Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan malware [RESOLVED]


  • This topic is locked This topic is locked

#1
aquevedo831

aquevedo831

    Member

  • Member
  • PipPipPip
  • 215 posts
Hey I have noticed my laptop has been running slow. I have run norton 360 various times to clean my trojan problem but it just keeps popping up and i have not noticed an improvement on my system. Here is my hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:45:30 p.m., on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Archivos de programa\Startup Faster\sfAgent.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\CheckPoint\ZAForceField\ForceField.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\MI3AA1~1\rapimgr.exe
C:\Archivos de programa\CheckPoint\ZAForceField\ISWMGR.exe
C:\Archivos de programa\CheckPoint\ZAForceField\ISWMGR.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\CheckPoint\ZAForceField\ISWMGR.exe
C:\Archivos de programa\CheckPoint\ZAForceField\ISWMGR.exe
C:\Archivos de programa\CheckPoint\ZAForceField\Plugins\ISWUPDE.exe
C:\Archivos de programa\CheckPoint\ZAForceField\Plugins\ISWUPDE.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Archivos de programa\Archivos comunes\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Archivos de programa\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARCHIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7763 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Rename HijackThis.exe to aque.exe


Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
aquevedo831

aquevedo831

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Here are my logs



ComboFix 08-04-26.3 - Arturo 2008-04-30 13:12:25.1 - NTFSx86
Se ejecuta desde: C:\Documents and Settings\Arturo\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\Arturo\Escritorio\WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe
* Creado un nuevo punto de restauración
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BKUtAJlm.ini
C:\WINDOWS\system32\BKUtAJlm.ini2
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\eigtgkyg.dll
C:\WINDOWS\system32\gykgtgie.ini
C:\WINDOWS\system32\iddswxjf.dll
C:\WINDOWS\system32\kipvemkw.ini
C:\WINDOWS\system32\mlJAtUKB.dll
C:\WINDOWS\system32\mlJBUNGx.dll
C:\WINDOWS\system32\MSDJmnpo.ini
C:\WINDOWS\system32\MSDJmnpo.ini2
C:\WINDOWS\system32\mtfrbpya.ini
C:\WINDOWS\system32\nnnnOiIY.dll
C:\WINDOWS\system32\ojkpatvj.ini
C:\WINDOWS\system32\opnmJDSM.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\urqNEWOh.dll
C:\WINDOWS\system32\urqNEXqo.dll
C:\WINDOWS\system32\utwEOqru.ini
C:\WINDOWS\system32\utwEOqru.ini2
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


(((((((((((((((((( Archivos creados desde 2008-03-28 - 2008-04-30 )))))))))))))))))))))))))))))))))
.

2008-04-29 12:54 . 2008-04-29 12:54 <DIR> d--hs---- C:\Diskeeper
2008-04-29 08:53 . 2008-04-29 08:53 <DIR> d-------- C:\Documents and Settings\Arturo\Datos de programa\CheckPoint
2008-04-29 08:51 . 2008-04-29 08:51 <DIR> d-------- C:\Archivos de programa\CheckPoint
2008-04-29 08:51 . 2008-04-29 08:51 144 --a------ C:\WINDOWS\system32\lkfl.dat
2008-04-29 08:51 . 2008-04-29 08:51 128 --a------ C:\WINDOWS\system32\pdfl.dat
2008-04-29 08:51 . 2008-04-29 08:51 96 --a------ C:\WINDOWS\system32\ibfl.dat
2008-04-28 20:19 . 2008-04-28 20:19 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_94591.LOG
2008-04-28 20:19 . 2008-04-28 20:19 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_13813.LOG
2008-04-28 20:19 . 2008-04-28 20:19 0 --ah----- C:\Documents and Settings\Arturo\NTUSER.DAT_TU_15548.LOG
2008-04-28 18:00 . 2008-04-28 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Diskeeper Corporation
2008-04-28 12:46 . 2008-04-28 12:46 <DIR> dr-h----- C:\Documents and Settings\LocalService\Reciente
2008-04-27 17:31 . 2008-04-27 17:31 <DIR> d-------- C:\Documents and Settings\Arturo\Datos de programa\URSoft
2008-04-27 17:31 . 2008-04-27 19:15 <DIR> d-------- C:\Archivos de programa\Startup Faster
2008-04-24 20:59 . 2008-04-25 13:06 1,509,159 ---hs---- C:\WINDOWS\system32\vpkkvcoe.ini
2008-04-24 20:50 . 2008-04-30 10:36 109,743 --a------ C:\WINDOWS\BM67f45701.xml
2008-04-24 20:47 . 2008-04-24 20:47 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2008-04-24 08:34 . 2008-04-30 10:28 <DIR> d-------- C:\Documents and Settings\Arturo\Datos de programa\Hide IP NG
2008-04-24 08:31 . 2008-04-29 13:22 <DIR> d-a------ C:\Documents and Settings\All Users\Datos de programa\TEMP
2008-04-24 08:29 . 2008-04-28 21:26 <DIR> d-------- C:\Archivos de programa\SpeedFan
2008-04-24 08:29 . 2008-04-24 08:29 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-04-19 13:46 . 2008-04-19 13:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:46 . 2008-04-19 13:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 09:00 . 2008-04-15 09:00 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-04-13 16:56 . 2008-04-13 16:56 <DIR> d-------- C:\Archivos de programa\Microsoft ActiveSync
2008-04-13 16:56 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 16:56 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 16:49 . 2008-04-13 16:49 <DIR> d-------- C:\Archivos de programa\Windows Mobile Device Handbook
2008-04-11 15:17 . 2008-04-11 15:17 5 --a------ C:\stgs4.temp
2008-04-11 15:17 . 2008-04-11 15:17 5 --a------ C:\stgs1.temp
2008-03-25 12:49 . 2008-03-25 12:49 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-25 12:49 . 2008-03-25 12:49 4,608 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-22 16:54 . 2006-11-25 09:02 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-03-22 16:54 . 2006-11-25 09:02 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-03-21 22:34 . 2008-04-17 07:04 <DIR> d-------- C:\Archivos de programa\XeroBank
2008-03-19 13:40 . 2008-04-18 22:32 <DIR> d-------- C:\Archivos de programa\Thief2
2008-03-19 13:40 . 2008-03-19 13:40 264 --a------ C:\WINDOWS\_delis32.ini
2008-03-14 20:16 . 2004-07-09 08:41 1,237,095 --------- C:\WINDOWS\system32\BCMWLCPL.CPL
2008-03-14 20:16 . 2004-07-09 08:41 913,408 --------- C:\WINDOWS\system32\AegisE5.dll
2008-03-14 20:16 . 2004-07-09 08:41 671,846 --------- C:\WINDOWS\system32\BCMWLTRY.EXE
2008-03-14 20:16 . 2004-07-09 08:41 110,592 --------- C:\WINDOWS\system32\AegisI5.exe
2008-03-14 20:16 . 2004-07-09 08:41 81,920 --------- C:\WINDOWS\system32\wltrynt.dll
2008-03-14 20:16 . 2004-07-09 08:41 69,632 --------- C:\WINDOWS\system32\BCMLogon.dll
2008-03-14 20:16 . 2004-07-09 08:41 45,056 --------- C:\WINDOWS\system32\WLTRYSVC.EXE
2008-03-14 20:16 . 2008-03-14 20:19 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-03-11 12:38 . 2008-03-11 12:38 <DIR> d-------- C:\Archivos de programa\Diskeeper Corporation
2008-03-08 13:17 . 2008-03-08 13:17 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_56555.LOG
2008-03-08 13:17 . 2008-03-08 13:17 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_14818.LOG
2008-03-08 13:17 . 2008-03-08 13:17 0 --ah----- C:\Documents and Settings\Arturo\NTUSER.DAT_TU_86567.LOG
2008-03-03 12:42 . 2008-03-03 12:43 <DIR> d-------- C:\Archivos de programa\QuickTime
2008-03-02 20:49 . 2008-03-02 20:51 <DIR> d-------- C:\Archivos de programa\MagicDisc
2008-03-02 20:49 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-03-02 20:25 . 2008-03-02 20:26 <DIR> d-------- C:\Archivos de programa\The Rosetta Stone

