255.0,192.168.1.253,1"=""
"203.160.188.0,255.255.255.0,192.168.1.253,1"=""
"205.227.136.0,255.255.255.0,192.168.1.253,1"=""
"205.178.145.0,255.255.255.0,192.168.1.253,1"=""
"207.44.154.0,255.255.255.0,192.168.1.253,1"=""
"206.204.52.0,255.255.255.0,192.168.1.253,1"=""
"207.46.18.0,255.255.255.0,192.168.1.253,1"=""
"207.46.20.0,255.255.255.0,192.168.1.253,1"=""
"207.66.0.0,255.255.255.0,192.168.1.253,1"=""
"208.79.250.0,255.255.255.0,192.168.1.253,1"=""
"207.46.232.0,255.255.255.0,192.168.1.253,1"=""
"209.157.69.0,255.255.255.0,192.168.1.253,1"=""
"209.124.55.0,255.255.255.0,192.168.1.253,1"=""
"209.216.46.0,255.255.255.0,192.168.1.253,1"=""
"209.160.22.0,255.255.255.0,192.168.1.253,1"=""
"209.51.167.0,255.255.255.0,192.168.1.253,1"=""
"209.62.112.0,255.255.255.0,192.168.1.253,1"=""
"209.87.209.0,255.255.255.0,192.168.1.253,1"=""
"209.62.68.0,255.255.255.0,192.168.1.253,1"=""
"212.47.219.0,255.255.255.0,192.168.1.253,1"=""
"212.72.62.0,255.255.255.0,192.168.1.253,1"=""
"212.8.79.0,255.255.255.0,192.168.1.253,1"=""
"213.198.89.0,255.255.255.0,192.168.1.253,1"=""
"213.133.34.0,255.255.255.0,192.168.1.253,1"=""
"212.67.88.0,255.255.255.0,192.168.1.253,1"=""
"213.31.172.0,255.255.255.0,192.168.1.253,1"=""
"216.12.145.0,255.255.255.0,192.168.1.253,1"=""
"216.246.90.0,255.255.255.0,192.168.1.253,1"=""
"213.171.218.0,255.255.255.0,192.168.1.253,1"=""
"216.239.122.0,255.255.255.0,192.168.1.253,1"=""
"216.99.133.0,255.255.255.0,192.168.1.253,1"=""
"216.49.94.0,255.255.255.0,192.168.1.253,1"=""
"213.220.100.0,255.255.255.0,192.168.1.253,1"=""
"216.10.192.0,255.255.255.0,192.168.1.253,1"=""
"217.16.16.0,255.255.255.0,192.168.1.253,1"=""
"217.170.21.0,255.255.255.0,192.168.1.253,1"=""
"217.174.103.0,255.255.255.0,192.168.1.253,1"=""
"217.106.234.0,255.255.255.0,192.168.1.253,1"=""
"216.49.88.0,255.255.255.0,192.168.1.253,1"=""
"62.14.249.0,255.255.255.0,192.168.1.253,1"=""
"216.55.183.0,255.255.255.0,192.168.1.253,1"=""
"62.146.66.0,255.255.255.0,192.168.1.253,1"=""
"62.213.110.0,255.255.255.0,192.168.1.253,1"=""
"62.146.210.0,255.255.255.0,192.168.1.253,1"=""
"62.75.216.0,255.255.255.0,192.168.1.253,1"=""
"62.189.194.0,255.255.255.0,192.168.1.253,1"=""
"38.113.1.0,255.255.255.0,192.168.1.253,1"=""
"63.85.36.0,255.255.255.0,192.168.1.253,1"=""
"64.128.133.0,255.255.255.0,192.168.1.253,1"=""
"64.202.189.0,255.255.255.0,192.168.1.253,1"=""
"64.13.134.0,255.255.255.0,192.168.1.253,1"=""
"62.75.163.0,255.255.255.0,192.168.1.253,1"=""
"64.41.142.0,255.255.255.0,192.168.1.253,1"=""
"64.66.190.0,255.255.255.0,192.168.1.253,1"=""
"64.246.4.0,255.255.255.0,192.168.1.253,1"=""
"65.175.38.0,255.255.255.0,192.168.1.253,1"=""
"65.55.184.0,255.255.255.0,192.168.1.253,1"=""
"64.78.182.0,255.255.255.0,192.168.1.253,1"=""
"64.41.151.0,255.255.255.0,192.168.1.253,1"=""
"65.55.240.0,255.255.255.0,192.168.1.253,1"=""
"66.249.17.0,255.255.255.0,192.168.1.253,1"=""
"66.223.50.0,255.255.255.0,192.168.1.253,1"=""
"67.134.208.0,255.255.255.0,192.168.1.253,1"=""
"67.15.103.0,255.255.255.0,192.168.1.253,1"=""
"67.15.231.0,255.255.255.0,192.168.1.253,1"=""
"66.77.70.0,255.255.255.0,192.168.1.253,1"=""
"67.192.135.0,255.255.255.0,192.168.1.253,1"=""
"67.227.172.0,255.255.255.0,192.168.1.253,1"=""
"67.225.206.0,255.255.255.0,192.168.1.253,1"=""
"67.19.34.0,255.255.255.0,192.168.1.253,1"=""
"69.162.79.0,255.255.255.0,192.168.1.253,1"=""
"69.18.148.0,255.255.255.0,192.168.1.253,1"=""
"68.177.102.0,255.255.255.0,192.168.1.253,1"=""
"69.20.104.0,255.255.255.0,192.168.1.253,1"=""
"69.93.226.0,255.255.255.0,192.168.1.253,1"=""
"72.232.246.0,255.255.255.0,192.168.1.253,1"=""
"69.57.142.0,255.255.255.0,192.168.1.253,1"=""
"70.84.211.0,255.255.255.0,192.168.1.253,1"=""
"72.32.125.0,255.255.255.0,192.168.1.253,1"=""
"72.32.70.0,255.255.255.0,192.168.1.253,1"=""
"72.32.149.0,255.255.255.0,192.168.1.253,1"=""
"72.3.254.0,255.255.255.0,192.168.1.253,1"=""
"74.50.0.0,255.255.255.0,192.168.1.253,1"=""
"74.208.158.0,255.255.255.0,192.168.1.253,1"=""
"74.125.77.0,255.255.255.0,192.168.1.253,1"=""
"74.52.233.0,255.255.255.0,192.168.1.253,1"=""
"74.208.20.0,255.255.255.0,192.168.1.253,1"=""
"78.108.86.0,255.255.255.0,192.168.1.253,1"=""
"74.55.40.0,255.255.255.0,192.168.1.253,1"=""
"75.125.82.0,255.255.255.0,192.168.1.253,1"=""
"74.53.201.0,255.255.255.0,192.168.1.253,1"=""
"75.125.29.0,255.255.255.0,192.168.1.253,1"=""
"78.47.87.0,255.255.255.0,192.168.1.253,1"=""
"80.153.193.0,255.255.255.0,192.168.1.253,1"=""
"78.137.164.0,255.255.255.0,192.168.1.253,1"=""
"80.190.154.0,255.255.255.0,192.168.1.253,1"=""
"80.190.130.0,255.255.255.0,192.168.1.253,1"=""
"80.86.107.0,255.255.255.0,192.168.1.253,1"=""
"79.125.5.0,255.255.255.0,192.168.1.253,1"=""
"81.177.31.0,255.255.255.0,192.168.1.253,1"=""
"81.176.66.0,255.255.255.0,192.168.1.253,1"=""
"82.165.103.0,255.255.255.0,192.168.1.253,1"=""
"82.117.238.0,255.255.255.0,192.168.1.253,1"=""
"80.237.132.0,255.255.255.0,192.168.1.253,1"=""
"83.202.175.0,255.255.255.0,192.168.1.253,1"=""
"82.98.86.0,255.255.255.0,192.168.1.253,1"=""
"81.24.35.0,255.255.255.0,192.168.1.253,1"=""
"82.151.107.0,255.255.255.0,192.168.1.253,1"=""
"83.222.31.0,255.255.255.0,192.168.1.253,1"=""
"84.40.30.0,255.255.255.0,192.168.1.253,1"=""
"85.255.19.0,255.255.255.0,192.168.1.253,1"=""
"85.17.210.0,255.255.255.0,192.168.1.253,1"=""
"87.106.242.0,255.255.255.0,192.168.1.253,1"=""
"85.12.57.0,255.255.255.0,192.168.1.253,1"=""
"87.230.79.0,255.255.255.0,192.168.1.253,1"=""
"87.242.79.0,255.255.255.0,192.168.1.253,1"=""
"87.242.72.0,255.255.255.0,192.168.1.253,1"=""
"89.108.66.0,255.255.255.0,192.168.1.253,1"=""
"83.222.23.0,255.255.255.0,192.168.1.253,1"=""
"85.31.222.0,255.255.255.0,192.168.1.253,1"=""
"83.223.117.0,255.255.255.0,192.168.1.253,1"=""
"87.106.254.0,255.255.255.0,192.168.1.253,1"=""
"88.221.119.0,255.255.255.0,192.168.1.253,1"=""
"85.214.106.0,255.255.255.0,192.168.1.253,1"=""
"89.202.149.0,255.255.255.0,192.168.1.253,1"=""
"90.156.159.0,255.255.255.0,192.168.1.253,1"=""
"89.202.157.0,255.255.255.0,192.168.1.253,1"=""
"87.242.74.0,255.255.255.0,192.168.1.253,1"=""
"91.121.97.0,255.255.255.0,192.168.1.253,1"=""
"89.111.176.0,255.255.255.0,192.168.1.253,1"=""
"91.209.196.0,255.255.255.0,192.168.1.253,1"=""
"92.53.106.0,255.255.255.0,192.168.1.253,1"=""
"87.238.48.0,255.255.255.0,192.168.1.253,1"=""
"94.236.0.0,255.255.255.0,192.168.1.253,1"=""
"93.191.13.0,255.255.255.0,192.168.1.253,1"=""
"91.199.212.0,255.255.255.0,192.168.1.253,1"=""
"174.120.186.0,255.255.255.0,192.168.1.253,1"=""
"93.184.71.0,255.255.255.0,192.168.1.253,1"=""
"74.55.74.0,255.255.255.0,192.168.1.253,1"=""
"90.183.101.0,255.255.255.0,192.168.1.253,1"=""
"92.123.155.0,255.255.255.0,192.168.1.253,1"=""
"95.140.225.0,255.255.255.0,192.168.1.253,1"=""
"208.43.71.0,255.255.255.0,192.168.1.253,1"=""
"94.23.206.0,255.255.255.0,192.168.1.253,1"=""
"74.54.139.0,255.255.255.0,192.168.1.253,1"=""
"74.53.70.0,255.255.255.0,192.168.1.253,1"=""
"174.120.185.0,255.255.255.0,192.168.1.253,1"=""
"74.86.232.0,255.255.255.0,192.168.1.253,1"=""
"75.125.185.0,255.255.255.0,192.168.1.253,1"=""
"174.120.184.0,255.255.255.0,192.168.1.253,1"=""
"74.54.46.0,255.255.255.0,192.168.1.253,1"=""
"75.125.43.0,255.255.255.0,192.168.1.253,1"=""
"174.133.38.0,255.255.255.0,192.168.1.253,1"=""
"83.102.130.0,255.255.255.0,192.168.1.253,1"=""
"74.54.130.0,255.255.255.0,192.168.1.253,1"=""
"74.86.125.0,255.255.255.0,192.168.1.253,1"=""
"75.125.212.0,255.255.255.0,192.168.1.253,1"=""
"207.44.254.0,255.255.255.0,192.168.1.253,1"=""
"75.125.189.0,255.255.255.0,192.168.1.253,1"=""
"87.242.75.0,255.255.255.0,192.168.1.253,1"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Update 3400C]
2002-02-01 18:33 32768 ----a-w- c:\sj652\hpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Archivos de programa\\Azureus\\Azureus.exe"=
"e:\\Program Files\\Java\\JRE6\\BIN\\javaw.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"c:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"e:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\UltraVNC\\winvnc.exe"=
"e:\\Program Files\\UltraVNC\\vncviewer.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"6971:TCP"= 6971:TCP:League of Legends Launcher
"6971:UDP"= 6971:UDP:League of Legends Launcher
"6913:TCP"= 6913:TCP:League of Legends Launcher
"6913:UDP"= 6913:UDP:League of Legends Launcher
"6906:TCP"= 6906:TCP:League of Legends Launcher
"6906:UDP"= 6906:UDP:League of Legends Launcher
"6972:TCP"= 6972:TCP:League of Legends Launcher
"6972:UDP"= 6972:UDP:League of Legends Launcher
"6957:TCP"= 6957:TCP:League of Legends Launcher
"6957:UDP"= 6957:UDP:League of Legends Launcher
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"6890:TCP"= 6890:TCP:League of Legends Launcher
"6890:UDP"= 6890:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"6975:TCP"= 6975:TCP:League of Legends Launcher
"6975:UDP"= 6975:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"6907:TCP"= 6907:TCP:League of Legends Launcher
"6907:UDP"= 6907:UDP:League of Legends Launcher
"6927:TCP"= 6927:TCP:League of Legends Launcher
"6927:UDP"= 6927:UDP:League of Legends Launcher
"6932:TCP"= 6932:TCP:League of Legends Launcher
"6932:UDP"= 6932:UDP:League of Legends Launcher
"6969:TCP"= 6969:TCP:League of Legends Launcher
"6969:UDP"= 6969:UDP:League of Legends Launcher
"6962:TCP"= 6962:TCP:League of Legends Launcher
"6962:UDP"= 6962:UDP:League of Legends Launcher
"2113:TCP"= 2113:TCP
"6938:TCP"= 6938:TCP:League of Legends Launcher
"6938:UDP"= 6938:UDP:League of Legends Launcher
"6900:TCP"= 6900:TCP:League of Legends Launcher
"6900:UDP"= 6900:UDP:League of Legends Launcher
"6937:TCP"= 6937:TCP:League of Legends Launcher
"6937:UDP"= 6937:UDP:League of Legends Launcher
"6986:TCP"= 6986:TCP:League of Legends Launcher
"6986:UDP"= 6986:UDP:League of Legends Launcher
"6955:TCP"= 6955:TCP:League of Legends Launcher
"6955:UDP"= 6955:UDP:League of Legends Launcher
"6922:TCP"= 6922:TCP:League of Legends Launcher
"6922:UDP"= 6922:UDP:League of Legends Launcher
"6948:TCP"= 6948:TCP:League of Legends Launcher
"6948:UDP"= 6948:UDP:League of Legends Launcher
"6931:TCP"= 6931:TCP:League of Legends Launcher
"6931:UDP"= 6931:UDP:League of Legends Launcher
"6905:TCP"= 6905:TCP:League of Legends Launcher
"6905:UDP"= 6905:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"6908:TCP"= 6908:TCP:League of Legends Launcher
"6908:UDP"= 6908:UDP:League of Legends Launcher
"6977:TCP"= 6977:TCP:League of Legends Launcher
"6977:UDP"= 6977:UDP:League of Legends Launcher
"6926:TCP"= 6926:TCP:League of Legends Launcher
"6926:UDP"= 6926:UDP:League of Legends Launcher
"6981:TCP"= 6981:TCP:League of Legends Launcher
"6981:UDP"= 6981:UDP:League of Legends Launcher
"6921:TCP"= 6921:TCP:League of Legends Launcher
"6921:UDP"= 6921:UDP:League of Legends Launcher
"6946:TCP"= 6946:TCP:League of Legends Launcher
"6946:UDP"= 6946:UDP:League of Legends Launcher
"6951:TCP"= 6951:TCP:League of Legends Launcher
"6951:UDP"= 6951:UDP:League of Legends Launcher
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
"6968:TCP"= 6968:TCP:League of Legends Launcher
"6968:UDP"= 6968:UDP:League of Legends Launcher
"6990:TCP"= 6990:TCP:League of Legends Launcher
"6990:UDP"= 6990:UDP:League of Legends Launcher
"6950:TCP"= 6950:TCP:League of Legends Launcher
"6950:UDP"= 6950:UDP:League of Legends Launcher
"6978:TCP"= 6978:TCP:League of Legends Launcher
"6978:UDP"= 6978:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"58293:TCP"= 58293:TCP:Pando Media Booster
"58293:UDP"= 58293:UDP:Pando Media Booster

R0 cwwhwh;cwwhwh;e:\windows\system32\drivers\ikajl.sys [8/4/2004 12:00 PM 29696]
R0 HFXP2;HFXP2;e:\windows\system32\drivers\hfxp2.sys [3/26/2009 12:29 AM 13824]
R0 sptd;sptd;e:\windows\system32\drivers\sptd.sys [3/29/2009 8:24 PM 717296]
R3 NmPar;Unusable Parallel Port;e:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;e:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
R3 vuhub;Virtual Usb Hub;e:\windows\system32\drivers\vuhub.sys [9/5/2009 10:39 AM 66432]
S3 ALSysIO;ALSysIO;\??\e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys --> e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\75.tmp --> e:\windows\system32\75.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;e:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 PicUSB;PicUSB Device Driver;e:\windows\system32\drivers\mchpusb.sys [9/4/2009 8:01 PM 61440]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);e:\windows\system32\drivers\s0016bus.sys [7/19/2009 7:14 PM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;e:\windows\system32\drivers\s0016mdfl.sys [7/19/2009 7:14 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;e:\windows\system32\drivers\s0016mdm.sys [7/19/2009 7:14 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);e:\windows\system32\drivers\s0016mgmt.sys [7/19/2009 7:14 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);e:\windows\system32\drivers\s0016nd5.sys [7/19/2009 7:14 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;e:\windows\system32\drivers\s0016obex.sys [7/19/2009 7:14 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);e:\windows\system32\drivers\s0016unic.sys [7/19/2009 7:14 PM 115752]
S3 uvnc_service;uvnc_service;e:\program files\UltraVNC\winvnc.exe [1/13/2010 5:33 PM 1590216]
S4 UsbService;Eltima Usb to Ethernet Connector;e:\windows\system32\UsbService.exe [9/5/2009 11:07 AM 768512]
S4 Wibettin32;Wibettin32 System;e:\windows\system32\Wibettin32.exe --> e:\windows\system32\Wibettin32.exe [?]
S4 Wihkep32;Wihkep32 System;e:\windows\system32\Wihke32.exe --> e:\windows\system32\Wihke32.exe [?]
S4 Wiyselp32;Wiyselp32 System;e:\windows\system32\Wiyselp32.exe --> e:\windows\system32\Wiyselp32.exe [?]
S4 xzzoip;xzzoip;e:\windows\system32\xzzoip.exe --> e:\windows\system32\xzzoip.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = www.9348.cn/?205486
mStart Page = www.9348.cn/?205486
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: e:\documents and settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: e:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 01:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86DD91F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7694fc3
\Driver\ACPI -> ACPI.sys @ 0xf740fcb8
\Driver\atapi -> 0x86dd91f8
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7318ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7325b21
SendHandler -> NDIS.sys @ 0xf730387b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\e:\windows\system32\75.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-162531612-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f2,d9,75,7e,15,4a,d6,62,e7,b4,5e,1a,12,90,6b,18,80,2a,70,65,7b,9f,58,
   ac,42,9a,57,3f,2c,3e,f3,d4,a0,68,a4,c8,c3,a6,3e,84,7b,22,b4,43,18,47,8b,ec,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5784)
e:\windows\system32\MSIMG32.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Eset\nod32krn.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\wdfmgr.exe
e:\windows\system32\RUNDLL32.EXE
e:\windows\RTHDCPL.EXE
e:\windows\system32\wscntfy.exe
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-12 01:38:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 06:38
ComboFix2.txt 2010-05-12 04:55

Pre-Run: 887,926,784 bytes free
Post-Run: 854,155,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WIN2K="Microsoft Windows 2000 Professional" /fastdetect

- - End Of File - - F4BCF4107B03E7E28D5A60F24B624E95
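Added triage example (this is not ComboFix output and not part of the posted log). The entries a responder pulls out of a log like this first are the S4 services whose image files are gone (Wibettin32, Wihkep32, Wiyselp32 and xzzoip, all shown as "[?]"), the R0 driver cwwhwh / ikajl.sys stamped 8/4/2004 12:00 PM even though ComboFix lists only non-default entries, the system32 copy of appmgmts.dll that Sigcheck marks [-] at 50289 bytes against the 167936-byte dllcache copy, and the nearly two hundred persistent /24 routes all pointing at 192.168.1.253 (the MBR detector's "\Driver\atapi -> 0x86dd91f8" hook and its "possible MBR rootkit infection" warning stand on their own). The script below parses service, Sigcheck and persistent-route lines in this format and flags exactly those patterns. The sample input is copied from the log above; the rules themselves (the XP base-timestamp check, the .tmp and Temp-directory checks, the MEMSWEEP2 allowlist for the Sophos Anti-Rootkit driver) are this example's own heuristics, not anything ComboFix does.

```python
"""Triage helper for ComboFix-style log lines (added example, not part of ComboFix
or of the posted log): parses the service/driver lines under "Reg Loading Points",
the Sigcheck lines and the persistent-route entries, and returns the indicators
worth a second look. The flagging rules are this example's own assumptions."""
import re
from collections import defaultdict

# R0 cwwhwh;cwwhwh;e:\windows\system32\drivers\ikajl.sys [8/4/2004 12:00 PM 29696]
# S4 xzzoip;xzzoip;e:\windows\system32\xzzoip.exe --> e:\windows\system32\xzzoip.exe [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+\S.*?)?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# [-] 2004-08-04 17:00 . <md5> . 50289 . . [3, 0, 0, 0] . . e:\windows\system32\appmgmts.dll
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]+)\]\s+\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# "193.110.109.0,255.255.255.0,192.168.1.253,1"=""
ROUTE_RE = re.compile(r'^"(?P<dest>[\d.]+),(?P<mask>[\d.]+),(?P<gw>[\d.]+),\d+"=""$')

# XP SP2 ships its files stamped 2004-08-04 17:00 UTC; this log runs at GMT-5, hence 12:00 PM.
XP_BASE_STAMP = "8/4/2004 12:00 PM"
# Sophos Anti-Rootkit registers its driver as MEMSWEEP2 with a .tmp image: known benign.
ALLOWLIST = {"MEMSWEEP2"}


def flag_service(line):
    """Return (service name, [reasons]) for a service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, path, meta = m["name"], m["path"].lower(), m["meta"].strip()
    if name in ALLOWLIST:
        return name, []
    reasons = []
    if meta == "?":                      # ComboFix prints [?] when the image is not on disk
        reasons.append("image file not found on disk")
    if "\\temp\\" in path:
        reasons.append("image loads from a Temp directory")
    if path.endswith(".tmp"):
        reasons.append("image is a .tmp file")
    # ComboFix omits default Microsoft entries, so a boot-start driver that still carries
    # the OS base-install timestamp has most likely been timestomped to blend in.
    if m["start"] == "R0" and meta.startswith(XP_BASE_STAMP):
        reasons.append("boot-start driver timestamped to the XP base install")
    return name, reasons


def sigcheck_mismatches(lines):
    """system32 files marked [-] whose MD5 differs from the dllcache copy: (path, size, ref size)."""
    by_name = defaultdict(list)
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            by_name[m["path"].lower().rsplit("\\", 1)[-1]].append(m.groupdict())
    findings = []
    for rows in by_name.values():
        refs = [r for r in rows if "\\dllcache\\" in r["path"].lower()]
        if not refs:
            continue
        for r in rows:
            p = r["path"].lower()
            if (r["mark"] == "-" and "\\system32\\" in p and "\\dllcache\\" not in p
                    and r["md5"].lower() != refs[0]["md5"].lower()):
                findings.append((r["path"], r["size"], refs[0]["size"]))
    return findings


def route_summary(lines):
    """Persistent static routes per gateway; dozens of public /24s via one host is a finding."""
    per_gw = defaultdict(int)
    for line in lines:
        m = ROUTE_RE.match(line.strip())
        if m:
            per_gw[m["gw"]] += 1
    return dict(per_gw)


def triage(lines):
    services = [r for r in map(flag_service, lines) if r and r[1]]
    return {"services": services, "sigcheck": sigcheck_mismatches(lines),
            "routes": route_summary(lines)}


# Constructed input: lines copied from the log above (mixed on purpose, as in a real file).
SAMPLE = [
    r"R0 cwwhwh;cwwhwh;e:\windows\system32\drivers\ikajl.sys [8/4/2004 12:00 PM 29696]",
    r"R0 sptd;sptd;e:\windows\system32\drivers\sptd.sys [3/29/2009 8:24 PM 717296]",
    r"S3 ALSysIO;ALSysIO;\??\e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys --> e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys [?]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\75.tmp --> e:\windows\system32\75.tmp [?]",
    r"S3 uvnc_service;uvnc_service;e:\program files\UltraVNC\winvnc.exe [1/13/2010 5:33 PM 1590216]",
    r"S4 xzzoip;xzzoip;e:\windows\system32\xzzoip.exe --> e:\windows\system32\xzzoip.exe [?]",
    r"[-] 2008-04-13 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . e:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\appmgmts.dll",
    r"[-] 2004-08-04 17:00 . E059775F9F25E1AB709FC68D683C3FA3 . 50289 . . [3, 0, 0, 0] . . e:\windows\system32\appmgmts.dll",
    r"[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\system32\dllcache\appmgmts.dll",
    r"[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\ERDNT\cache\appmgmts.dll",
    r'"193.110.109.0,255.255.255.0,192.168.1.253,1"=""',
    r'"193.24.237.0,255.255.255.0,192.168.1.253,1"=""',
    r'"87.242.75.0,255.255.255.0,192.168.1.253,1"=""',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

To use it on a saved ComboFix.txt, pass the file's lines to triage(). A service flagged only as "image file not found" can mean the binary was already removed or that something is hiding it from the scanner, so the [?] entries here should be read together with the "Files Created" list (DELETEIT.bat, tempc.bat, temp2.bat and the empty xzzoip_svr.dat from 2010-05-11/12) before anything is deleted, and the appmgmts.dll finding means the live copy should be quarantined for analysis rather than overwritten from dllcache straight away.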