Resilient Virus/worm modifies hosts file and homepages



#1
dogmaster

    New Member

  • Member
  • 7 posts
Hello, I would greatly appreciate some help regarding my problem.
A description:

Yesterday I arrived home to find the family computer barely working. It previously had some worm that opens Chinese sites, but I didn't bother removing it, as whoever inserted a new USB re-infected it.
However, this time it was different: iexplore and Add or Remove Programs were unresponsive, Mozilla apparently damaged, among other oddities like the keyboard layout changed to English (I have a Spanish keyboard).
I removed some entries with hijackthis, which fixed most of the problems, and Combofix, which also helped a bit.
Afterwards I had trouble when rebooting: random exes with different names would be created by scvhost.exe under win32/tmp.

I had to boot using UBCD and removed what I believe was the offending dll and deleted hosts file, which was immortal and unmodifiable under a normal boot.

The state now is as follows:

I can now reboot normally but get two error messages regarding the removed dll; for the life of me I cannot find who is launching it.
Also, when running hijackthis I get warnings from nod32 regarding a trojan modifying (or trying to modify) my hosts file (which is blank atm). I think this may just be hijackthis trying to create it and nod32 catching it.

Edit: I let hijackthis run with Nod32 off and my hosts file was modified again with another Chinese site for 127.0.0.1; should have believed it.

The annoying part is that my IE homepage keeps getting changed to www.9348.cn/?205486.
I attached HijackThis's and Combofix's logs, along with what nod32 is detecting as a virus.

Some comments:

On the hijackthis log, the entries for homepage are immortal.
On the combofix log, fvhm.dll was the dll I replaced for a blank one.
Finally R0 HFXP2;HFXP2;e:\windows\system32\drivers\hfxp2.sys [3/26/2009 12:29 AM 13824] is a valid program for hiding folders.



The e:\windows\system32\DELETEIT.bat was my attempt to delete said file and the e:\windows\system32\InetDummy.dll is a dummy dll I was going to use to avoid the error message.

Thank you, any help would be really really appreciated.

Attached Thumbnails

  • nod32_hosts.JPG




#2
RKinner

    Malware Expert

  • Expert
  • 23,716 posts
  • MVP
Please do not attach logs. Just copy and paste.

Delete your old Combofix and get a new one as follows:

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Run OTL per step 5 of http://www.geekstogo...uide-t2852.html and post both logs.

Run MBAM per step 1 of http://www.geekstogo...uide-t2852.html and post the log.

Ron

PS Will be off-island until 6 PDT so won't be able to reply until then.
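Offline triage of the two artefacts this thread turns on, the hosts file (post #1) and the service/driver lines ComboFix prints (the log the reply above asks for), as an added example that is not code from the thread, from ComboFix or from HijackThis. It assumes ComboFix's `R0 name;display;image [...]` / `--> path [?]` line format as it appears in logs posted in this thread and that a stock Windows XP hosts file maps only `localhost`; the hosts sample is constructed, the service lines are copied from the ComboFix log the poster provides later in the thread. The checks are heuristics, not verdicts.

```python
import re
import ntpath

# Stock Windows XP hosts file maps only localhost; every other mapping is
# worth a look: 127.0.0.1 entries blackhole AV/update sites, other
# addresses silently redirect traffic.
XP_DEFAULT_HOSTS = {("127.0.0.1", "localhost")}

# ComboFix service line: "<R|S><start> <name>;<display>;<image> [...]".
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto,
# 3 on-demand, 4 disabled. A trailing "--> <path> [?]" means the image
# file no longer exists on disk.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")

# Constructed sample hosts file (the poster's real file is not on the page).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test    # blocks an AV update host
127.0.0.1       www.example-cn.test
"""

# Service lines copied from the ComboFix log posted later in this thread.
SAMPLE_COMBOFIX_LINES = [
    r"R0 cwwhwh;cwwhwh;e:\windows\system32\drivers\ikajl.sys [8/4/2004 12:00 PM 29696]",
    r"R0 HFXP2;HFXP2;e:\windows\system32\drivers\hfxp2.sys [3/26/2009 12:29 AM 13824]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\75.tmp --> e:\windows\system32\75.tmp [?]",
    r"S4 UsbService;Eltima Usb to Ethernet Connector;e:\windows\system32\UsbService.exe [9/5/2009 11:07 AM 768512]",
    r"S4 Wihkep32;Wihkep32 System;e:\windows\system32\Wihke32.exe --> e:\windows\system32\Wihke32.exe [?]",
    r"S4 xzzoip;xzzoip;e:\windows\system32\xzzoip.exe --> e:\windows\system32\xzzoip.exe [?]",
]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_hosts_entries(text):
    """Every mapping that is not part of the stock XP hosts file."""
    return [pair for pair in parse_hosts(text) if pair not in XP_DEFAULT_HOSTS]


def triage_services(log_lines):
    """Flag ComboFix service/driver lines worth a closer look.

    Heuristics, not verdicts: a missing image, an image in a temp
    location, or a boot-start driver whose file name does not match its
    service name (e.g. cwwhwh -> ikajl.sys). Returns (name, reason) tuples.
    """
    findings = []
    for line in log_lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, start, name, _display, rest = m.groups()
        # Image path is everything before the "--> ..." tail or the "[date size]" tail.
        image = rest.split(" --> ")[0].split(" [")[0].strip()
        stem = ntpath.splitext(ntpath.basename(image))[0].lower()
        if rest.rstrip().endswith("[?]"):
            findings.append((name, "image file missing: " + image))
        if "\\temp\\" in image.lower() or image.lower().endswith(".tmp"):
            findings.append((name, "image in a temp location: " + image))
        if start == "0" and stem != name.lower():
            findings.append((name, f"boot-start driver file {stem} does not match service name"))
    return findings


if __name__ == "__main__":
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {ip} -> {host}")
    for name, reason in triage_services(SAMPLE_COMBOFIX_LINES):
        print(f"{name}: {reason}")
```

On the sample lines this flags cwwhwh (a boot-start driver loading a file with an unrelated name), the three services whose executables are gone, and the `.tmp` driver; HFXP2 and UsbService pass. A missing image with a live service entry is typical of a half-removed infection and is why the poster still sees error messages at boot; a boot-start driver is what makes a hosts file "unmodifiable under a normal boot", since it loads before any user-mode cleaner. Run it against the real log and hosts file, then decide per entry.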

#3
dogmaster

    New Member

  • Topic Starter
  • Member
  • 7 posts
Okay, thank you for the reply. I will follow the steps as soon as I get home from work.

#4
dogmaster

    New Member

  • Topic Starter
  • Member
  • 7 posts
Okay, ran all the steps, and still my IE homepage was changed to the same site, as well as my hosts file being funky and trying to overwrite itself when something tries to access it.

Here's the Combofix log:

ComboFix 10-05-13.03 - Administrator 05/13/2010 19:35:02.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.634 [GMT -5:00]
Running from: e:\documents and settings\Administrator.MEMO.000\Desktop\George.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\8437968.exe2
e:\windows\system32\fvhm.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-12 23:38 . 2010-05-12 23:38 -------- d-----w- e:\documents and settings\Administrator.MEMO.000\Application Data\LolClient
2010-05-12 05:58 . 2010-05-12 05:58 -------- d-----w- e:\documents and settings\Administrator.MEMO.000\Local Settings\Application Data\PMB Files
2010-05-12 05:57 . 2010-05-12 05:57 -------- d-----w- e:\documents and settings\All Users.WINDOWS\Application Data\PMB Files
2010-05-12 05:57 . 2010-05-12 05:57 -------- d-----w- e:\program files\Pando Networks
2010-05-12 05:54 . 2010-05-12 05:54 2560 ----a-w- e:\windows\system32\InetDummy.dll
2010-05-12 03:58 . 2010-05-12 03:58 12 ----a-w- e:\windows\system32\DELETEIT.bat
2010-05-12 02:36 . 2010-05-12 05:48 3584 ----a-w- e:\windows\system32\msimg32.dll
2010-05-12 02:14 . 2004-08-04 17:00 25600 ----a-w- e:\documents and settings\LocalService.NT AUTHORITY\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-05-11 19:12 . 2010-05-11 19:12 86 ----a-w- e:\windows\system32\tempc.bat
2010-05-11 19:12 . 2010-05-11 19:12 56 ----a-w- e:\windows\system32\temp2.bat
2010-05-11 19:12 . 2010-05-11 19:12 0 ----a-w- e:\windows\system32\xzzoip_svr.dat
2010-05-07 03:07 . 2010-05-07 03:07 -------- d-----w- E:\FOUND.000
2010-05-05 02:52 . 2010-05-05 02:52 -------- d-----w- e:\documents and settings\Administrator.MEMO.000\Local Settings\Application Data\Cranium_Consulting_and_Cu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 06:06 . 2009-03-26 02:34 70016 ----a-w- e:\documents and settings\Administrator.MEMO.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-12 05:40 . 2004-08-04 17:00 0 ----a-w- e:\windows\system32\fvhm.dll
2010-03-04 21:07 . 2010-03-04 20:49 680 ----a-w- e:\windows\AUTOLNCH.REG
2010-02-18 00:39 . 2010-03-15 00:50 38784 ----a-w- e:\documents and settings\Admin.MEMO3\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 00:39 . 2009-11-01 21:12 38784 ----a-w- e:\documents and settings\Administrator.MEMO.000\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-03-23 01:34 . 2007-01-25 01:05 21952 ---h--w- e:\program files\folder.htt
2006-01-23 15:32 . 2006-01-23 15:32 131072 ----a-w- e:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 19:40 . 2006-06-07 19:40 132848 ----a-w- e:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

------- Sigcheck -------

[-] 2008-04-13 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . e:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\appmgmts.dll
[-] 2004-08-04 17:00 . E059775F9F25E1AB709FC68D683C3FA3 . 50289 . . [3, 0, 0, 0] . . e:\windows\system32\appmgmts.dll
[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\system32\dllcache\appmgmts.dll
[7] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . e:\windows\ERDNT\cache\appmgmts.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="e:\program files\Eset\nod32kui.exe" [2009-03-24 917504]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"WinVNC"="e:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Update 3400C]
2002-02-01 18:33 32768 ----a-w- c:\sj652\hpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Archivos de programa\\Azureus\\Azureus.exe"=
"e:\\Program Files\\Java\\JRE6\\BIN\\javaw.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=
"c:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"e:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\UltraVNC\\winvnc.exe"=
"e:\\Program Files\\UltraVNC\\vncviewer.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"g:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"g:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"6971:TCP"= 6971:TCP:League of Legends Launcher
"6971:UDP"= 6971:UDP:League of Legends Launcher
"6913:TCP"= 6913:TCP:League of Legends Launcher
"6913:UDP"= 6913:UDP:League of Legends Launcher
"6906:TCP"= 6906:TCP:League of Legends Launcher
"6906:UDP"= 6906:UDP:League of Legends Launcher
"6972:TCP"= 6972:TCP:League of Legends Launcher
"6972:UDP"= 6972:UDP:League of Legends Launcher
"6957:TCP"= 6957:TCP:League of Legends Launcher
"6957:UDP"= 6957:UDP:League of Legends Launcher
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"6890:TCP"= 6890:TCP:League of Legends Launcher
"6890:UDP"= 6890:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"6975:TCP"= 6975:TCP:League of Legends Launcher
"6975:UDP"= 6975:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"6907:TCP"= 6907:TCP:League of Legends Launcher
"6907:UDP"= 6907:UDP:League of Legends Launcher
"6927:TCP"= 6927:TCP:League of Legends Launcher
"6927:UDP"= 6927:UDP:League of Legends Launcher
"6932:TCP"= 6932:TCP:League of Legends Launcher
"6932:UDP"= 6932:UDP:League of Legends Launcher
"6969:TCP"= 6969:TCP:League of Legends Launcher
"6969:UDP"= 6969:UDP:League of Legends Launcher
"6962:TCP"= 6962:TCP:League of Legends Launcher
"6962:UDP"= 6962:UDP:League of Legends Launcher
"2113:TCP"= 2113:TCP
"6900:TCP"= 6900:TCP:League of Legends Launcher
"6900:UDP"= 6900:UDP:League of Legends Launcher
"6937:TCP"= 6937:TCP:League of Legends Launcher
"6937:UDP"= 6937:UDP:League of Legends Launcher
"6986:TCP"= 6986:TCP:League of Legends Launcher
"6986:UDP"= 6986:UDP:League of Legends Launcher
"6955:TCP"= 6955:TCP:League of Legends Launcher
"6955:UDP"= 6955:UDP:League of Legends Launcher
"6922:TCP"= 6922:TCP:League of Legends Launcher
"6922:UDP"= 6922:UDP:League of Legends Launcher
"6948:TCP"= 6948:TCP:League of Legends Launcher
"6948:UDP"= 6948:UDP:League of Legends Launcher
"6905:TCP"= 6905:TCP:League of Legends Launcher
"6905:UDP"= 6905:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"6908:TCP"= 6908:TCP:League of Legends Launcher
"6908:UDP"= 6908:UDP:League of Legends Launcher
"6977:TCP"= 6977:TCP:League of Legends Launcher
"6977:UDP"= 6977:UDP:League of Legends Launcher
"6926:TCP"= 6926:TCP:League of Legends Launcher
"6926:UDP"= 6926:UDP:League of Legends Launcher
"6951:TCP"= 6951:TCP:League of Legends Launcher
"6951:UDP"= 6951:UDP:League of Legends Launcher
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
"6990:TCP"= 6990:TCP:League of Legends Launcher
"6990:UDP"= 6990:UDP:League of Legends Launcher
"6950:TCP"= 6950:TCP:League of Legends Launcher
"6950:UDP"= 6950:UDP:League of Legends Launcher
"6978:TCP"= 6978:TCP:League of Legends Launcher
"6978:UDP"= 6978:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"58293:TCP"= 58293:TCP:Pando Media Booster
"58293:UDP"= 58293:UDP:Pando Media Booster

R0 cwwhwh;cwwhwh;e:\windows\system32\drivers\ikajl.sys [8/4/2004 12:00 PM 29696]
R0 HFXP2;HFXP2;e:\windows\system32\drivers\hfxp2.sys [3/26/2009 12:29 AM 13824]
R3 NmPar;Unusable Parallel Port;e:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
R3 nmserial;PCI Serial Port;e:\windows\system32\drivers\NmSerial.sys [12/16/2008 6:10 AM 70016]
R3 vuhub;Virtual Usb Hub;e:\windows\system32\drivers\vuhub.sys [9/5/2009 10:39 AM 66432]
S3 ALSysIO;ALSysIO;\??\e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys --> e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\e:\windows\system32\75.tmp --> e:\windows\system32\75.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;e:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 PicUSB;PicUSB Device Driver;e:\windows\system32\drivers\mchpusb.sys [9/4/2009 8:01 PM 61440]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);e:\windows\system32\drivers\s0016bus.sys [7/19/2009 7:14 PM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;e:\windows\system32\drivers\s0016mdfl.sys [7/19/2009 7:14 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;e:\windows\system32\drivers\s0016mdm.sys [7/19/2009 7:14 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);e:\windows\system32\drivers\s0016mgmt.sys [7/19/2009 7:14 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);e:\windows\system32\drivers\s0016nd5.sys [7/19/2009 7:14 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;e:\windows\system32\drivers\s0016obex.sys [7/19/2009 7:14 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);e:\windows\system32\drivers\s0016unic.sys [7/19/2009 7:14 PM 115752]
S3 uvnc_service;uvnc_service;e:\program files\UltraVNC\winvnc.exe [1/13/2010 5:33 PM 1590216]
S4 sptd;sptd;e:\windows\system32\drivers\sptd.sys [3/29/2009 8:24 PM 717296]
S4 UsbService;Eltima Usb to Ethernet Connector;e:\windows\system32\UsbService.exe [9/5/2009 11:07 AM 768512]
S4 Wibettin32;Wibettin32 System;e:\windows\system32\Wibettin32.exe --> e:\windows\system32\Wibettin32.exe [?]
S4 Wihkep32;Wihkep32 System;e:\windows\system32\Wihke32.exe --> e:\windows\system32\Wihke32.exe [?]
S4 Wiyselp32;Wiyselp32 System;e:\windows\system32\Wiyselp32.exe --> e:\windows\system32\Wiyselp32.exe [?]
S4 xzzoip;xzzoip;e:\windows\system32\xzzoip.exe --> e:\windows\system32\xzzoip.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = www.9348.cn/?205486
mStart Page = www.9348.cn/?205486
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: e:\documents and settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: e:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 19:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\e:\windows\system32\75.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-162531612-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f2,d9,75,7e,15,4a,d6,62,e7,b4,5e,1a,12,90,6b,18,80,2a,70,65,7b,9f,58,
ac,42,9a,57,3f,2c,3e,f3,d4,a0,68,a4,c8,c3,a6,3e,84,7b,22,b4,43,18,47,8b,ec,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2164)
e:\windows\system32\MSIMG32.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Eset\nod32krn.exe
e:\windows\system32\nvsvc32.exe
e:\program files\TVersity\Media Server\MediaServer.exe
e:\windows\system32\wdfmgr.exe
e:\windows\system32\RUNDLL32.EXE
e:\windows\RTHDCPL.EXE
e:\windows\system32\wscntfy.exe
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-13 19:51:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-14 00:51

Pre-Run: 1,456,398,336 bytes free
Post-Run: 1,459,322,880 bytes free

- - End Of File - - BD81162F9BAEFB82B7C880EC399C26D0

Here is the OTL log

OTL logfile created on: 5/13/2010 7:54:08 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = E:\Documents and Settings\Administrator.MEMO.000\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 539.00 Mb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072G:\pagefile.sys 0 0 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 53.77 Gb Total Space | 4.70 Gb Free Space | 8.74% Space Free | Partition Type: FAT32
Drive D: | 15.63 Gb Total Space | 4.32 Gb Free Space | 27.66% Space Free | Partition Type: NTFS
Drive E: | 20.70 Gb Total Space | 1.38 Gb Free Space | 6.68% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
Drive G: | 133.42 Gb Total Space | 8.75 Gb Free Space | 6.56% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MEMO3
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/13 19:23:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\OTL.exe
PRC - [2010/04/05 08:37:12 | 000,307,672 | ---- | M] (Mozilla Corporation) -- E:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/22 18:34:34 | 000,851,968 | ---- | M] () -- E:\Program Files\TVersity\Media Server\MediaServer.exe
PRC - [2009/03/23 23:31:30 | 000,917,504 | ---- | M] (Eset ) -- E:\Program Files\ESET\nod32kui.exe
PRC - [2009/03/23 23:31:30 | 000,507,904 | ---- | M] (Eset ) -- E:\Program Files\ESET\nod32krn.exe
PRC - [2009/03/05 16:28:08 | 000,585,728 | ---- | M] (TightVNC Group) -- E:\Program Files\TightVNC\WinVNC.exe
PRC - [2004/08/04 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/05/13 19:23:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\OTL.exe
MOD - [2004/08/04 12:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 12:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (xzzoip)
SRV - File not found [Disabled | Stopped] -- -- (Wiyselp32)
SRV - File not found [Disabled | Stopped] -- -- (Wihkep32)
SRV - File not found [Disabled | Stopped] -- -- (Wibettin32)
SRV - [2009/12/07 00:19:00 | 001,590,216 | ---- | M] (UltraVNC) [On_Demand | Stopped] -- E:\Program Files\UltraVNC\WinVNC.exe -- (uvnc_service)
SRV - [2009/09/05 11:07:58 | 000,768,512 | ---- | M] () [Disabled | Stopped] -- E:\WINDOWS\system32\UsbService.exe -- (UsbService)
SRV - [2009/05/22 18:34:34 | 000,851,968 | ---- | M] () [Auto | Running] -- E:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)
SRV - [2009/03/23 23:31:30 | 000,507,904 | ---- | M] (Eset ) [Auto | Running] -- E:\Program Files\Eset\nod32krn.exe -- (NOD32krn)
SRV - [2009/03/05 16:28:08 | 000,585,728 | ---- | M] (TightVNC Group) [Auto | Running] -- E:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
SRV - [2007/11/06 15:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- E:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/03/14 20:19:10 | 000,779,824 | ---- | M] (Nero AG) [Disabled | Stopped] -- G:\Archivos de programa\Nero 7\Nero BackItUp\NBService.exe -- (NBService)
SRV - [2007/01/19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- E:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2009/09/09 13:59:32 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2009/03/29 20:24:20 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- E:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/03/23 23:31:30 | 000,502,368 | ---- | M] (Eset ) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\amon.sys -- (AMON)
DRV - [2009/02/18 14:44:00 | 006,308,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/01/20 18:53:06 | 005,027,840 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/12/24 05:40:12 | 000,080,256 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\NmPar.sys -- (NmPar)
DRV - [2008/12/16 06:10:34 | 000,070,016 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\NmSerial.sys -- (nmserial)
DRV - [2008/10/30 21:14:20 | 000,117,888 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/05/16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
DRV - [2008/05/16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
DRV - [2008/05/16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV - [2008/05/16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016mdm.sys -- (s0016mdm)
DRV - [2008/05/16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
DRV - [2008/05/16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016obex.sys -- (s0016obex)
DRV - [2008/05/16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s0016bus.sys -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
DRV - [2008/05/14 11:27:44 | 000,066,432 | ---- | M] () [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\vuhub.sys -- (vuhub)
DRV - [2007/11/06 15:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/04/24 09:33:46 | 000,100,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s125mgmt.sys -- (s125mgmt) Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/24 09:33:46 | 000,098,696 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s125obex.sys -- (s125obex)
DRV - [2007/04/24 09:33:44 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s125mdm.sys -- (s125mdm)
DRV - [2007/04/24 09:33:42 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s125mdfl.sys -- (s125mdfl)
DRV - [2007/04/24 09:33:34 | 000,083,336 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s125bus.sys -- (s125bus) Sony Ericsson Device 125 driver (WDM)
DRV - [2006/11/30 22:21:00 | 000,013,824 | ---- | M] (FSPro Labs) [Kernel | Boot | Running] -- E:\WINDOWS\SYSTEM32\DRIVERS\HFXP2.SYS -- (HFXP2)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- E:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/09/05 12:58:26 | 000,061,536 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\se58bus.sys -- (se58bus) Sony Ericsson Device 088 driver (WDM)
DRV - [2005/01/07 17:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/11/22 06:03:56 | 000,061,440 | ---- | M] (Microchip Technology, Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\mchpusb.sys -- (PicUSB)
DRV - [2004/08/04 12:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2004/08/04 12:00:00 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- E:\WINDOWS\system32\drivers\ikajl.sys -- (cwwhwh)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 23:07:46 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2002/09/16 17:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- E:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.9348.cn/?205486

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.9348.cn/?205486
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:4.0.21.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:2.2.280608

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: E:\Program Files\Mozilla Firefox\components [2009/03/24 09:54:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: E:\Program Files\Mozilla Firefox\plugins [2009/03/24 09:54:46 | 000,000,000 | ---D | M]

[2009/03/25 21:34:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Mozilla\Extensions
[2009/03/25 21:34:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\extensions
[2009/05/30 11:18:16 | 000,000,000 | ---D | M] (IE Tab) -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/07/14 16:29:24 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\extensions\[email protected]
[2010/04/18 02:06:46 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Mozilla\Firefox\Profiles\6uvh8cew.default\extensions\[email protected]
[2009/03/24 09:54:46 | 000,000,000 | ---D | M] -- E:\Program Files\Mozilla Firefox\extensions

O1 - HOSTS file present but inaccessible!
O4 - HKLM..\Run: [nod32kui] E:\Program Files\Eset\nod32kui.exe (Eset )
O4 - HKLM..\Run: [NvCplDaemon] E:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] E:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [WinVNC] E:\Program Files\TightVNC\WinVNC.exe (TightVNC Group)
O4 - HKCU..\Run: [DAEMON Tools Lite] E:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - G:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.systemreq...sreqlab_srl.cab (System Requirements Lab Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - E:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/24 15:00:56 | 000,000,358 | -HS- | M] () - C:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [2007/10/24 15:00:56 | 000,000,358 | -H-- | M] () - C:\AutoExec.bat -- [ FAT32 ]
O32 - AutoRun File - [2005/08/05 10:06:50 | 000,000,194 | ---- | M] () - C:\AUTOEXEC.NS0 -- [ FAT32 ]
O32 - AutoRun File - [2006/08/17 13:48:56 | 000,000,289 | ---- | M] () - C:\autoexec.nav -- [ FAT32 ]
O32 - AutoRun File - [2007/10/23 22:11:30 | 000,000,378 | -HS- | M] () - C:\AUTOEXEC.WIN -- [ FAT32 ]
O32 - AutoRun File - [2004/08/12 23:39:06 | 000,000,000 | -H-- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/05/03 20:55:06 | 000,232,448 | ---- | M] () - G:\AutoSHSH-3.1.3+3.2--RC2.exe -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - \6to4.dll ()
NetSvcs: AppMgmt - E:\WINDOWS\system32\appmgmts.dll (Shenzhen QVOD Technology Co.,Ltd)
NetSvcs: Ias - E:\WINDOWS\system32\ias [2009/03/22 22:07:44 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: WmdmPmSN - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/13 19:51:36 | 000,000,000 | ---D | C] -- E:\WINDOWS\temp
[2010/05/13 19:30:58 | 000,212,480 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWXCACLS.exe
[2010/05/13 19:30:58 | 000,161,792 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWREG.exe
[2010/05/13 19:30:58 | 000,136,704 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWSC.exe
[2010/05/13 19:30:58 | 000,031,232 | ---- | C] (NirSoft) -- E:\WINDOWS\NIRCMD.exe
[2010/05/13 19:29:47 | 000,000,000 | ---D | C] -- E:\Qoobox
[2010/05/13 19:27:56 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\mbam-setup-1.46.exe
[2010/05/13 19:23:58 | 000,570,880 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\OTL.exe
[2010/05/12 18:58:12 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\fixing
[2010/05/12 18:38:37 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\LolClient
[2010/05/12 00:58:02 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Local Settings\Application Data\PMB Files
[2010/05/12 00:57:57 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\PMB Files
[2010/05/12 00:57:10 | 000,000,000 | ---D | C] -- E:\Program Files\Pando Networks
[2010/05/11 21:17:45 | 000,049,152 | ---- | C] (Tencent) -- E:\WINDOWS\System32\woaizuguo.ime
[2010/05/11 14:31:02 | 000,000,000 | RH-D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Recent
[2010/05/06 22:07:26 | 000,000,000 | ---D | C] -- E:\FOUND.000
[2010/05/04 21:52:37 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Local Settings\Application Data\Cranium_Consulting_and_Cu
[2010/04/19 20:06:25 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\LoLBaseUploader.1.2.0
[2010/03/12 14:37:33 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\Real
[2010/03/03 20:20:29 | 000,000,000 | ---D | C] -- E:\MSNCleaner
[2010/03/03 20:05:12 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\backups
[2010/03/03 19:43:50 | 000,000,000 | ---D | C] -- E:\WINDOWS\ERDNT
[2010/03/02 21:38:25 | 000,000,000 | ---D | C] -- E:\Program Files\Sophos
[2010/03/02 19:54:50 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\HijackThis.exe
[2010/02/17 15:20:47 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\Boardingpass.aspx_files
[9 C:\Mis documentos\*.tmp files -> C:\Mis documentos\*.tmp -> ]
[3 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[1 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/13 19:45:44 | 000,000,227 | ---- | M] () -- E:\WINDOWS\system.ini
[2010/05/13 19:45:18 | 000,213,319 | ---- | M] () -- E:\WINDOWS\System32\nvapps.xml
[2010/05/13 19:44:22 | 000,000,006 | -H-- | M] () -- E:\WINDOWS\tasks\SA.DAT
[2010/05/13 19:44:20 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2010/05/13 19:41:50 | 009,961,472 | -H-- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\NTUSER.DAT
[2010/05/13 19:30:20 | 003,688,866 | R--- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\George.exe
[2010/05/13 19:28:26 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\mbam-setup-1.46.exe
[2010/05/13 19:23:50 | 000,570,880 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\OTL.exe
[2010/05/13 18:51:50 | 000,002,184 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2010/05/12 08:03:40 | 000,000,543 | ---- | M] () -- E:\Documents and Settings\All Users.WINDOWS\Desktop\Play League of Legends.lnk
[2010/05/12 01:06:24 | 000,070,016 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/12 00:54:06 | 000,002,560 | ---- | M] () -- E:\WINDOWS\System32\InetDummy.dll
[2010/05/12 00:48:16 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\msimg32.dll
[2010/05/12 00:48:12 | 000,049,152 | ---- | M] (Tencent) -- E:\WINDOWS\System32\woaizuguo.ime
[2010/05/12 00:40:40 | 000,000,000 | ---- | M] () -- E:\WINDOWS\System32\fvhm.dll
[2010/05/12 00:12:28 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\0004C1D5.new
[2010/05/12 00:03:20 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\0018A081.new
[2010/05/11 23:23:26 | 000,269,392 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/11 23:20:42 | 000,000,178 | -HS- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\ntuser.ini
[2010/05/11 22:58:40 | 000,000,012 | ---- | M] () -- E:\WINDOWS\System32\DELETEIT.bat
[2010/05/11 22:55:56 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\00103D1A.new
[2010/05/11 22:43:08 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\00100159.new
[2010/05/11 22:26:02 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\00046C91.new
[2010/05/11 21:48:40 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\00074880.new
[2010/05/11 21:36:14 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\0003FB2A.new
[2010/05/11 21:34:00 | 000,000,069 | ---- | M] () -- E:\WINDOWS\NeroDigital.ini
[2010/05/11 21:31:04 | 000,001,072 | RHS- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\ntuser.pol
[2010/05/11 21:17:48 | 000,003,584 | ---- | M] () -- E:\WINDOWS\System32\00097757.new
[2010/05/11 14:12:46 | 000,000,086 | ---- | M] () -- E:\WINDOWS\System32\tempc.bat
[2010/05/11 14:12:46 | 000,000,056 | ---- | M] () -- E:\WINDOWS\System32\temp2.bat
[2010/05/11 14:12:46 | 000,000,000 | ---- | M] () -- E:\WINDOWS\System32\xzzoip_svr.dat
[2010/05/11 14:11:32 | 000,003,262 | ---- | M] () -- E:\WINDOWS\Ա.ico
[2010/05/10 23:28:28 | 003,888,054 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\pjhreak.bmp
[2010/05/09 19:49:54 | 000,000,183 | ---- | M] () -- E:\WINDOWS\hpbafd.ini
[2010/05/05 22:18:54 | 003,888,054 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\untitled.bmp
[2010/05/04 21:54:08 | 000,564,211 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\SetupiPhoneBrowser.1.93.exe
[2010/05/01 11:57:12 | 000,007,454 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\processCreditCardPayment.do.htm
[2010/04/30 14:06:14 | 000,005,101 | ---- | M] () -- E:\WINDOWS\xnview.ini
[2010/04/30 11:54:18 | 000,022,016 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\PENDIENTES. MEMO AGUILAR.xls
[2010/04/30 08:46:54 | 000,015,872 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\PENDIENTES MEMO AGUILAR.xls
[2010/04/26 15:58:14 | 000,256,512 | ---- | M] () -- E:\WINDOWS\PEV.exe
[2010/04/24 16:20:38 | 000,008,558 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\logo.gif
[2010/04/18 21:38:44 | 006,961,328 | -H-- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Local Settings\Application Data\IconCache.db
[2010/04/08 21:00:32 | 000,184,319 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\powerlevel.JPG
[2010/03/15 21:41:54 | 000,678,535 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\4429654194_567ae6e920_o.jpg
[2010/03/07 23:38:26 | 001,207,677 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\batmanrobw1-6cvr.jpg
[2010/03/06 17:36:00 | 000,019,229 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\templateguy2.jpg
[2010/03/06 17:35:26 | 000,013,592 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\templateguy.jpg
[2010/03/04 16:09:28 | 008,238,193 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\gua.png
[2010/03/04 16:07:36 | 000,000,680 | ---- | M] () -- E:\WINDOWS\AUTOLNCH.REG
[2010/03/02 21:32:24 | 000,000,000 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\settings.dat
[2010/03/02 19:54:50 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\HijackThis.exe
[2010/03/01 10:02:28 | 000,053,850 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\ubicacion antena.JPG
[2010/03/01 10:02:06 | 001,106,262 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\ubiccacion antena.bmp
[2010/02/28 21:01:04 | 000,050,868 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\sandra estefania.jpg
[2010/02/28 20:58:24 | 000,030,622 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\margarita zacarias.jpg
[2010/02/28 20:57:40 | 000,023,326 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\andres freyria.jpg
[2010/02/28 20:57:14 | 000,013,815 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\guillermo aguilar.jpg
[2010/02/28 03:30:54 | 003,888,054 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\winscreen2.bmp
[2010/02/26 00:28:08 | 000,181,864 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\winscreen.JPG
[2010/02/25 20:42:32 | 000,002,137 | ---- | M] () -- E:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/02/17 15:22:52 | 000,003,395 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\Boardingpass2.aspx.htm
[2010/02/17 15:20:50 | 000,019,388 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\Boardingpass.aspx.htm
[2010/02/17 14:22:24 | 000,029,184 | ---- | M] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\FormuladeExcel.xls
[9 C:\Mis documentos\*.tmp files -> C:\Mis documentos\*.tmp -> ]
[3 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[1 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/13 19:30:58 | 000,256,512 | ---- | C] () -- E:\WINDOWS\PEV.exe
[2010/05/13 19:30:58 | 000,098,816 | ---- | C] () -- E:\WINDOWS\sed.exe
[2010/05/13 19:30:58 | 000,080,412 | ---- | C] () -- E:\WINDOWS\grep.exe
[2010/05/13 19:30:58 | 000,077,312 | ---- | C] () -- E:\WINDOWS\MBR.exe
[2010/05/13 19:30:58 | 000,068,096 | ---- | C] () -- E:\WINDOWS\zip.exe
[2010/05/13 19:22:14 | 003,688,866 | R--- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\George.exe
[2010/05/12 08:03:39 | 000,000,543 | ---- | C] () -- E:\Documents and Settings\All Users.WINDOWS\Desktop\Play League of Legends.lnk
[2010/05/12 00:54:22 | 000,002,560 | ---- | C] () -- E:\WINDOWS\System32\InetDummy.dll
[2010/05/11 22:58:15 | 000,000,012 | ---- | C] () -- E:\WINDOWS\System32\DELETEIT.bat
[2010/05/11 22:12:08 | 000,002,184 | ---- | C] () -- E:\WINDOWS\System32\wpa.dbl
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\msimg32.dll
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\0018A081.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00103D1A.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00100159.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00074880.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\0004C1D5.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00046C91.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\0003FB2A.new
[2010/05/11 21:30:30 | 000,001,072 | RHS- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\ntuser.pol
[2010/05/11 14:12:45 | 000,000,086 | ---- | C] () -- E:\WINDOWS\System32\tempc.bat
[2010/05/11 14:12:45 | 000,000,056 | ---- | C] () -- E:\WINDOWS\System32\temp2.bat
[2010/05/11 14:12:45 | 000,000,000 | ---- | C] () -- E:\WINDOWS\System32\xzzoip_svr.dat
[2010/05/11 14:11:30 | 000,003,262 | ---- | C] () -- E:\WINDOWS\Ա.ico
[2010/05/10 23:28:23 | 003,888,054 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\pjhreak.bmp
[2010/05/05 22:18:49 | 003,888,054 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\untitled.bmp
[2010/05/04 21:54:07 | 000,564,211 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\SetupiPhoneBrowser.1.93.exe
[2010/05/01 11:57:09 | 000,007,454 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\processCreditCardPayment.do.htm
[2010/04/30 11:54:17 | 000,022,016 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\PENDIENTES. MEMO AGUILAR.xls
[2010/04/30 08:47:01 | 000,015,872 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\PENDIENTES MEMO AGUILAR.xls
[2010/04/08 21:00:30 | 000,184,319 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\powerlevel.JPG
[2010/03/15 21:41:52 | 000,678,535 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\4429654194_567ae6e920_o.jpg
[2010/03/07 23:38:24 | 001,207,677 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\batmanrobw1-6cvr.jpg
[2010/03/06 17:35:57 | 000,019,229 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\templateguy2.jpg
[2010/03/06 17:35:23 | 000,013,592 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\templateguy.jpg
[2010/03/04 16:08:51 | 008,238,193 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\gua.png
[2010/03/04 15:49:58 | 000,000,680 | ---- | C] () -- E:\WINDOWS\AUTOLNCH.REG
[2010/03/02 21:32:23 | 000,000,000 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\settings.dat
[2010/03/01 10:02:27 | 000,053,850 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\ubicacion antena.JPG
[2010/03/01 10:02:03 | 001,106,262 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\ubiccacion antena.bmp
[2010/02/28 21:00:38 | 000,050,868 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\sandra estefania.jpg
[2010/02/28 20:58:21 | 000,030,622 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\margarita zacarias.jpg
[2010/02/28 20:57:37 | 000,023,326 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\andres freyria.jpg
[2010/02/28 20:57:11 | 000,013,815 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\guillermo aguilar.jpg
[2010/02/28 03:30:49 | 003,888,054 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\winscreen2.bmp
[2010/02/26 00:28:06 | 000,181,864 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\winscreen.JPG
[2010/02/17 15:22:50 | 000,003,395 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\Boardingpass2.aspx.htm
[2010/02/17 15:20:47 | 000,019,388 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\Boardingpass.aspx.htm
[2010/02/17 14:22:34 | 000,029,184 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\FormuladeExcel.xls
[2009/12/28 22:44:16 | 000,000,262 | ---- | C] () -- E:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/09/09 20:34:33 | 000,000,183 | ---- | C] () -- E:\WINDOWS\hpbafd.ini
[2009/09/05 10:39:14 | 000,066,432 | ---- | C] () -- E:\WINDOWS\System32\drivers\vuhub.sys
[2009/08/05 21:15:07 | 000,000,151 | ---- | C] () -- E:\WINDOWS\PhotoSnapViewer.INI
[2009/06/28 14:22:44 | 000,007,680 | ---- | C] () -- E:\WINDOWS\System32\ff_vfw.dll
[2009/06/28 14:22:44 | 000,000,547 | ---- | C] () -- E:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/05/25 17:43:11 | 000,005,101 | ---- | C] () -- E:\WINDOWS\xnview.ini
[2009/05/05 12:59:02 | 000,000,023 | ---- | C] () -- E:\WINDOWS\BlendSettings.ini
[2009/04/20 19:45:30 | 000,000,020 | ---- | C] () -- E:\WINDOWS\hppsapp.INI
[2009/04/20 19:15:41 | 000,101,376 | ---- | C] () -- E:\WINDOWS\System32\hpgt34.dll
[2009/04/20 19:15:09 | 000,306,688 | ---- | C] () -- E:\WINDOWS\System32\Lffpx7.dll
[2009/04/20 19:15:09 | 000,095,232 | ---- | C] () -- E:\WINDOWS\System32\Lfkodak.dll
[2009/03/29 11:50:44 | 000,000,069 | ---- | C] () -- E:\WINDOWS\NeroDigital.ini
[2009/03/24 00:18:44 | 000,168,448 | ---- | C] () -- E:\WINDOWS\System32\unrar.dll
[2009/02/18 14:44:00 | 001,724,416 | ---- | C] () -- E:\WINDOWS\System32\nvwdmcpl.dll
[2009/02/18 14:44:00 | 001,507,328 | ---- | C] () -- E:\WINDOWS\System32\nview.dll
[2009/02/18 14:44:00 | 001,101,824 | ---- | C] () -- E:\WINDOWS\System32\nvwimg.dll
[2009/02/18 14:44:00 | 000,466,944 | ---- | C] () -- E:\WINDOWS\System32\nvshell.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- E:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- E:\WINDOWS\System32\AgCPanelFrench.dll
[2008/08/01 16:13:40 | 000,303,104 | ---- | C] () -- E:\WINDOWS\System32\ShowHCRemCfgWnd.dll
[2008/08/01 14:24:58 | 000,032,768 | ---- | C] () -- E:\WINDOWS\System32\RemoteCfgRes_CHI.dll
[2008/08/01 14:24:08 | 000,032,768 | ---- | C] () -- E:\WINDOWS\System32\RemoteCfgRes_TRAD.dll
[2008/08/01 14:23:32 | 000,045,056 | ---- | C] () -- E:\WINDOWS\System32\RemoteCfgRes_ENG.dll
[2008/08/01 10:32:10 | 000,040,960 | ---- | C] () -- E:\WINDOWS\System32\Language.dll
[2008/07/30 14:36:00 | 000,356,352 | ---- | C] () -- E:\WINDOWS\System32\HCNetSDK.dll
[2008/07/30 11:17:34 | 000,417,792 | ---- | C] () -- E:\WINDOWS\System32\playm4.dll
[2007/11/06 15:19:28 | 000,053,299 | ---- | C] () -- E:\WINDOWS\System32\pthreadVC.dll
[2004/08/04 12:00:00 | 000,027,440 | ---- | C] () -- E:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 12:00:00 | 000,000,000 | ---- | C] () -- E:\WINDOWS\System32\fvhm.dll
[2004/08/03 20:55:30 | 000,006,432 | ---- | C] () -- E:\WINDOWS\System32\drivers\26E62FDE.sys
[2001/11/17 13:25:08 | 000,094,274 | ---- | C] () -- E:\WINDOWS\System32\HPBHEALR.DLL
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- E:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009/03/25 08:34:02 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
[2009/03/25 12:34:54 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\1.0.0.0
[2009/03/25 22:09:00 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
[2009/03/29 20:26:50 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\DAEMON Tools Lite
[2009/05/05 09:04:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\KSP
[2009/05/12 23:26:40 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\Soulseek
[2009/07/29 21:00:36 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/09/05 11:07:34 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010/01/13 16:01:22 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/12 00:57:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users.WINDOWS\Application Data\PMB Files
[2009/03/25 22:08:56 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Azureus
[2009/03/25 22:21:38 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\LimeWire
[2009/03/29 20:24:10 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\DAEMON Tools Lite
[2009/03/29 20:27:44 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\DAEMON Tools Pro
[2009/03/29 20:27:44 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\DAEMON Tools
[2009/03/29 21:17:26 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Bioshock
[2009/04/24 15:32:50 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\DMCache
[2009/05/20 21:31:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\BSplayer
[2009/05/20 21:31:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\BSplayer Pro
[2009/05/21 20:42:20 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Orbit
[2009/11/01 23:31:52 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
[2009/12/29 15:36:06 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\Softland
[2010/05/12 18:38:38 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Administrator.MEMO.000\Application Data\LolClient

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/09/27 12:13:22 | 000,005,596 | ---- | M] () -- E:\_OOKIE~1.MOZ
[2007/09/27 12:13:22 | 000,001,253 | ---- | M] () -- E:\sessionstore.js.moztmp
[2007/12/18 22:57:38 | 000,003,734 | ---- | M] () -- E:\Bin 1.plb
[2009/03/23 23:24:38 | 000,000,010 | ---- | M] () -- E:\csb.log
[2009/08/26 00:40:32 | 1608,126,464 | -HS- | M] () -- E:\pagefile.sys
[2010/05/13 19:51:36 | 000,015,308 | ---- | M] () -- E:\ComboFix.txt
[2007/12/22 21:30:34 | 000,000,218 | -HS- | M] () -- E:\boot.inibkp
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\appmgmts.dll
[2009/03/24 21:14:42 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt00.sqm
[2008/11/29 11:15:06 | 000,002,575 | ---- | M] () -- E:\odbcconf.log
[2009/03/24 21:14:42 | 000,000,268 | -H-- | M] () -- E:\sqmdata00.sqm
[2009/03/25 10:28:34 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt01.sqm
[2009/03/25 10:28:34 | 000,000,268 | -H-- | M] () -- E:\sqmdata01.sqm
[2009/03/25 21:24:46 | 000,000,268 | -H-- | M] () -- E:\sqmdata06.sqm
[2009/03/25 12:45:40 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt02.sqm
[2009/03/25 12:45:40 | 000,000,268 | -H-- | M] () -- E:\sqmdata02.sqm
[2009/03/25 13:18:50 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt03.sqm
[2009/03/25 13:18:50 | 000,000,268 | -H-- | M] () -- E:\sqmdata03.sqm
[2009/03/25 16:00:48 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt04.sqm
[2009/03/25 16:00:48 | 000,000,268 | -H-- | M] () -- E:\sqmdata04.sqm
[2009/03/25 19:18:56 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt05.sqm
[2009/03/25 19:18:56 | 000,000,268 | -H-- | M] () -- E:\sqmdata05.sqm
[2009/03/25 21:24:46 | 000,000,244 | -H-- | M] () -- E:\sqmnoopt06.sqm
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\shsvcs.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\mspmsnsv.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\xmlprov.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\ntmssvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\upnphost.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\qmgr.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\mswsock.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\browser.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\cryptsvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\pchsvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\schedsvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\6to4.dll
[2010/05/11 22:38:48 | 000,000,886 | ---- | M] () -- E:\avenger.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/05/12 00:40:40 | 000,000,000 | ---- | M] () Unable to obtain MD5 -- E:\WINDOWS\system32\fvhm.dll
[1 E:\WINDOWS\system32\*.tmp files -> E:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/03/23 20:23:20 | 000,905,216 | ---- | M] () -- E:\WINDOWS\system32\config\system.sav
[2009/03/23 20:23:20 | 000,659,456 | ---- | M] () -- E:\WINDOWS\system32\config\software.sav
[2009/03/23 20:23:20 | 000,094,208 | ---- | M] () -- E:\WINDOWS\system32\config\default.sav

< %systemroot%\system32\drivers\*.sys /90 >
< End of report >


Here is the OTL extras log

OTL Extras logfile created on: 5/13/2010 7:54:08 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = E:\Documents and Settings\Administrator.MEMO.000\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 539.00 Mb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072G:\pagefile.sys 0 0 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 53.77 Gb Total Space | 4.70 Gb Free Space | 8.74% Space Free | Partition Type: FAT32
Drive D: | 15.63 Gb Total Space | 4.32 Gb Free Space | 27.66% Space Free | Partition Type: NTFS
Drive E: | 20.70 Gb Total Space | 1.38 Gb Free Space | 6.68% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
Drive G: | 133.42 Gb Total Space | 8.75 Gb Free Space | 6.56% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MEMO3
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- E:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "G:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- E:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- E:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Directory [TVersity] -- "E:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"58293:TCP" = 58293:TCP:*:Enabled:Pando Media Booster
"58293:UDP" = 58293:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"8370:TCP" = 8370:TCP:*:Enabled:League of Legends Launcher
"8370:UDP" = 8370:UDP:*:Enabled:League of Legends Launcher
"8372:TCP" = 8372:TCP:*:Enabled:League of Legends Launcher
"8372:UDP" = 8372:UDP:*:Enabled:League of Legends Launcher
"6971:TCP" = 6971:TCP:*:Enabled:League of Legends Launcher
"6971:UDP" = 6971:UDP:*:Enabled:League of Legends Launcher
"6913:TCP" = 6913:TCP:*:Enabled:League of Legends Launcher
"6913:UDP" = 6913:UDP:*:Enabled:League of Legends Launcher
"6906:TCP" = 6906:TCP:*:Enabled:League of Legends Launcher
"6906:UDP" = 6906:UDP:*:Enabled:League of Legends Launcher
"6972:TCP" = 6972:TCP:*:Enabled:League of Legends Launcher
"6972:UDP" = 6972:UDP:*:Enabled:League of Legends Launcher
"6957:TCP" = 6957:TCP:*:Enabled:League of Legends Launcher
"6957:UDP" = 6957:UDP:*:Enabled:League of Legends Launcher
"5900:TCP" = 5900:TCP:*:Enabled:vnc5900
"5800:TCP" = 5800:TCP:*:Enabled:vnc5800
"8373:TCP" = 8373:TCP:*:Enabled:League of Legends Launcher
"8373:UDP" = 8373:UDP:*:Enabled:League of Legends Launcher
"8374:TCP" = 8374:TCP:*:Enabled:League of Legends Launcher
"8374:UDP" = 8374:UDP:*:Enabled:League of Legends Launcher
"8375:TCP" = 8375:TCP:*:Enabled:League of Legends Launcher
"8375:UDP" = 8375:UDP:*:Enabled:League of Legends Launcher
"6890:TCP" = 6890:TCP:*:Enabled:League of Legends Launcher
"6890:UDP" = 6890:UDP:*:Enabled:League of Legends Launcher
"6881:TCP" = 6881:TCP:*:Enabled:League of Legends Launcher
"6881:UDP" = 6881:UDP:*:Enabled:League of Legends Launcher
"6975:TCP" = 6975:TCP:*:Enabled:League of Legends Launcher
"6975:UDP" = 6975:UDP:*:Enabled:League of Legends Launcher
"8376:TCP" = 8376:TCP:*:Enabled:League of Legends Launcher
"8376:UDP" = 8376:UDP:*:Enabled:League of Legends Launcher
"6907:TCP" = 6907:TCP:*:Enabled:League of Legends Launcher
"6907:UDP" = 6907:UDP:*:Enabled:League of Legends Launcher
"6927:TCP" = 6927:TCP:*:Enabled:League of Legends Launcher
"6927:UDP" = 6927:UDP:*:Enabled:League of Legends Launcher
"6932:TCP" = 6932:TCP:*:Enabled:League of Legends Launcher
"6932:UDP" = 6932:UDP:*:Enabled:League of Legends Launcher
"6969:TCP" = 6969:TCP:*:Enabled:League of Legends Launcher
"6969:UDP" = 6969:UDP:*:Enabled:League of Legends Launcher
"6962:TCP" = 6962:TCP:*:Enabled:League of Legends Launcher
"6962:UDP" = 6962:UDP:*:Enabled:League of Legends Launcher
"2113:TCP" = 2113:TCP
"6900:TCP" = 6900:TCP:*:Enabled:League of Legends Launcher
"6900:UDP" = 6900:UDP:*:Enabled:League of Legends Launcher
"6937:TCP" = 6937:TCP:*:Enabled:League of Legends Launcher
"6937:UDP" = 6937:UDP:*:Enabled:League of Legends Launcher
"6986:TCP" = 6986:TCP:*:Enabled:League of Legends Launcher
"6986:UDP" = 6986:UDP:*:Enabled:League of Legends Launcher
"6955:TCP" = 6955:TCP:*:Enabled:League of Legends Launcher
"6955:UDP" = 6955:UDP:*:Enabled:League of Legends Launcher
"6922:TCP" = 6922:TCP:*:Enabled:League of Legends Launcher
"6922:UDP" = 6922:UDP:*:Enabled:League of Legends Launcher
"6948:TCP" = 6948:TCP:*:Enabled:League of Legends Launcher
"6948:UDP" = 6948:UDP:*:Enabled:League of Legends Launcher
"6905:TCP" = 6905:TCP:*:Enabled:League of Legends Launcher
"6905:UDP" = 6905:UDP:*:Enabled:League of Legends Launcher
"8377:TCP" = 8377:TCP:*:Enabled:League of Legends Launcher
"8377:UDP" = 8377:UDP:*:Enabled:League of Legends Launcher
"6908:TCP" = 6908:TCP:*:Enabled:League of Legends Launcher
"6908:UDP" = 6908:UDP:*:Enabled:League of Legends Launcher
"6977:TCP" = 6977:TCP:*:Enabled:League of Legends Launcher
"6977:UDP" = 6977:UDP:*:Enabled:League of Legends Launcher
"6926:TCP" = 6926:TCP:*:Enabled:League of Legends Launcher
"6926:UDP" = 6926:UDP:*:Enabled:League of Legends Launcher
"6951:TCP" = 6951:TCP:*:Enabled:League of Legends Launcher
"6951:UDP" = 6951:UDP:*:Enabled:League of Legends Launcher
"6929:TCP" = 6929:TCP:*:Enabled:League of Legends Launcher
"6929:UDP" = 6929:UDP:*:Enabled:League of Legends Launcher
"6990:TCP" = 6990:TCP:*:Enabled:League of Legends Launcher
"6990:UDP" = 6990:UDP:*:Enabled:League of Legends Launcher
"6950:TCP" = 6950:TCP:*:Enabled:League of Legends Launcher
"6950:UDP" = 6950:UDP:*:Enabled:League of Legends Launcher
"6978:TCP" = 6978:TCP:*:Enabled:League of Legends Launcher
"6978:UDP" = 6978:UDP:*:Enabled:League of Legends Launcher
"8378:TCP" = 8378:TCP:*:Enabled:League of Legends Launcher
"8378:UDP" = 8378:UDP:*:Enabled:League of Legends Launcher
"58293:TCP" = 58293:TCP:*:Enabled:Pando Media Booster
"58293:UDP" = 58293:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"E:\Program Files\MSN Messenger\livecall.exe" = E:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)
"E:\Program Files\Pando Networks\Media Booster\PMB.exe" = E:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"G:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = G:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Archivos de programa\Azureus\Azureus.exe" = C:\Archivos de programa\Azureus\Azureus.exe:*:Enabled:Azureus -- (Azureus Inc)
"E:\Program Files\Java\JRE6\BIN\javaw.exe" = E:\Program Files\Java\JRE6\BIN\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"D:\Program Files\Ares\Ares.exe" = D:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- (Ares Development Group)
"C:\Archivos de programa\LimeWire\LimeWire.exe" = C:\Archivos de programa\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"E:\Program Files\TVersity\Media Server\MediaServer.exe" = E:\Program Files\TVersity\Media Server\MediaServer.exe:*:Disabled:TVersity Media Server -- ()
"E:\Program Files\MSN Messenger\livecall.exe" = E:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)
"E:\Program Files\Ventrilo\Ventrilo.exe" = E:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"E:\Program Files\iTunes\iTunes.exe" = E:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"E:\Program Files\UltraVNC\winvnc.exe" = E:\Program Files\UltraVNC\winvnc.exe:*:Enabled:winvnc.exe -- (UltraVNC)
"E:\Program Files\UltraVNC\vncviewer.exe" = E:\Program Files\UltraVNC\vncviewer.exe:*:Enabled:vncviewer.exe -- (UltraVNC)
"E:\Program Files\Pando Networks\Media Booster\PMB.exe" = E:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"G:\Riot Games\League of Legends\air\LolClient.exe" = G:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby -- ()
"G:\Riot Games\League of Legends\game\League of Legends.exe" = G:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{13C4E8F0-B747-4C7C-9090-884832F9F90A}" = Proteus 7 Professional
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1692CC0E-8798-493A-9580-23555E21C14B}" = Windows Live Messenger
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{43FFE159-3199-4188-A1CD-629166AD1033}" = Nero 7 Ultra Edition
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{868EC22E-7E82-4760-9265-3F2E705BF24B}" = League of Legends
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{95C5F81D-0779-4932-BE83-32AAF814F4B9}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{ABAA2247-78BF-456B-BBE4-64E0397A8977}" = iPhoneBrowser
"{AC76BA86-7AD7-1034-7B44-A91000000001}" = Adobe Reader 9.1 - Espaol
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}" = iPhoneBrowser
"{C8A8DBA9-AD57-44BE-BA93-0FB94817482A}" = Client Software
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1" = NOD32 FiX v1.9
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ares" = Ares 2.1.1
"Azureus" = Azureus
"BSPlayerf" = BS.Player FREE
"CDisplay_is1" = CDisplay 1.8
"CEDP Stealer 6.0 for Messenger" = CEDP Stealer 6.0 for Messenger
"DC++" = DC++ 0.750
"doPDF 7 printer_is1" = doPDF 7.0 printer
"DriverAgent.exe" = DriverAgent by eSupport.com
"eMule" = eMule
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ffdshow_is1" = ffdshow [rev 1723] [2007-12-24]
"Guitar Pro 5_is1" = Guitar Pro 5.2
"Hide Folders XP 2_is1" = Hide Folders XP 2.6.5 for Windows 2000/XP
"HijackThis" = HijackThis 2.0.2
"HP PrecisionScan LTX" = HP PrecisionScan LTX
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0
"iztscpuchk01_is1" = CPU TrueSpeed 1.8
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.7.0 (Standard)
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"mIRC" = mIRC
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NOD32" = NOD32 antivirus system
"NVIDIA Drivers" = NVIDIA Drivers
"PianoFX STUDIO 4.0_is1" = PianoFX STUDIO 4.0
"RealPlayer 6.0" = RealPlayer
"Recuva" = Recuva
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"SpeedFan" = SpeedFan (remove only)
"SystemRequirementsLab" = System Requirements Lab
"TightVNC_is1" = TightVNC 1.3.10
"TVersity Codec Pack" = TVersity Codec Pack 1.2
"TVersity Media Server " = TVersity Media Server 1.6 Beta
"Ultravnc2_is1" = UltraVNC 1.0.8.2
"VLC media player" = VLC media player 0.9.8a
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/11/2010 11:16:51 PM | Computer Name = MEMO3 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 5/11/2010 11:30:47 PM | Computer Name = MEMO3 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x02886a72.

Error - 5/11/2010 11:42:14 PM | Computer Name = MEMO3 | Source = Userenv | ID = 1508
Description = Windows was unable to load the registry. This is often caused by insufficient
memory or insufficient security rights. DETAIL - The process cannot access the
file because it is being used by another process. for E:\Documents and Settings\Admin.MEMO3\ntuser.dat

Error - 5/11/2010 11:42:16 PM | Computer Name = MEMO3 | Source = Userenv | ID = 1502
Description = Windows cannot load the locally stored profile. Possible causes of
this error include insufficient security rights or a corrupt local profile. If
this problem persists, contact your network administrator. DETAIL - The process
cannot access the file because it is being used by another process.

Error - 5/11/2010 11:42:17 PM | Computer Name = MEMO3 | Source = Userenv | ID = 1515
Description = Windows has backed up this user's profile. Windows will automatically
try to use the backed up profile the next time this user logs on.

Error - 5/11/2010 11:42:17 PM | Computer Name = MEMO3 | Source = Userenv | ID = 1511
Description = Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you log off.

Error - 5/12/2010 12:49:04 AM | Computer Name = MEMO3 | Source = TVersityMediaServer | ID = 0
Description =

Error - 5/12/2010 1:07:15 AM | Computer Name = MEMO3 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00e36a72.

Error - 5/12/2010 6:52:19 AM | Computer Name = MEMO3 | Source = TVersityMediaServer | ID = 0
Description =

Error - 5/12/2010 11:42:48 PM | Computer Name = MEMO3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

[ OSession Events ]
Error - 4/25/2009 12:18:50 AM | Computer Name = MEMO3 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 22 seconds with 0 seconds of active time. This session ended with a crash.

Error - 4/25/2009 12:19:33 AM | Computer Name = MEMO3 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 10 seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 5/12/2010 4:14:06 PM | Computer Name = MEMO3 | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/12/2010 4:14:51 PM | Computer Name = MEMO3 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 5/13/2010 7:51:55 PM | Computer Name = MEMO3 | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/13/2010 7:52:29 PM | Computer Name = MEMO3 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 5/13/2010 8:16:55 PM | Computer Name = MEMO3 | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/13/2010 8:17:32 PM | Computer Name = MEMO3 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 5/13/2010 8:34:54 PM | Computer Name = MEMO3 | Source = Service Control Manager | ID = 7034
Description = The TVersityMediaServer service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/13/2010 8:44:28 PM | Computer Name = MEMO3 | Source = ParVdm | ID = 458754
Description = Unable to get device object pointer for port object.

Error - 5/13/2010 8:45:29 PM | Computer Name = MEMO3 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 5/13/2010 8:47:00 PM | Computer Name = MEMO3 | Source = Service Control Manager | ID = 7022
Description = The NOD32 Kernel Service service hung on starting.


< End of report >


And lastly the MWB log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4098

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

5/13/2010 8:26:35 PM
mbam-log-2010-05-13 (20-26-35).txt

Scan type: Quick scan
Objects scanned: 226505
Time elapsed: 14 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{lms03ab-b707-11d2-9cbd-0000f87a369e} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Refog Software (Refog.Keylogger) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_1 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_2 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\option_3 (Rootkit.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (www.9348.cn/?205486) Good: (http://www.google.com) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (www.9348.cn/?205486) Good: (http://www.google.com) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.9348.cn/?205486) Good: (http://www.Google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.9348.cn/?205486) Good: (http://www.Google.com/) -> No action taken.

Folders Infected:
E:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> No action taken.

Files Infected:
E:\appmgmts.dll (Trojan.Dropper) -> No action taken.
E:\shsvcs.dll (Trojan.Dropper) -> No action taken.
E:\mspmsnsv.dll (Trojan.Dropper) -> No action taken.
E:\xmlprov.dll (Trojan.Dropper) -> No action taken.
E:\ntmssvc.dll (Trojan.Dropper) -> No action taken.
E:\upnphost.dll (Trojan.Dropper) -> No action taken.
E:\qmgr.dll (Trojan.Dropper) -> No action taken.
E:\mswsock.dll (Trojan.Dropper) -> No action taken.
E:\browser.dll (Trojan.Dropper) -> No action taken.
E:\cryptsvc.dll (Trojan.Dropper) -> No action taken.
E:\pchsvc.dll (Trojan.Dropper) -> No action taken.
E:\schedsvc.dll (Trojan.Dropper) -> No action taken.
E:\6to4.dll (Trojan.Dropper) -> No action taken.
E:\WINDOWS\system32\appmgmts.dll (Trojan.Dropper) -> No action taken.
E:\Documents and Settings\Administrator.MEMO.000\Application Data\Microsoft\Internet Explorer\Quick Launch\ Internet Explorer .lnk (Hijack.Trace) -> No action taken.


Thanks a lot for your time, hope this helps.
  • 0

#5
RKinner

    Malware Expert

  • Expert
  • 23,716 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

File::
e:\windows\system32\drivers\ikajl.sys
e:\windows\system32\drivers\hfxp2.sys
e:\docume~1\ADMINI~1.000\LOCALS~1\Temp\ALSysIO.sys
e:\windows\system32\75.tmp
e:\windows\system32\Wibettin32.exe
e:\windows\system32\Wihke32.exe
e:\windows\system32\Wiyselp32.exe
e:\windows\system32\xzzoip.exe

Driver::
cwwhwh
HFXP2
ALSysIO
MEMSWEEP2
Wibettin32
Wihkep32
Wiyselp32
xzzoip
26E62FDE

Folder::

RootKit::
E:\WINDOWS\System32\drivers\26E62FDE.sys
E:\WINDOWS\System32\fvhm.dll


******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to george and let it start as before.

Post the new log.

Copy the text between the lines of stars by highlighting (click once just in front of the :OTL, then scroll down to the bottom, hold the Shift key down and click at the end of the last line before the stars) and Ctrl + C.
***************************************************************************************************
:OTL
SRV - File not found [Disabled | Stopped] -- -- (xzzoip)
SRV - File not found [Disabled | Stopped] -- -- (Wiyselp32)
SRV - File not found [Disabled | Stopped] -- -- (Wihkep32)
SRV - File not found [Disabled | Stopped] -- -- (Wibettin32)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.9348.cn/?205486
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.9348.cn/?205486
O32 - AutoRun File - [2007/10/24 15:00:56 |
O32 - AutoRun File - [2005/08/05 10:06:50 | 000,000,194 | ---- | M] () - C:\AUTOEXEC.NS0 -- [ FAT32 ]
O32 - AutoRun File - [2006/08/17 13:48:56 | 000,000,289 | ---- | M] () - C:\autoexec.nav -- [ FAT32 ]
O32 - AutoRun File - [2007/10/23 22:11:30 | 000,000,378 | -HS- | M] () - C:\AUTOEXEC.WIN -- [ FAT32 ]
O32 - AutoRun File - [2004/08/12 23:39:06 | 000,000,000 | -H-- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/05/03 20:55:06 | 000,232,448 | ---- | M] () - G:\AutoSHSH-3.1.3+3.2--RC2.exe -- [ NTFS ]
NetSvcs: 6to4 - \6to4.dll ()
NetSvcs: AppMgmt - E:\WINDOWS\system32\appmgmts.dll (Shenzhen QVOD Technology Co.,Ltd)
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\0018A081.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00103D1A.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00100159.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00074880.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\0004C1D5.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\00046C91.new
[2010/05/11 21:36:12 | 000,003,584 | ---- | C] () -- E:\WINDOWS\System32\0003FB2A.new
[2010/05/11 14:12:45 | 000,000,086 | ---- | C] () -- E:\WINDOWS\System32\tempc.bat
[2010/05/11 14:12:45 | 000,000,056 | ---- | C] () -- E:\WINDOWS\System32\temp2.bat
[2010/05/11 14:12:45 | 000,000,000 | ---- | C] () -- E:\WINDOWS\System32\xzzoip_svr.dat
[2010/05/11 14:11:30 | 000,003,262 | ---- | C] () -- E:\WINDOWS\Ա.ico
[2010/05/10 23:28:23 | 003,888,054 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\pjhreak.bmp
[2010/05/05 22:18:49 | 003,888,054 | ---- | C] () -- E:\Documents and Settings\Administrator.MEMO.000\Desktop\untitled.bmp
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\shsvcs.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\mspmsnsv.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\xmlprov.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\ntmssvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\upnphost.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\qmgr.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\mswsock.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\browser.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\cryptsvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\pchsvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\schedsvc.dll
[2004/08/03 20:55:30 | 000,050,289 | ---- | M] (Shenzhen QVOD Technology Co.,Ltd) -- E:\6to4.dll

:Files
E:\WINDOWS\System32\drivers\26E62FDE.sys
E:\WINDOWS\System32\fvhm.dll

:Commands
[purity]
[emptytemp]
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done.

Copy the text in the code box:

/md5start
shsvcs.dll
mspmsnsv.dll
xmlprov.dll
ntmssvc.dll
upnphost.dll
qmgr.dll
mswsock.dll
browser.dll
cryptsvc.dll
pchsvc.dll
schedsvc.dll
6to4.dll
appmgmts.dll 
/md5stop

Open OTL again, paste the above into the custom scan box then click the Quick Scan button. Post the log it produces in your next reply.

Ron

Edited by RKinner, 15 May 2010 - 03:07 PM.

  • 0

#6
RKinner

    Malware Expert

  • Expert
  • 23,716 posts
  • MVP
Since we can't see the hosts file you will need to fix the permissions. Boot into Safe Mode. Then go to:

e:\windows\system32\drivers\etc\hosts and right click on it. Select Properties then Security. Normally we want Administrators and System to have Full Control. If they don't then select one then Edit then check Full Control and OK. Repeat for the other one.

Ron

(I get the feeling you know how to do the above. If you need more instructions let me know.)
  • 0

#7
dogmaster

    New Member

  • Topic Starter
  • Member
  • 7 posts
Okay, thanks!
I won't have access to the computer until tomorrow; I will update and tell you what happens.
Again, thank you for your time, Ron.
  • 0

#8
RKinner

    Malware Expert

  • Expert
  • 23,716 posts
  • MVP
The hosts file can be edited using notepad once you gain full control. It really only needs one line:

127.0.0.1 localhost

Lines starting with # are comments and are ignored.

Ron
  • 0
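To make Ron's rule above checkable, here is an added example (not from the thread or from any tool it mentions) that parses a hosts file the way the resolver reads it, ignoring comments and blank lines, and reports every mapping other than the plain localhost line. The sample hosts text, hostnames and addresses in it are constructed for the example.

```python
"""Audit a Windows hosts file for hijack-style entries.

The only entry a stock hosts file needs is '127.0.0.1 localhost';
lines starting with '#' are comments. Anything else deserves a look.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: list[str] = field(default_factory=list)


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text into entries, ignoring comments and blank lines.

    Handles CRLF line endings, tab/space separation, trailing '# ...'
    comments and a BOM some editors prepend. Hostnames are lower-cased
    because the resolver matches them case-insensitively.
    """
    entries = []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing; skip it
        entries.append(HostsEntry(lineno, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def audit_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, category, detail) for every non-localhost mapping.

    Categories:
      redirect  - a hostname resolves to a non-loopback address (classic
                  hijack: the browser lands somewhere the user did not type)
      blocked   - a non-localhost hostname is pinned to loopback or 0.0.0.0
                  (ad-blocking does this, but so does malware that wants to
                  stop antivirus or Windows Update from reaching its servers)
      malformed - the address field is not an IP address at all
    """
    findings = []
    for e in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(e.address)
        except ValueError:
            findings.append((e.lineno, "malformed", f"{e.address!r} is not an IP address"))
            continue
        for name in e.names:
            if ip.is_loopback and name == "localhost":
                continue  # the one entry that belongs there
            if ip.is_loopback or ip.is_unspecified:
                findings.append((e.lineno, "blocked", f"{name} -> {ip}"))
            else:
                findings.append((e.lineno, "redirect", f"{name} -> {ip}"))
    return findings


def is_clean(text: str) -> bool:
    """True when the file holds nothing but comments and localhost mappings."""
    return not audit_hosts(text)


# Constructed sample of what a tampered hosts file might look like; the
# hostnames and addresses are made up for this example.
SAMPLE_HIJACKED = (
    "# sample hosts file (constructed)\r\n"
    "#\r\n"
    "127.0.0.1       localhost\r\n"
    "127.0.0.1       update.example-antivirus.test   # stops signature updates\r\n"
    "0.0.0.0         windowsupdate.example.test\r\n"
    "203.0.113.45    www.example-search.test www.Example-Bank.test\r\n"
    "not-an-ip       something.test\r\n"
)

# What Ron describes: comments plus the localhost line(s) only.
SAMPLE_CLEAN = "# comments only\r\n\r\n127.0.0.1 localhost\r\n::1 localhost\r\n"

if __name__ == "__main__":
    for lineno, category, detail in audit_hosts(SAMPLE_HIJACKED):
        print(f"line {lineno}: {category:9} {detail}")
    print("clean file passes:", is_clean(SAMPLE_CLEAN))
```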

#9
dogmaster

    New Member

  • Topic Starter
  • Member
  • 7 posts
Ok, so followed your first steps for the Combofix script.
It worked wonderfully, I verified my hosts file was now working normally, and that my homepage was no longer being changed.

Hooray!

But I went on and ran the OTL thing anyway.
This is where it all went to [bleep] :)

I restarted after the scan and the computer was acting a bit odd: it would stay at a blank screen for some while before launching explorer.exe, and when it started, my internet wasn't working, the network service couldn't be launched, my audio was half uninstalled and there was a new device for DRM audio with conflicts.

I tried fixing this by reinstalling both the network and audio devices.
Installed them, restarted

And blue STOP screen.

Now it obviously seems like there was some kind of conflict with the driver installation, but I do not know how that could be; drivers were automatically reinstalled and it's the same hardware as ever.

Safe mode returns the same blue screen, as well as last known configuration.


Kind of reminds me of this comic:
http://xkcd.com/349/

Well, I figured the only thing that can help me now is a Windows XP CD repair, and if that doesn't work, a repair install.

I'm on that now.

I'm curious though: ComboFix says it was making a restore point; is there any way of returning to said point?

I will update on new developments, and thanks.

#10 RKinner, Malware Expert (Expert, MVP, 23,716 posts)
If you can get to Safe Mode with Command Prompt you can do a system restore:

1. Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.
2. Use the arrow keys to select the Safe mode with a Command prompt option.
3. If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.
4. Log on as an administrator or with an account that has administrator credentials.
5. At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.
6. Follow the instructions that appear on the screen to restore your computer to a functional state.

I had OTL remove the c:\autoexec.bat file by mistake. If you can burn a bootable CD you can use Avira's Rescue disk
http://www.free-av.c...cue_system.html
to go in and put it back. I think OTL hides the stuff it removes in C:\_OTL. Not sure that was the problem but worth a shot.

Another possibility that might have annoyed it was this line:
NetSvcs: AppMgmt - E:\WINDOWS\system32\appmgmts.dll (Shenzhen QVOD Technology Co.,Ltd)

There should not be AppMgmt under NetSvcs, but the file might be used elsewhere, so it might be worth putting it back too, though I would find another one rather than the one we pulled.

There is also a way with the rescue disk to revert back to a saved restore point.

http://www.winhelpon...re-snapshot-xp/


Ron

Edited by RKinner, 15 May 2010 - 03:29 PM.


#11 dogmaster, New Member (Topic Starter, Member, 7 posts)
Ok, updating with the newest developments.
It's been one [bleep] of a ride.
That bleep is the forum censoring the opposite of heaven :)

I told you I was trying to run a repair install, but when the install was executing, I got an error about reading amsms from the CD.
The CD was fine; however, I could not interact in any way with this screen since my keyboard and mouse became unresponsive.
I looked around a bit and found out that was a pretty common problem, and everyone solved it in a different way. I tried several methods (copying the files directly, disconnecting drives, another keyboard and mouse, etc.) to no avail.
Now I couldn't log in normally or in safe mode, as it always tried to repair install. So I googled the way to clear the repair install "flags" and edited the registry to do this.
This left me with a Windows now complaining about licenses, but able to at least start booting.
However, the keyboard and mouse problem carried over to safe and normal boots, and the stop errors now happened in a random fashion, so I was pretty much stuck; the keyboard wouldn't even listen when trying to cancel the boot-up chkdsk.

I then saw your reply and decided to try a way to restore back the registry.

I couldn't use the safe mode console because of the stop errors and the whole not having a keyboard.

So I used a registry restore tool on UBCD, as it is the tool I have handy, and it made my computer bootable again, with correct network and sound drivers, and midway through the virus removal. Now the only thing that is out of place is a broken Daemon Tools, but that got broken by ComboFix and I don't really mind for now.

I got some weird errors on some programs I usually run, and I figured it was due to the registry being older than some files the programs use, so to make everything consistent I ran System Restore and it is currently running, albeit slowly.

Tomorrow I shall post logs for the OTL and ComboFix tools to see at what step we are on the removal; I figure this time it shouldn't be as catastrophic.

Again, thank you for your time, Ron. You do a great job helping a community that keeps asking for help and I'm sure oftentimes does not even appreciate it.

#12 dogmaster, New Member (Topic Starter, Member, 7 posts)
Okay, Got everything fixed and running.

Another pass of combofix cleaned everything up.
For some reason I still had to reinstall video drivers, but that's OK.

The error with my programs was due to IExplorer installation being faulty after all the process.

Thank you for your time Ron, you may close the topic now, I hope it helps anyone with the same problem.