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 15:54 --------- d-----w C:\Archivos de programa\Archivos comunes\Symantec Shared
2008-04-29 21:14 --------- d-----w C:\Archivos de programa\Norton 360
2008-04-29 16:20 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Symantec
2008-04-29 13:43 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Microsoft Help
2008-04-29 02:59 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\LimeWire
2008-04-29 02:59 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\Azureus
2008-04-28 18:22 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\uTorrent
2008-04-25 20:00 --------- d-----w C:\Archivos de programa\Norton Security Scan
2008-04-25 02:03 2,324,224 ----a-w C:\WINDOWS\system32\TUKernel.exe
2008-04-25 01:47 --------- d-----w C:\Archivos de programa\Styler
2008-04-19 03:32 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2008-04-19 03:32 --------- d-----w C:\Archivos de programa\CyberLink
2008-04-19 03:22 --------- d-----w C:\Archivos de programa\Pocket Tanks Deluxe
2008-04-03 02:09 --------- d-----w C:\Archivos de programa\Opera
2008-04-01 17:51 --------- d-----w C:\Archivos de programa\Acoustica MP3 CD Burner
2008-03-25 18:35 --------- d-----w C:\Archivos de programa\Azureus
2008-03-22 15:33 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\U3
2008-03-20 07:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-09 01:25 --------- d-----w C:\Archivos de programa\MSN Messenger
2008-03-08 17:47 --------- d-----w C:\Archivos de programa\eMule
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:50 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-15 03:34 24,192 ----a-w C:\Documents and Settings\Arturo\usbsermptxp.sys
2008-02-15 03:34 22,768 ----a-w C:\Documents and Settings\Arturo\usbsermpt.sys
2008-01-22 14:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-08 18:56 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2007-09-12 03:09 94,080 ----a-w C:\Documents and Settings\Arturo\Datos de programa\ezplay.sys
2007-09-12 03:09 87,608 ----a-w C:\Documents and Settings\Arturo\Datos de programa\ezpinst.exe
2007-09-12 03:08 47,360 ----a-w C:\Documents and Settings\Arturo\Datos de programa\pcouffin.sys
2007-07-29 16:28 348 ----a-w C:\Archivos de programa\explore2fs debug log.txt
2005-04-02 01:02 838,656 ----a-w C:\Archivos de programa\explore2fs.exe
2005-04-02 00:49 5,712 ----a-w C:\Archivos de programa\readme.txt
2005-04-02 00:48 7,073 ----a-w C:\Archivos de programa\changes.txt
1999-07-21 22:45 25,956 ----a-w C:\Archivos de programa\diskio2.dll
1998-06-19 17:29 17,984 ----a-w C:\Archivos de programa\copying.txt
2008-01-10 21:26 8 --sh--r C:\WINDOWS\system32\9484BB0017.sys
2008-01-10 21:26 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}]
C:\WINDOWS\system32\urqNEWOh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2008-04-28 03:57 453904 --a------ C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE630558-E782-4864-8252-CC259A635594}]
C:\WINDOWS\system32\opnmJDSM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3976CBC-F1F5-4716-BC3D-1D1C5661BF5C}]
C:\WINDOWS\system32\mlJAtUKB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= "C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll" [2008-04-28 03:57 453904]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2008-04-28 03:57 453904]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 08:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM67f45701"="C:\WINDOWS\system32\iddswxjf.dll" [ ]
"64c7649d"="C:\WINDOWS\system32\eigtgkyg.dll" [ ]
"combofix"="C:\WINDOWS\system32\CF18145.exe" [2004-08-19 08:42 402944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 08:42 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\urqNEWOh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNEWOh]
urqNEWOh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupFaster]
--a------ 2007-12-07 21:19 1631456 C:\Archivos de programa\Startup Faster\startuploader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"RemoteRegistry"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec PIF AlertEng"="C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Archivos de programa\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Archivos de programa\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Archivos de programa\\Opera\\Opera.exe"=
"C:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"C:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"C:\\Archivos de programa\\eMule\\emule.exe"=
"C:\\Archivos de programa\\Azureus\\Azureus.exe"=
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"=
"C:\\Archivos de programa\\Diskeeper Corporation\\Diskeeper\\Diskeeper.exe"=
"C:\Archivos de programa\Microsoft ActiveSync\rapimgr.exe"= C:\Archivos de programa\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"= C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Archivos de programa\Microsoft ActiveSync\WCESMgr.exe"= C:\Archivos de programa\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Si3112;Si3112;C:\WINDOWS\system32\drivers\Si3112.sys [2006-12-07 00:06]
R2 IswSvc;ForceField IswSvc;"C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe" [2008-04-28 03:57]
R2 UxTuneUp;TuneUp Ampliación del thema;C:\WINDOWS\System32\svchost.exe [2004-08-19 08:43]
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2001-12-18 00:54]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 15:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 15:04]
R3 FA312;Controlador de adaptador Fast Ethernet NETGEAR FA330/FA312/FA311;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2006-11-25 03:01]
S3 icsak;icsak;C:\Archivos de programa\CheckPoint\ZAForceField\AK\icsak.sys [2008-04-28 03:57]
S3 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-08 13:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a478ba40-3df0-11dc-a188-00904b5a5e56}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae43f400-6869-11dc-a1ef-00904b5a5e56}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b008c520-678c-11dc-a1ed-00904b5a5e56}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf07135-caf6-11dc-a298-000f20ca7d72}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contenido de carpeta 'Tareas Programadas'
"2008-04-25 22:56:49 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Archivos de programa\TuneUp Utilities 2008\OneClick.exe
"2008-04-28 16:00:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 21:03:14 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Archivos de programa\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 13:28:56
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\logon.scr
.
**************************************************************************
.
Tiempo completado: 2008-04-30 13:39:23 - machine was rebooted [Arturo]
ComboFix-quarantined-files.txt 2008-04-30 18:39:10

17 dirs 6,543,970,304 bytes libres
22 dirs 6,516,973,568 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=1H1735 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=1H1735-BAK
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

278 --- E O F --- 2008-04-17 15:46:55




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:04 p.m., on 30/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Opera\Opera.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Archivos de programa\Archivos comunes\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C006E7-2F52-46A4-B15A-DFC5102EC74E}: NameServer = 69.49.208.10 69.7.80.10
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARCHIV~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: urqNEWOh - urqNEWOh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7834 bytes
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vpkkvcoe.ini
C:\WINDOWS\BM67f45701.xml
E:\LaunchU3.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a478ba40-3df0-11dc-a188-00904b5a5e56}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae43f400-6869-11dc-a1ef-00904b5a5e56}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b008c520-678c-11dc-a1ed-00904b5a5e56}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf07135-caf6-11dc-a298-000f20ca7d72}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\TUKernel.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



Reboot and post a new HijackThis log
  • 0

#5
aquevedo831

aquevedo831

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Here are my logs:

File TUKernel.exe received on 05.03.2008 04:09:20 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 46 and 66 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.02 -
AntiVir 7.8.0.11 2008.05.02 -
Authentium 4.93.8 2008.05.02 -
Avast 4.8.1169.0 2008.05.03 -
AVG 7.5.0.516 2008.05.03 -
BitDefender 7.2 2008.05.03 -
CAT-QuickHeal 9.50 2008.05.02 -
ClamAV 0.92.1 2008.05.02 -
DrWeb 4.44.0.09170 2008.05.02 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5755 2008.05.03 -
Ewido 4.0 2008.05.02 -
F-Prot 4.4.2.54 2008.05.02 -
F-Secure 6.70.13260.0 2008.05.02 -
FileAdvisor 1 2008.05.03 -
Fortinet 3.14.0.0 2008.05.02 -
Ikarus T3.1.1.26.0 2008.05.03 -
Kaspersky 7.0.0.125 2008.05.03 -
McAfee 5287 2008.05.02 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3072 2008.05.03 -
Norman 5.80.02 2008.05.02 -
Panda 9.0.0.4 2008.05.03 -
Prevx1 V2 2008.05.03 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.03 -
Sunbelt 3.0.1097.0 2008.05.01 -
Symantec 10 2008.05.03 -
TheHacker 6.2.92.298 2008.04.30 -
VBA32 3.12.6.5 2008.05.02 -
VirusBuster 4.3.26:9 2008.05.02 -
Webwasher-Gateway 6.6.2 2008.05.02 -
Additional information
File size: 2324224 bytes
MD5...: 6a5ed0f0e2dbbc968fe2a679f538bb50
SHA1..: dc4c2743e7be08ceacf8225902472b66ec346cbe
SHA256: 4317e01d473921c7742f612f4ae4329866f68c7986a186f41c8157cc388965e0
SHA512: 3ed8b9cc5a13f07425cac3085e963a7ab40a82ed7d18c82620122cf622ac71cc
327d9b12f0c507705b301e5578cd4d217817044496adad5878d2625664b038c3
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5d5cf6
timedatestamp.....: 0x45e55172 (Wed Feb 28 09:54:58 2007)
machinetype.......: 0x14c (I386)

( 21 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x580 0x71be1 0x71c00 6.62 ea363965bb9c8b6f3c1f2f13c0379e9c
POOLMI 0x72180 0x12b3 0x1300 6.32 b35f76aaa61aacdcbd79da4c5ab00aa8
MISYSPTE 0x73480 0x700 0x700 6.27 edd9962ea2e18becbf32fd9ae7c23c3e
POOLCODE 0x73b80 0x15a0 0x1600 6.41 b2856070ca09ab32663da786c9bce17b
.data 0x75180 0x16d00 0x16d00 0.46 8e9445a1f089bf14cabf1f770e304e9b
PAGE 0x8be80 0xf91bc 0xf9200 6.65 93088e771a476920c6dc0e5a62d3ab6d
PAGELK 0x185080 0xe3d9 0xe400 6.72 734014999565eea4502c9ce324bf230c
PAGEVRFY 0x193480 0xf1cd 0xf200 6.68 8c98d4384180878da0a5b44d85efd3c5
PAGEWMI 0x1a2680 0x17fd 0x1800 6.48 da9d1cedbbb924a11196cfbc039d285a
PAGEKD 0x1a3e80 0x4052 0x4080 6.51 e90a2fc448f65cb35e800bcf54778b32
PAGESPEC 0x1a7f00 0xc43 0xc80 6.32 bbbb608db0966a33d2dd3c6edc5d45e8
PAGEHDLS 0x1a8b80 0x1dd8 0x1e00 6.25 79b9d594fabe67b806e74c67b250158e
.edata 0x1aa980 0xb57d 0xb580 6.01 7640a411c8c7b1740f99fa17cf557566
PAGEDATA 0x1b5f00 0x1558 0x1580 2.72 c51d8ed56ecf02db41104a7abdbb8f12
PAGEKD 0x1b7480 0xc021 0xc080 0.00 1bfa57725018607d4ccc71b6fcab69e5
PAGECONS 0x1c3500 0x18c 0x200 2.14 6743bab2b1df17c0621465e2a45e3c48
PAGEVRFC 0x1c3700 0x3449 0x3480 5.25 beeff017be4d8ca038c11c35bbb12e2e
PAGEVRFD 0x1c6b80 0x648 0x680 2.75 4919acc68846e7f58236dd894856ddfd
INIT 0x1c7200 0x2d838 0x2d880 6.52 a515ef3ec5131750300af906c6bfdd90
.rsrc 0x1f4a80 0x33264 0x33280 3.33 1c08fe6b0dcc210b5639729bdbdc0bda
.reloc 0x227d00 0xf9c0 0xfa00 6.78 a170c20ccdecf1a56ab53b85f9243344

( 3 imports )
> BOOTVID.dll: VidInitialize, VidDisplayString, VidSetTextColor, VidSolidColorFill, VidBitBlt, VidBufferToScreenBlt, VidScreenToBufferBlt, VidResetDisplay, VidCleanUp, VidSetScrollRegion
> HAL.dll: HalReportResourceUsage, HalAllProcessorsStarted, HalQueryRealTimeClock, HalAllocateAdapterChannel, KeStallExecutionProcessor, HalTranslateBusAddress, KfReleaseSpinLock, KfAcquireSpinLock, HalGetBusDataByOffset, HalSetBusDataByOffset, KeQueryPerformanceCounter, HalReturnToFirmware, READ_PORT_UCHAR, READ_PORT_USHORT, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_USHORT, WRITE_PORT_ULONG, HalInitializeProcessor, HalCalibratePerformanceCounter, HalSetRealTimeClock, HalHandleNMI, HalBeginSystemInterrupt, HalEndSystemInterrupt, KeRaiseIrqlToSynchLevel, KeAcquireInStackQueuedSpinLockRaiseToSynch, HalInitSystem, HalDisableSystemInterrupt, HalEnableSystemInterrupt, KeRaiseIrql, KeLowerIrql, HalClearSoftwareInterrupt, KeReleaseSpinLock, KeAcquireSpinLock, ExTryToAcquireFastMutex, KeAcquireSpinLockRaiseToSynch, KeFlushWriteBuffer, HalProcessorIdle, HalReadDmaCounter, IoMapTransfer, IoFreeMapRegisters, IoFreeAdapterChannel, IoFlushAdapterBuffers, HalFreeCommonBuffer, HalAllocateCommonBuffer, HalAllocateCrashDumpRegisters, HalGetAdapter, HalSetTimeIncrement, HalGetEnvironmentVariable, HalSetEnvironmentVariable, KfRaiseIrql, HalGetInterruptVector, KeGetCurrentIrql, HalRequestSoftwareInterrupt, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeRaiseIrqlToDpcLevel, HalSystemVectorDispatchEntry, KfLowerIrql, HalStartProfileInterrupt, HalSetProfileInterval, HalStopProfileInterrupt
> KDCOM.dll: KdD0Transition, KdD3Transition, KdRestore, KdReceivePacket, KdDebuggerInitialize0, KdSave, KdDebuggerInitialize1, KdSendPacket

( 1486 exports )
CcCanIWrite, CcCopyRead, CcCopyWrite, CcDeferWrite, CcFastCopyRead, CcFastCopyWrite, CcFastMdlReadWait, CcFastReadNotPossible, CcFastReadWait, CcFlushCache, CcGetDirtyPages, CcGetFileObjectFromBcb, CcGetFileObjectFromSectionPtrs, CcGetFlushedValidData, CcGetLsnForFileObject, CcInitializeCacheMap, CcIsThereDirtyData, CcMapData, CcMdlRead, CcMdlReadComplete, CcMdlWriteAbort, CcMdlWriteComplete, CcPinMappedData, CcPinRead, CcPrepareMdlWrite, CcPreparePinWrite, CcPurgeCacheSection, CcRemapBcb, CcRepinBcb, CcScheduleReadAhead, CcSetAdditionalCacheAttributes, CcSetBcbOwnerPointer, CcSetDirtyPageThreshold, CcSetDirtyPinnedData, CcSetFileSizes, CcSetLogHandleForFile, CcSetReadAheadGranularity, CcUninitializeCacheMap, CcUnpinData, CcUnpinDataForThread, CcUnpinRepinnedBcb, CcWaitForCurrentLazyWriterActivity, CcZeroData, CmRegisterCallback, CmUnRegisterCallback, DbgBreakPoint, DbgBreakPointWithStatus, DbgLoadImageSymbols, DbgPrint, DbgPrintEx, DbgPrintReturnControlC, DbgPrompt, DbgQueryDebugFilterState, DbgSetDebugFilterState, ExAcquireFastMutexUnsafe, ExAcquireResourceExclusiveLite, ExAcquireResourceSharedLite, ExAcquireRundownProtection, ExAcquireRundownProtectionEx, ExAcquireSharedStarveExclusive, ExAcquireSharedWaitForExclusive, ExAllocateFromPagedLookasideList, ExAllocatePool, ExAllocatePoolWithQuota, ExAllocatePoolWithQuotaTag, ExAllocatePoolWithTag, ExAllocatePoolWithTagPriority, ExConvertExclusiveToSharedLite, ExCreateCallback, ExDeleteNPagedLookasideList, ExDeletePagedLookasideList, ExDeleteResourceLite, ExDesktopObjectType, ExDisableResourceBoostLite, ExEnumHandleTable, ExEventObjectType, ExExtendZone, ExFreePool, ExFreePoolWithTag, ExFreeToPagedLookasideList, ExGetCurrentProcessorCounts, ExGetCurrentProcessorCpuUsage, ExGetExclusiveWaiterCount, ExGetPreviousMode, ExGetSharedWaiterCount, ExInitializeNPagedLookasideList, ExInitializePagedLookasideList, ExInitializeResourceLite, ExInitializeRundownProtection, ExInitializeZone, ExInterlockedAddLargeInteger, ExInterlockedAddLargeStatistic, ExInterlockedAddUlong, ExInterlockedCompareExchange64, ExInterlockedDecrementLong, ExInterlockedExchangeUlong, ExInterlockedExtendZone, ExInterlockedFlushSList, ExInterlockedIncrementLong, ExInterlockedInsertHeadList, ExInterlockedInsertTailList, ExInterlockedPopEntryList, ExInterlockedPopEntrySList, ExInterlockedPushEntryList, ExInterlockedPushEntrySList, ExInterlockedRemoveHeadList, ExIsProcessorFeaturePresent, ExIsResourceAcquiredExclusiveLite, ExIsResourceAcquiredSharedLite, ExLocalTimeToSystemTime, ExNotifyCallback, ExQueryPoolBlockSize, ExQueueWorkItem, ExRaiseAccessViolation, ExRaiseDatatypeMisalignment, ExRaiseException, ExRaiseHardError, ExRaiseStatus, ExReInitializeRundownProtection, ExRegisterCallback, ExReinitializeResourceLite, ExReleaseFastMutexUnsafe, ExReleaseResourceForThreadLite, ExReleaseResourceLite, ExReleaseRundownProtection, ExReleaseRundownProtectionEx, ExRundownCompleted, ExSemaphoreObjectType, ExSetResourceOwnerPointer, ExSetTimerResolution, ExSystemExceptionFilter, ExSystemTimeToLocalTime, ExUnregisterCallback, ExUuidCreate, ExVerifySuite, ExWaitForRundownProtectionRelease, ExWindowStationObjectType, ExfAcquirePushLockExclusive, ExfAcquirePushLockShared, ExfInterlockedAddUlong, ExfInterlockedCompareExchange64, ExfInterlockedInsertHeadList, ExfInterlockedInsertTailList, ExfInterlockedPopEntryList, ExfInterlockedPushEntryList, ExfInterlockedRemoveHeadList, ExfReleasePushLock, Exfi386InterlockedDecrementLong, Exfi386InterlockedExchangeUlong, Exfi386InterlockedIncrementLong, Exi386InterlockedDecrementLong, Exi386InterlockedExchangeUlong, Exi386InterlockedIncrementLong, FsRtlAcquireFileExclusive, FsRtlAddLargeMcbEntry, FsRtlAddMcbEntry, FsRtlAddToTunnelCache, FsRtlAllocateFileLock, FsRtlAllocatePool, FsRtlAllocatePoolWithQuota, FsRtlAllocatePoolWithQuotaTag, FsRtlAllocatePoolWithTag, FsRtlAllocateResource, FsRtlAreNamesEqual, FsRtlBalanceReads, FsRtlCheckLockForReadAccess, FsRtlCheckLockForWriteAccess, FsRtlCheckOplock, FsRtlCopyRead, FsRtlCopyWrite, FsRtlCreateSectionForDataScan, FsRtlCurrentBatchOplock, FsRtlDeleteKeyFromTunnelCache, FsRtlDeleteTunnelCache, FsRtlDeregisterUncProvider, FsRtlDissectDbcs, FsRtlDissectName, FsRtlDoesDbcsContainWildCards, FsRtlDoesNameContainWildCards, FsRtlFastCheckLockForRead, FsRtlFastCheckLockForWrite, FsRtlFastUnlockAll, FsRtlFastUnlockAllByKey, FsRtlFastUnlockSingle, FsRtlFindInTunnelCache, FsRtlFreeFileLock, FsRtlGetFileSize, FsRtlGetNextFileLock, FsRtlGetNextLargeMcbEntry, FsRtlGetNextMcbEntry, FsRtlIncrementCcFastReadNoWait, FsRtlIncrementCcFastReadNotPossible, FsRtlIncrementCcFastReadResourceMiss, FsRtlIncrementCcFastReadWait, FsRtlInitializeFileLock, FsRtlInitializeLargeMcb, FsRtlInitializeMcb, FsRtlInitializeOplock, FsRtlInitializeTunnelCache, FsRtlInsertPerFileObjectContext, FsRtlInsertPerStreamContext, FsRtlIsDbcsInExpression, FsRtlIsFatDbcsLegal, FsRtlIsHpfsDbcsLegal, FsRtlIsNameInExpression, FsRtlIsNtstatusExpected, FsRtlIsPagingFile, FsRtlIsTotalDeviceFailure, FsRtlLegalAnsiCharacterArray, FsRtlLookupLargeMcbEntry, FsRtlLookupLastLargeMcbEntry, FsRtlLookupLastLargeMcbEntryAndIndex, FsRtlLookupLastMcbEntry, FsRtlLookupMcbEntry, FsRtlLookupPerFileObjectContext, FsRtlLookupPerStreamContextInternal, FsRtlMdlRead, FsRtlMdlReadComplete, FsRtlMdlReadCompleteDev, FsRtlMdlReadDev, FsRtlMdlWriteComplete, FsRtlMdlWriteCompleteDev, FsRtlNormalizeNtstatus, FsRtlNotifyChangeDirectory, FsRtlNotifyCleanup, FsRtlNotifyFilterChangeDirectory, FsRtlNotifyFilterReportChange, FsRtlNotifyFullChangeDirectory, FsRtlNotifyFullReportChange, FsRtlNotifyInitializeSync, FsRtlNotifyReportChange, FsRtlNotifyUninitializeSync, FsRtlNotifyVolumeEvent, FsRtlNumberOfRunsInLargeMcb, FsRtlNumberOfRunsInMcb, FsRtlOplockFsctrl, FsRtlOplockIsFastIoPossible, FsRtlPostPagingFileStackOverflow, FsRtlPostStackOverflow, FsRtlPrepareMdlWrite, FsRtlPrepareMdlWriteDev, FsRtlPrivateLock, FsRtlProcessFileLock, FsRtlRegisterFileSystemFilterCallbacks, FsRtlRegisterUncProvider, FsRtlReleaseFile, FsRtlRemoveLargeMcbEntry, FsRtlRemoveMcbEntry, FsRtlRemovePerFileObjectContext, FsRtlRemovePerStreamContext, FsRtlResetLargeMcb, FsRtlSplitLargeMcb, FsRtlSyncVolumes, FsRtlTeardownPerStreamContexts, FsRtlTruncateLargeMcb, FsRtlTruncateMcb, FsRtlUninitializeFileLock, FsRtlUninitializeLargeMcb, FsRtlUninitializeMcb, FsRtlUninitializeOplock, HalDispatchTable, HalExamineMBR, HalPrivateDispatchTable, HeadlessDispatch, InbvAcquireDisplayOwnership, InbvCheckDisplayOwnership, InbvDisplayString, InbvEnableBootDriver, InbvEnableDisplayString, InbvInstallDisplayStringFilter, InbvIsBootDriverInstalled, InbvNotifyDisplayOwnershipLost, InbvResetDisplay, InbvSetScrollRegion, InbvSetTextColor, InbvSolidColorFill, InitSafeBootMode, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, IoAcquireCancelSpinLock, IoAcquireRemoveLockEx, IoAcquireVpbSpinLock, IoAdapterObjectType, IoAllocateAdapterChannel, IoAllocateController, IoAllocateDriverObjectExtension, IoAllocateErrorLogEntry, IoAllocateIrp, IoAllocateMdl, IoAllocateWorkItem, IoAssignDriveLetters, IoAssignResources, IoAttachDevice, IoAttachDeviceByPointer, IoAttachDeviceToDeviceStack, IoAttachDeviceToDeviceStackSafe, IoBuildAsynchronousFsdRequest, IoBuildDeviceIoControlRequest, IoBuildPartialMdl, IoBuildSynchronousFsdRequest, IoCallDriver, IoCancelFileOpen, IoCancelIrp, IoCheckDesiredAccess, IoCheckEaBufferValidity, IoCheckFunctionAccess, IoCheckQuerySetFileInformation, IoCheckQuerySetVolumeInformation, IoCheckQuotaBufferValidity, IoCheckShareAccess, IoCompleteRequest, IoConnectInterrupt, IoCreateController, IoCreateDevice, IoCreateDisk, IoCreateDriver, IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, IoCreateNotificationEvent, IoCreateStreamFileObject, IoCreateStreamFileObjectEx, IoCreateStreamFileObjectLite, IoCreateSymbolicLink, IoCreateSynchronizationEvent, IoCreateUnprotectedSymbolicLink, IoCsqInitialize, IoCsqInsertIrp, IoCsqRemoveIrp, IoCsqRemoveNextIrp, IoDeleteController, IoDeleteDevice, IoDeleteDriver, IoDeleteSymbolicLink, IoDetachDevice, IoDeviceHandlerObjectSize, IoDeviceHandlerObjectType, IoDeviceObjectType, IoDisconnectInterrupt, IoDriverObjectType, IoEnqueueIrp, IoEnumerateDeviceObjectList, IoEnumerateRegisteredFiltersList, IoFastQueryNetworkAttributes, IoFileObjectType, IoForwardAndCatchIrp, IoForwardIrpSynchronously, IoFreeController, IoFreeErrorLogEntry, IoFreeIrp, IoFreeMdl, IoFreeWorkItem, IoGetAttachedDevice, IoGetAttachedDeviceReference, IoGetBaseFileSystemDeviceObject, IoGetBootDiskInformation, IoGetConfigurationInformation, IoGetCurrentProcess, IoGetDeviceAttachmentBaseRef, IoGetDeviceInterfaceAlias, IoGetDeviceInterfaces, IoGetDeviceObjectPointer, IoGetDeviceProperty, IoGetDeviceToVerify, IoGetDiskDeviceObject, IoGetDmaAdapter, IoGetDriverObjectExtension, IoGetFileObjectGenericMapping, IoGetInitialStack, IoGetLowerDeviceObject, IoGetRelatedDeviceObject, IoGetRequestorProcess, IoGetRequestorProcessId, IoGetRequestorSessionId, IoGetStackLimits, IoGetTopLevelIrp, IoInitializeCrashDump, IoInitializeIrp, IoInitializeRemoveLockEx, IoInitializeTimer, IoInvalidateDeviceRelations, IoInvalidateDeviceState, IoIsFileOriginRemote, IoIsOperationSynchronous, IoIsSystemThread, IoIsValidNameGraftingBuffer, IoIsWdmVersionAvailable, IoMakeAssociatedIrp, IoOpenDeviceInterfaceRegistryKey, IoOpenDeviceRegistryKey, IoPageRead, IoPnPDeliverServicePowerNotification, IoQueryDeviceDescription, IoQueryFileDosDeviceName, IoQueryFileInformation, IoQueryVolumeInformation, IoQueueThreadIrp, IoQueueWorkItem, IoRaiseHardError, IoRaiseInformationalHardError, IoReadDiskSignature, IoReadOperationCount, IoReadPartitionTable, IoReadPartitionTableEx, IoReadTransferCount, IoRegisterBootDriverReinitialization, IoRegisterDeviceInterface, IoRegisterDriverReinitialization, IoRegisterFileSystem, IoRegisterFsRegistrationChange, IoRegisterLastChanceShutdownNotification, IoRegisterPlugPlayNotification, IoRegisterShutdownNotification, IoReleaseCancelSpinLock, IoReleaseRemoveLockAndWaitEx, IoReleaseRemoveLockEx, IoReleaseVpbSpinLock, IoRemoveShareAccess, IoReportDetectedDevice, IoReportHalResourceUsage, IoReportResourceForDetection, IoReportResourceUsage, IoReportTargetDeviceChange, IoReportTargetDeviceChangeAsynchronous, IoRequestDeviceEject, IoReuseIrp, IoSetCompletionRoutineEx, IoSetDeviceInterfaceState, IoSetDeviceToVerify, IoSetFileOrigin, IoSetHardErrorOrVerifyDevice, IoSetInformation, IoSetIoCompletion, IoSetPartitionInformation, IoSetPartitionInformationEx, IoSetShareAccess, IoSetStartIoAttributes, IoSetSystemPartition, IoSetThreadHardErrorMode, IoSetTopLevelIrp, IoStartNextPacket, IoStartNextPacketByKey, IoStartPacket, IoStartTimer, IoStatisticsLock, IoStopTimer, IoSynchronousInvalidateDeviceRelations, IoSynchronousPageWrite, IoThreadToProcess, IoUnregisterFileSystem, IoUnregisterFsRegistrationChange, IoUnregisterPlugPlayNotification, IoUnregisterShutdownNotification, IoUpdateShareAccess, IoValidateDeviceIoControlAccess, IoVerifyPartitionTable, IoVerifyVolume, IoVolumeDeviceToDosName, IoWMIAllocateInstanceIds, IoWMIDeviceObjectToInstanceName, IoWMIExecuteMethod, IoWMIHandleToInstanceName, IoWMIOpenBlock, IoWMIQueryAllData, IoWMIQueryAllDataMultiple, IoWMIQuerySingleInstance, IoWMIQuerySingleInstanceMultiple, IoWMIRegistrationControl, IoWMISetNotificationCallback, IoWMISetSingleInstance, IoWMISetSingleItem, IoWMISuggestInstanceName, IoWMIWriteEvent, IoWriteErrorLogEntry, IoWriteOperationCount, IoWritePartitionTable, IoWritePartitionTableEx, IoWriteTransferCount, IofCallDriver, IofCompleteRequest, KdDebuggerEnabled, KdDebuggerNotPresent, KdDisableDebugger, KdEnableDebugger, KdEnteredDebugger, KdPollBreakIn, KdPowerTransition, Ke386CallBios, Ke386IoSetAccessProcess, Ke386QueryIoAccessMap, Ke386SetIoAccessMap, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeAcquireInterruptSpinLock, KeAcquireSpinLockAtDpcLevel, KeAddSystemServiceTable, KeAreApcsDisabled, KeAttachProcess, KeBugCheck, KeBugCheckEx, KeCancelTimer, KeCapturePersistentThreadState, KeClearEvent, KeConnectInterrupt, KeDcacheFlushCount, KeDelayExecutionThread, KeDeregisterBugCheckCallback, KeDeregisterBugCheckReasonCallback, KeDetachProcess, KeDisconnectInterrupt, KeEnterCriticalRegion, KeEnterKernelDebugger, KeFindConfigurationEntry, KeFindConfigurationNextEntry, KeFlushEntireTb, KeFlushQueuedDpcs, KeGetCurrentThread, KeGetPreviousMode, KeGetRecommendedSharedDataAlignment, KeI386AbiosCall, KeI386AllocateGdtSelectors, KeI386Call16BitCStyleFunction, KeI386Call16BitFunction, KeI386FlatToGdtSelector, KeI386GetLid, KeI386MachineType, KeI386ReleaseGdtSelectors, KeI386ReleaseLid, KeI386SetGdtSelector, KeIcacheFlushCount, KeInitializeApc, KeInitializeDeviceQueue, KeInitializeDpc, KeInitializeEvent, KeInitializeInterrupt, KeInitializeMutant, KeInitializeMutex, KeInitializeQueue, KeInitializeSemaphore, KeInitializeSpinLock, KeInitializeTimer, KeInitializeTimerEx, KeInsertByKeyDeviceQueue, KeInsertDeviceQueue, KeInsertHeadQueue, KeInsertQueue, KeInsertQueueApc, KeInsertQueueDpc, KeIsAttachedProcess, KeIsExecutingDpc, KeLeaveCriticalRegion, KeLoaderBlock, KeNumberProcessors, KeProfileInterrupt, KeProfileInterruptWithSource, KePulseEvent, KeQueryActiveProcessors, KeQueryInterruptTime, KeQueryPriorityThread, KeQueryRuntimeThread, KeQuerySystemTime, KeQueryTickCount, KeQueryTimeIncrement, KeRaiseUserException, KeReadStateEvent, KeReadStateMutant, KeReadStateMutex, KeReadStateQueue, KeReadStateSemaphore, KeReadStateTimer, KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback, KeReleaseInStackQueuedSpinLockFromDpcLevel, KeReleaseInterruptSpinLock, KeReleaseMutant, KeReleaseMutex, KeReleaseSemaphore, KeReleaseSpinLockFromDpcLevel, KeRemoveByKeyDeviceQueue, KeRemoveByKeyDeviceQueueIfBusy, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, KeRemoveQueue, KeRemoveQueueDpc, KeRemoveSystemServiceTable, KeResetEvent, KeRestoreFloatingPointState, KeRevertToUserAffinityThread, KeRundownQueue, KeSaveFloatingPointState, KeSaveStateForHibernate, KeServiceDescriptorTable, KeSetAffinityThread, KeSetBasePriorityThread, KeSetDmaIoCoherency, KeSetEvent, KeSetEventBoostPriority, KeSetIdealProcessorThread, KeSetImportanceDpc, KeSetKernelStackSwapEnable, KeSetPriorityThread, KeSetProfileIrql, KeSetSystemAffinityThread, KeSetTargetProcessorDpc, KeSetTimeIncrement, KeSetTimeUpdateNotifyRoutine, KeSetTimer, KeSetTimerEx, KeStackAttachProcess, KeSynchronizeExecution, KeTerminateThread, KeTickCount, KeUnstackDetachProcess, KeUpdateRunTime, KeUpdateSystemTime, KeUserModeCallback, KeWaitForMultipleObjects, KeWaitForMutexObject, KeWaitForSingleObject, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, Kei386EoiHelper, KiAcquireSpinLock, KiBugCheckData, KiCoprocessorError, KiDeliverApc, KiDispatchInterrupt, KiEnableTimerWatchdog, KiIpiServiceRoutine, KiReleaseSpinLock, KiUnexpectedInterrupt, Kii386SpinOnSpinLock, LdrAccessResource, LdrEnumResources, LdrFindResourceDirectory_U, LdrFindResource_U, LpcPortObjectType, LpcRequestPort, LpcRequestWaitReplyPort, LsaCallAuthenticationPackage, LsaDeregisterLogonProcess, LsaFreeReturnBuffer, LsaLogonUser, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, Mm64BitPhysicalAddress, MmAddPhysicalMemory, MmAddVerifierThunks, MmAdjustWorkingSetSize, MmAdvanceMdl, MmAllocateContiguousMemory, MmAllocateContiguousMemorySpecifyCache, MmAllocateMappingAddress, MmAllocateNonCachedMemory, MmAllocatePagesForMdl, MmBuildMdlForNonPagedPool, MmCanFileBeTruncated, MmCommitSessionMappedView, MmCreateMdl, MmCreateSection, MmDisableModifiedWriteOfSection, MmFlushImageSection, MmForceSectionClosed, MmFreeContiguousMemory, MmFreeContiguousMemorySpecifyCache, MmFreeMappingAddress, MmFreeNonCachedMemory, MmFreePagesFromMdl, MmGetPhysicalAddress, MmGetPhysicalMemoryRanges, MmGetSystemRoutineAddress, MmGetVirtualForPhysical, MmGrowKernelStack, MmHighestUserAddress, MmIsAddressValid, MmIsDriverVerifying, MmIsNonPagedSystemAddressValid, MmIsRecursiveIoFault, MmIsThisAnNtAsSystem, MmIsVerifierEnabled, MmLockPagableDataSection, MmLockPagableImageSection, MmLockPagableSectionByHandle, MmMapIoSpace, MmMapLockedPages, MmMapLockedPagesSpecifyCache, MmMapLockedPagesWithReservedMapping, MmMapMemoryDumpMdl, MmMapUserAddressesToPage, MmMapVideoDisplay, MmMapViewInSessionSpace, MmMapViewInSystemSpace, MmMapViewOfSection, MmMarkPhysicalMemoryAsBad, MmMarkPhysicalMemoryAsGood, MmPageEntireDriver, MmPrefetchPages, MmProbeAndLockPages, MmProbeAndLockProcessPages, MmProbeAndLockSelectedPages, MmProtectMdlSystemAddress, MmQuerySystemSize, MmRemovePhysicalMemory, MmResetDriverPaging, MmSectionObjectType, MmSecureVirtualMemory, MmSetAddressRangeModified, MmSetBankedSection, MmSizeOfMdl, MmSystemRangeStart, MmTrimAllSystemPagableMemory, MmUnlockPagableImageSection, MmUnlockPages, MmUnmapIoSpace, MmUnmapLockedPages, MmUnmapReservedMapping, MmUnmapVideoDisplay, MmUnmapViewInSessionSpace, MmUnmapViewInSystemSpace, MmUnmapViewOfSection, MmUnsecureVirtualMemory, MmUserProbeAddress, NlsAnsiCodePage, NlsLeadByteInfo, NlsMbCodePageTag, NlsMbOemCodePageTag, NlsOemCodePage, NlsOemLeadByteInfo, NtAddAtom, NtAdjustPrivilegesToken, NtAllocateLocallyUniqueId, NtAllocateUuids, NtAllocateVirtualMemory, NtBuildNumber, NtClose, NtConnectPort, NtCreateEvent, NtCreateFile, NtCreateSection, NtDeleteAtom, NtDeleteFile, NtDeviceIoControlFile, NtDuplicateObject, NtDuplicateToken, NtFindAtom, NtFreeVirtualMemory, NtFsControlFile, NtGlobalFlag, NtLockFile, NtMakePermanentObject, NtMapViewOfSection, NtNotifyChangeDirectoryFile, NtOpenFile, NtOpenProcess, NtOpenProcessToken, NtOpenProcessTokenEx, NtOpenThread, NtOpenThreadToken, NtOpenThreadTokenEx, NtQueryDirectoryFile, NtQueryEaFile, NtQueryInformationAtom, NtQueryInformationFile, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationToken, NtQueryQuotaInformationFile, NtQuerySecurityObject, NtQuerySystemInformation, NtQueryVolumeInformationFile, NtReadFile, NtRequestPort, NtRequestWaitReplyPort, NtSetEaFile, NtSetEvent, NtSetInformationFile, NtSetInformationProcess, NtSetInformationThread, NtSetQuotaInformationFile, NtSetSecurityObject, NtSetVolumeInformationFile, NtShutdownSystem, NtTraceEvent, NtUnlockFile, NtVdmControl, NtWaitForSingleObject, NtWriteFile, ObAssignSecurity, ObCheckCreateObjectAccess, ObCheckObjectAccess, ObCloseHandle, ObCreateObject, ObCreateObjectType, ObDereferenceObject, ObDereferenceSecurityDescriptor, ObFindHandleForObject, ObGetObjectSecurity, ObInsertObject, ObLogSecurityDescriptor, ObMakeTemporaryObject, ObOpenObjectByName, ObOpenObjectByPointer, ObQueryNameString, ObQueryObjectAuditingByHandle, ObReferenceObjectByHandle, ObReferenceObjectByName, ObReferenceObjectByPointer, ObReferenceSecurityDescriptor, ObReleaseObjectSecurity, ObSetHandleAttributes, ObSetSecurityDescriptorInfo, ObSetSecurityObjectByPointer, ObfDereferenceObject, ObfReferenceObject, PfxFindPrefix, PfxInitialize, PfxInsertPrefix, PfxRemovePrefix, PoCallDriver, PoCancelDeviceNotify, PoQueueShutdownWorkItem, PoRegisterDeviceForIdleDetection, PoRegisterDeviceNotify, PoRegisterSystemState, PoRequestPowerIrp, PoRequestShutdownEvent, PoSetHiberRange, PoSetPowerState, PoSetSystemState, PoShutdownBugCheck, PoStartNextPowerIrp, PoUnregisterSystemState, ProbeForRead, ProbeForWrite, PsAssignImpersonationToken, PsChargePoolQuota, PsChargeProcessNonPagedPoolQuota, PsChargeProcessPagedPoolQuota, PsChargeProcessPoolQuota, PsCreateSystemProcess, PsCreateSystemThread, PsDereferenceImpersonationToken, PsDereferencePrimaryToken, PsDisableImpersonation, PsEstablishWin32Callouts, PsGetContextThread, PsGetCurrentProcess, PsGetCurrentProcessId, PsGetCurrentProcessSessionId, PsGetCurrentThread, PsGetCurrentThreadId, PsGetCurrentThreadPreviousMode, PsGetCurrentThreadStackBase, PsGetCurrentThreadStackLimit, PsGetJobLock, PsGetJobSessionId, PsGetJobUIRestrictionsClass, PsGetProcessCreateTimeQuadPart, PsGetProcessDebugPort, PsGetProcessExitProcessCalled, PsGetProcessExitStatus, PsGetProcessExitTime, PsGetProcessId, PsGetProcessImageFileName, PsGetProcessInheritedFromUniqueProcessId, PsGetProcessJob, PsGetProcessPeb, PsGetProcessPriorityClass, PsGetProcessSectionBaseAddress, PsGetProcessSecurityPort, PsGetProcessSessionId, PsGetProcessWin32Process, PsGetProcessWin32WindowStation, PsGetThreadFreezeCount, PsGetThreadHardErrorsAreDisabled, PsGetThreadId, PsGetThreadProcess, PsGetThreadProcessId, PsGetThreadSessionId, PsGetThreadTeb, PsGetThreadWin32Thread, PsGetVersion, PsImpersonateClient, PsInitialSystemProcess, PsIsProcessBeingDebugged, PsIsSystemThread, PsIsThreadImpersonating, PsIsThreadTerminating, PsJobType, PsLookupProcessByProcessId, PsLookupProcessThreadByCid, PsLookupThreadByThreadId, PsProcessType, PsReferenceImpersonationToken, PsReferencePrimaryToken, PsRemoveCreateThreadNotifyRoutine, PsRemoveLoadImageNotifyRoutine, PsRestoreImpersonation, PsReturnPoolQuota, PsReturnProcessNonPagedPoolQuota, PsReturnProcessPagedPoolQuota, PsRevertThreadToSelf, PsRevertToSelf, PsSetContextThread, PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetJobUIRestrictionsClass, PsSetLegoNotifyRoutine, PsSetLoadImageNotifyRoutine, PsSetProcessPriorityByClass, PsSetProcessPriorityClass, PsSetProcessSecurityPort, PsSetProcessWin32Process, PsSetProcessWindowStation, PsSetThreadHardErrorsAreDisabled, PsSetThreadWin32Thread, PsTerminateSystemThread, PsThreadType, READ_REGISTER_BUFFER_UCHAR, READ_REGISTER_BUFFER_ULONG, READ_REGISTER_BUFFER_USHORT, READ_REGISTER_UCHAR, READ_REGISTER_ULONG, READ_REGISTER_USHORT, RtlAbsoluteToSelfRelativeSD, RtlAddAccessAllowedAce, RtlAddAccessAllowedAceEx, RtlAddAce, RtlAddAtomToAtomTable, RtlAddRange, RtlAllocateHeap, RtlAnsiCharToUnicodeChar, RtlAnsiStringToUnicodeSize, RtlAnsiStringToUnicodeString, RtlAppendAsciizToString, RtlAppendStringToString, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, RtlAreAllAccessesGranted, RtlAreAnyAccessesGranted, RtlAreBitsClear, RtlAreBitsSet, RtlAssert, RtlCaptureContext, RtlCaptureStackBackTrace, RtlCharToInteger, RtlCheckRegistryKey, RtlClearAllBits, RtlClearBit, RtlClearBits, RtlCompareMemory, RtlCompareMemoryUlong, RtlCompareString, RtlCompareUnicodeString, RtlCompressBuffer, RtlCompressChunks, RtlConvertLongToLargeInteger, RtlConvertSidToUnicodeString, RtlConvertUlongToLargeInteger, RtlCopyLuid, RtlCopyRangeList, RtlCopySid, RtlCopyString, RtlCopyUnicodeString, RtlCreateAcl, RtlCreateAtomTable, RtlCreateHeap, RtlCreateRegistryKey, RtlCreateSecurityDescriptor, RtlCreateSystemVolumeInformationFolder, RtlCreateUnicodeString, RtlCustomCPToUnicodeN, RtlDecompressBuffer, RtlDecompressChunks, RtlDecompressFragment, RtlDelete, RtlDeleteAce, RtlDeleteAtomFromAtomTable, RtlDeleteElementGenericTable, RtlDeleteElementGenericTableAvl, RtlDeleteNoSplay, RtlDeleteOwnersRanges, RtlDeleteRange, RtlDeleteRegistryValue, RtlDescribeChunk, RtlDestroyAtomTable, RtlDestroyHeap, RtlDowncaseUnicodeString, RtlEmptyAtomTable, RtlEnlargedIntegerMultiply, RtlEnlargedUnsignedDivide, RtlEnlargedUnsignedMultiply, RtlEnumerateGenericTable, RtlEnumerateGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlEnumerateGenericTableWithoutSplaying, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEqualLuid, RtlEqualSid, RtlEqualString, RtlEqualUnicodeString, RtlExtendedIntegerMultiply, RtlExtendedLargeIntegerDivide, RtlExtendedMagicDivide, RtlFillMemory, RtlFillMemoryUlong, RtlFindClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, RtlFindFirstRunClear, RtlFindLastBackwardRunClear, RtlFindLeastSignificantBit, RtlFindLongestRunClear, RtlFindMessage, RtlFindMostSignificantBit, RtlFindNextForwardRunClear, RtlFindRange, RtlFindSetBits, RtlFindSetBitsAndClear, RtlFindUnicodePrefix, RtlFormatCurrentUserKeyPath, RtlFreeAnsiString, RtlFreeHeap, RtlFreeOemString, RtlFreeRangeList, RtlFreeUnicodeString, RtlGUIDFromString, RtlGenerate8dot3Name, RtlGetAce, RtlGetCallersAddress, RtlGetCompressionWorkSpaceSize, RtlGetDaclSecurityDescriptor, RtlGetDefaultCodePage, RtlGetElementGenericTable, RtlGetElementGenericTableAvl, RtlGetFirstRange, RtlGetGroupSecurityDescriptor, RtlGetNextRange, RtlGetNtGlobalFlags, RtlGetOwnerSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetSetBootStatusData, RtlGetVersion, RtlHashUnicodeString, RtlImageDirectoryEntryToData, RtlImageNtHeader, RtlInitAnsiString, RtlInitCodePageTable, RtlInitString, RtlInitUnicodeString, RtlInitializeBitMap, RtlInitializeGenericTable, RtlInitializeGenericTableAvl, RtlInitializeRangeList, RtlInitializeSid, RtlInitializeUnicodePrefix, RtlInsertElementGenericTable, RtlInsertElementGenericTableAvl, RtlInsertElementGenericTableFull, RtlInsertElementGenericTableFullAvl, RtlInsertUnicodePrefix, RtlInt64ToUnicodeString, RtlIntegerToChar, RtlIntegerToUnicode, RtlIntegerToUnicodeString, RtlInvertRangeList, RtlIpv4AddressToStringA, RtlIpv4AddressToStringExA, RtlIpv4AddressToStringExW, RtlIpv4AddressToStringW, RtlIpv4StringToAddressA, RtlIpv4StringToAddressExA, RtlIpv4StringToAddressExW, RtlIpv4StringToAddressW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringExA, RtlIpv6AddressToStringExW, RtlIpv6AddressToStringW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressExA, RtlIpv6StringToAddressExW, RtlIpv6StringToAddressW, RtlIsGenericTableEmpty, RtlIsGenericTableEmptyAvl, RtlIsNameLegalDOS8Dot3, RtlIsRangeAvailable, RtlIsValidOemCharacter, RtlLargeIntegerAdd, RtlLargeIntegerArithmeticShift, RtlLargeIntegerDivide, RtlLargeIntegerNegate, RtlLargeIntegerShiftLeft, RtlLargeIntegerShiftRight, RtlLargeIntegerSubtract, RtlLengthRequiredSid, RtlLengthSecurityDescriptor, RtlLengthSid, RtlLockBootStatusData, RtlLookupAtomInAtomTable, RtlLookupElementGenericTable, RtlLookupElementGenericTableAvl, RtlLookupElementGenericTableFull, RtlLookupElementGenericTableFullAvl, RtlMapGenericMask, RtlMapSecurityErrorToNtStatus, RtlMergeRangeLists, RtlMoveMemory, RtlMultiByteToUnicodeN, RtlMultiByteToUnicodeSize, RtlNextUnicodePrefix, RtlNtStatusToDosError, RtlNtStatusToDosErrorNoTeb, RtlNumberGenericTableElements, RtlNumberGenericTableElementsAvl, RtlNumberOfClearBits, RtlNumberOfSetBits, RtlOemStringToCountedUnicodeString, RtlOemStringToUnicodeSize, RtlOemStringToUnicodeString, RtlOemToUnicodeN, RtlPinAtomInAtomTable, RtlPrefetchMemoryNonTemporal, RtlPrefixString, RtlPrefixUnicodeString, RtlQueryAtomInAtomTable, RtlQueryRegistryValues, RtlQueryTimeZoneInformation, RtlRaiseException, RtlRandom, RtlRandomEx, RtlRealPredecessor, RtlRealSuccessor, RtlRemoveUnicodePrefix, RtlReserveChunk, RtlSecondsSince1970ToTime, RtlSecondsSince1980ToTime, RtlSelfRelativeToAbsoluteSD, RtlSelfRelativeToAbsoluteSD2, RtlSetAllBits, RtlSetBit, RtlSetBits, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSetTimeZoneInformation, RtlSizeHeap, RtlSplay, RtlStringFromGUID, RtlSubAuthorityCountSid, RtlSubAuthoritySid, RtlSubtreePredecessor, RtlSubtreeSuccessor, RtlTestBit, RtlTimeFieldsToTime, RtlTimeToElapsedTimeFields, RtlTimeToSecondsSince1970, RtlTimeToSecondsSince1980, RtlTimeToTimeFields, RtlTraceDatabaseAdd, RtlTraceDatabaseCreate, RtlTraceDatabaseDestroy, RtlTraceDatabaseEnumerate, RtlTraceDatabaseFind, RtlTraceDatabaseLock, RtlTraceDatabaseUnlock, RtlTraceDatabaseValidate, RtlUlongByteSwap, RtlUlonglongByteSwap, RtlUnicodeStringToAnsiSize, RtlUnicodeStringToAnsiString, RtlUnicodeStringToCountedOemString, RtlUnicodeStringToInteger, RtlUnicodeStringToOemSize, RtlUnicodeStringToOemString, RtlUnicodeToCustomCPN, RtlUnicodeToMultiByteN, RtlUnicodeToMultiByteSize, RtlUnicodeToOemN, RtlUnlockBootStatusData, RtlUnwind, RtlUpcaseUnicodeChar, RtlUpcaseUnicodeString, RtlUpcaseUnicodeStringToAnsiString, RtlUpcaseUnicodeStringToCountedOemString, RtlUpcaseUnicodeStringToOemString, RtlUpcaseUnicodeToCustomCPN, RtlUpcaseUnicodeToMultiByteN, RtlUpcaseUnicodeToOemN, RtlUpperChar, RtlUpperString, RtlUshortByteSwap, RtlValidRelativeSecurityDescriptor, RtlValidSecurityDescriptor, RtlValidSid, RtlVerifyVersionInfo, RtlVolumeDeviceToDosName, RtlWalkFrameChain, RtlWriteRegistryValue, RtlZeroHeap, RtlZeroMemory, RtlxAnsiStringToUnicodeSize, RtlxOemStringToUnicodeSize, RtlxUnicodeStringToAnsiSize, RtlxUnicodeStringToOemSize, SeAccessCheck, SeAppendPrivileges, SeAssignSecurity, SeAssignSecurityEx, SeAuditHardLinkCreation, SeAuditingFileEvents, SeAuditingFileEventsWithContext, SeAuditingFileOrGlobalEvents, SeAuditingHardLinkEvents, SeAuditingHardLinkEventsWithContext, SeCaptureSecurityDescriptor, SeCaptureSubjectContext, SeCloseObjectAuditAlarm, SeCreateAccessState, SeCreateClientSecurity, SeCreateClientSecurityFromSubjectContext, SeDeassignSecurity, SeDeleteAccessState, SeDeleteObjectAuditAlarm, SeExports, SeFilterToken, SeFreePrivileges, SeImpersonateClient, SeImpersonateClientEx, SeLockSubjectContext, SeMarkLogonSessionForTerminationNotification, SeOpenObjectAuditAlarm, SeOpenObjectForDeleteAuditAlarm, SePrivilegeCheck, SePrivilegeObjectAuditAlarm, SePublicDefaultDacl, SeQueryAuthenticationIdToken, SeQueryInformationToken, SeQuerySecurityDescriptorInfo, SeQuerySessionIdToken, SeRegisterLogonSessionTerminatedRoutine, SeReleaseSecurityDescriptor, SeReleaseSubjectContext, SeSetAccessStateGenericMapping, SeSetSecurityDescriptorInfo, SeSetSecurityDescriptorInfoEx, SeSinglePrivilegeCheck, SeSystemDefaultDacl, SeTokenImpersonationLevel, SeTokenIsAdmin, SeTokenIsRestricted, SeTokenIsWriteRestricted, SeTokenObjectType, SeTokenType, SeUnlockSubjectContext, SeUnregisterLogonSessionTerminatedRoutine, SeValidSecurityDescriptor, VerSetConditionMask, VfFailDeviceNode, VfFailDriver, VfFailSystemBIOS, VfIsVerificationEnabled, WRITE_REGISTER_BUFFER_UCHAR, WRITE_REGISTER_BUFFER_ULONG, WRITE_REGISTER_BUFFER_USHORT, WRITE_REGISTER_UCHAR, WRITE_REGISTER_ULONG, WRITE_REGISTER_USHORT, WmiFlushTrace, WmiGetClock, WmiQueryTrace, WmiQueryTraceInformation, WmiStartTrace, WmiStopTrace, WmiTraceMessage, WmiTraceMessageVa, WmiUpdateTrace, XIPDispatch, ZwAccessCheckAndAuditAlarm, ZwAddBootEntry, ZwAdjustPrivilegesToken, ZwAlertThread, ZwAllocateVirtualMemory, ZwAssignProcessToJobObject, ZwCancelIoFile, ZwCancelTimer, ZwClearEvent, ZwClose, ZwCloseObjectAuditAlarm, ZwConnectPort, ZwCreateDirectoryObject, ZwCreateEvent, ZwCreateFile, ZwCreateJobObject, ZwCreateKey, ZwCreateSection, ZwCreateSymbolicLinkObject, ZwCreateTimer, ZwDeleteBootEntry, ZwDeleteFile, ZwDeleteKey, ZwDeleteValueKey, ZwDeviceIoControlFile, ZwDisplayString, ZwDuplicateObject, ZwDuplicateToken, ZwEnumerateBootEntries, ZwEnumerateKey, ZwEnumerateValueKey, ZwFlushInstructionCache, ZwFlushKey, ZwFlushVirtualMemory, ZwFreeVirtualMemory, ZwFsControlFile, ZwInitiatePowerAction, ZwIsProcessInJob, ZwLoadDriver, ZwLoadKey, ZwMakeTemporaryObject, ZwMapViewOfSection, ZwNotifyChangeKey, ZwOpenDirectoryObject, ZwOpenEvent, ZwOpenFile, ZwOpenJobObject, ZwOpenKey, ZwOpenProcess, ZwOpenProcessToken, ZwOpenProcessTokenEx, ZwOpenSection, ZwOpenSymbolicLinkObject, ZwOpenThread, ZwOpenThreadToken, ZwOpenThreadTokenEx, ZwOpenTimer, ZwPowerInformation, ZwPulseEvent, ZwQueryBootEntryOrder, ZwQueryBootOptions, ZwQueryDefaultLocale, ZwQueryDefaultUILanguage, ZwQueryDirectoryFile, ZwQueryDirectoryObject, ZwQueryEaFile, ZwQueryFullAttributesFile, ZwQueryInformationFile, ZwQueryInformationJobObject, ZwQueryInformationProcess, ZwQueryInformationThread, ZwQueryInformationToken, ZwQueryInstallUILanguage, ZwQueryKey, ZwQueryObject, ZwQuerySection, ZwQuerySecurityObject, ZwQuerySymbolicLinkObject, ZwQuerySystemInformation, ZwQueryValueKey, ZwQueryVolumeInformationFile, ZwReadFile, ZwReplaceKey, ZwRequestWaitReplyPort, ZwResetEvent, ZwRestoreKey, ZwSaveKey, ZwSaveKeyEx, ZwSetBootEntryOrder, ZwSetBootOptions, ZwSetDefaultLocale, ZwSetDefaultUILanguage, ZwSetEaFile, ZwSetEvent, ZwSetInformationFile, ZwSetInformationJobObject, ZwSetInformationObject, ZwSetInformationProcess, ZwSetInformationThread, ZwSetSecurityObject, ZwSetSystemInformation, ZwSetSystemTime, ZwSetTimer, ZwSetValueKey, ZwSetVolumeInformationFile, ZwTerminateJobObject, ZwTerminateProcess, ZwTranslateFilePath, ZwUnloadDriver, ZwUnloadKey, ZwUnmapViewOfSection, ZwWaitForMultipleObjects, ZwWaitForSingleObject, ZwWriteFile, ZwYieldExecution, _CIcos, _CIsin, _CIsqrt, _abnormal_termination, _alldiv, _alldvrm, _allmul, _alloca_probe, _allrem, _allshl, _allshr, _aulldiv, _aulldvrm, _aullrem, _aullshr, _except_handler2, _except_handler3, _global_unwind2, _itoa, _itow, _local_unwind2, _purecall, _snprintf, _snwprintf, _stricmp, _strlwr, _strnicmp, _strnset, _strrev, _strset, _strupr, _vsnprintf, _vsnwprintf, _wcsicmp, _wcslwr, _wcsnicmp, _wcsnset, _wcsrev, _wcsupr, atoi, atol, isdigit, islower, isprint, isspace, isupper, isxdigit, mbstowcs, mbtowc, memchr, memcpy, memmove, memset, qsort, rand, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, strncat, strncmp, strncpy, strrchr, strspn, strstr, swprintf, tolower, toupper, towlower, towupper, vDbgPrintEx, vDbgPrintExWithPrefix, vsprintf, wcscat, wcschr, wcscmp, wcscpy, wcscspn, wcslen, wcsncat, wcsncmp, wcsncpy, wcsrchr, wcsspn, wcsstr, wcstombs, wctomb



ComboFix 08-04-26.3 - Arturo 2008-05-01 20:22:59.2 - NTFSx86
Se ejecuta desde: C:\Documents and Settings\Arturo\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\Arturo\Escritorio\CFScript.txt
* Creado un nuevo punto de restauración

FILE ::
C:\WINDOWS\BM67f45701.xml
C:\WINDOWS\system32\vpkkvcoe.ini
E:\LaunchU3.exe
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM67f45701.xml
C:\WINDOWS\system32\vpkkvcoe.ini

.
(((((((((((((((((( Archivos creados desde 2008-04-02 - 2008-05-02 )))))))))))))))))))))))))))))))))
.

2008-04-30 13:39 . 2008-04-30 13:39 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuraci¾n local
2008-04-30 13:39 . 2008-04-30 13:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuraci¾n local
2008-04-30 13:39 . 2008-04-30 13:39 <DIR> d-------- C:\Documents and Settings\LocalService\Configuraci¾n local
2008-04-30 13:39 . 2008-04-30 13:39 <DIR> d-------- C:\Documents and Settings\Arturo\Configuraci¾n local
2008-04-30 13:39 . 2008-04-30 13:39 <DIR> d-------- C:\Documents and Settings\Administrador\Configuraci¾n local
2008-04-29 12:54 . 2008-04-29 12:54 <DIR> d--hs---- C:\Diskeeper
2008-04-29 08:53 . 2008-04-29 08:53 <DIR> d-------- C:\Documents and Settings\Arturo\Datos de programa\CheckPoint
2008-04-29 08:51 . 2008-04-29 08:51 <DIR> d-------- C:\Archivos de programa\CheckPoint
2008-04-29 08:51 . 2008-04-29 08:51 144 --a------ C:\WINDOWS\system32\lkfl.dat
2008-04-29 08:51 . 2008-04-29 08:51 128 --a------ C:\WINDOWS\system32\pdfl.dat
2008-04-29 08:51 . 2008-04-29 08:51 96 --a------ C:\WINDOWS\system32\ibfl.dat
2008-04-28 20:19 . 2008-04-28 20:19 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_94591.LOG
2008-04-28 20:19 . 2008-04-28 20:19 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_13813.LOG
2008-04-28 20:19 . 2008-04-28 20:19 0 --ah----- C:\Documents and Settings\Arturo\NTUSER.DAT_TU_15548.LOG
2008-04-28 18:00 . 2008-04-28 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Diskeeper Corporation
2008-04-28 12:46 . 2008-04-28 12:46 <DIR> dr-h----- C:\Documents and Settings\LocalService\Reciente
2008-04-27 17:31 . 2008-04-27 17:31 <DIR> d-------- C:\Documents and Settings\Arturo\Datos de programa\URSoft
2008-04-27 17:31 . 2008-04-27 19:15 <DIR> d-------- C:\Archivos de programa\Startup Faster
2008-04-24 20:47 . 2008-04-24 20:47 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2008-04-24 08:34 . 2008-04-30 10:28 <DIR> d-------- C:\Documents and Settings\Arturo\Datos de programa\Hide IP NG
2008-04-24 08:31 . 2008-04-29 13:22 <DIR> d-a------ C:\Documents and Settings\All Users\Datos de programa\TEMP
2008-04-24 08:29 . 2008-04-28 21:26 <DIR> d-------- C:\Archivos de programa\SpeedFan
2008-04-24 08:29 . 2008-04-24 08:29 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-04-19 13:46 . 2008-04-19 13:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:46 . 2008-04-19 13:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 09:00 . 2008-04-15 09:00 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-04-13 16:56 . 2008-04-13 16:56 <DIR> d-------- C:\Archivos de programa\Microsoft ActiveSync
2008-04-13 16:56 . 2005-10-20 20:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 16:56 . 2005-10-20 20:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 16:49 . 2008-04-13 16:49 <DIR> d-------- C:\Archivos de programa\Windows Mobile Device Handbook
2008-04-11 15:17 . 2008-04-11 15:17 5 --a------ C:\stgs4.temp
2008-04-11 15:17 . 2008-04-11 15:17 5 --a------ C:\stgs1.temp

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 01:46 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Symantec
2008-04-30 15:54 --------- d-----w C:\Archivos de programa\Archivos comunes\Symantec Shared
2008-04-29 21:14 --------- d-----w C:\Archivos de programa\Norton 360
2008-04-29 13:43 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Microsoft Help
2008-04-29 02:59 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\LimeWire
2008-04-29 02:59 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\Azureus
2008-04-28 18:22 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\uTorrent
2008-04-25 20:00 --------- d-----w C:\Archivos de programa\Norton Security Scan
2008-04-25 01:47 --------- d-----w C:\Archivos de programa\Styler
2008-04-19 03:32 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2008-04-19 03:32 --------- d-----w C:\Archivos de programa\Thief2
2008-04-19 03:32 --------- d-----w C:\Archivos de programa\CyberLink
2008-04-19 03:22 --------- d-----w C:\Archivos de programa\Pocket Tanks Deluxe
2008-04-17 12:04 --------- d-----w C:\Archivos de programa\XeroBank
2008-04-03 02:09 --------- d-----w C:\Archivos de programa\Opera
2008-04-01 17:51 --------- d-----w C:\Archivos de programa\Acoustica MP3 CD Burner
2008-03-25 18:35 --------- d-----w C:\Archivos de programa\Azureus
2008-03-22 15:33 --------- d-----w C:\Documents and Settings\Arturo\Datos de programa\U3
2008-03-15 01:19 15,781 ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-03-11 17:38 --------- d-----w C:\Archivos de programa\Diskeeper Corporation
2008-03-09 01:25 --------- d-----w C:\Archivos de programa\MSN Messenger
2008-03-08 17:47 --------- d-----w C:\Archivos de programa\eMule
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 17:43 --------- d-----w C:\Archivos de programa\QuickTime
2008-03-03 01:51 --------- d-----w C:\Archivos de programa\MagicDisc
2008-03-03 01:26 --------- d-----w C:\Archivos de programa\The Rosetta Stone
2008-02-15 03:34 24,192 ----a-w C:\Documents and Settings\Arturo\usbsermptxp.sys
2008-02-15 03:34 22,768 ----a-w C:\Documents and Settings\Arturo\usbsermpt.sys
2007-09-12 03:09 94,080 ----a-w C:\Documents and Settings\Arturo\Datos de programa\ezplay.sys
2007-09-12 03:09 87,608 ----a-w C:\Documents and Settings\Arturo\Datos de programa\ezpinst.exe
2007-09-12 03:08 47,360 ----a-w C:\Documents and Settings\Arturo\Datos de programa\pcouffin.sys
2007-07-29 16:28 348 ----a-w C:\Archivos de programa\explore2fs debug log.txt
2005-04-02 01:02 838,656 ----a-w C:\Archivos de programa\explore2fs.exe
2005-04-02 00:49 5,712 ----a-w C:\Archivos de programa\readme.txt
2005-04-02 00:48 7,073 ----a-w C:\Archivos de programa\changes.txt
1999-07-21 22:45 25,956 ----a-w C:\Archivos de programa\diskio2.dll
1998-06-19 17:29 17,984 ----a-w C:\Archivos de programa\copying.txt
2008-01-10 21:26 8 --sh--r C:\WINDOWS\system32\9484BB0017.sys
2008-01-10 21:26 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_13.38.12.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 18:26:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 00:58:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 00:58:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2008-04-28 03:57 453904 --a------ C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= "C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll" [2008-04-28 03:57 453904]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2008-04-28 03:57 453904]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 08:42 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 08:42 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNEWOh]
urqNEWOh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartupFaster]
--a------ 2007-12-07 21:19 1631456 C:\Archivos de programa\Startup Faster\startuploader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"RemoteRegistry"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec PIF AlertEng"="C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Archivos de programa\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Archivos de programa\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Archivos de programa\\Opera\\Opera.exe"=
"C:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"C:\\Archivos de programa\\LimeWire\\LimeWire.exe"=
"C:\\Archivos de programa\\eMule\\emule.exe"=
"C:\\Archivos de programa\\Azureus\\Azureus.exe"=
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"=
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"=
"C:\\Archivos de programa\\Diskeeper Corporation\\Diskeeper\\Diskeeper.exe"=
"C:\Archivos de programa\Microsoft ActiveSync\rapimgr.exe"= C:\Archivos de programa\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"= C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Archivos de programa\Microsoft ActiveSync\WCESMgr.exe"= C:\Archivos de programa\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Si3112;Si3112;C:\WINDOWS\system32\drivers\Si3112.sys [2006-12-07 00:06]
R2 IswSvc;ForceField IswSvc;"C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe" [2008-04-28 03:57]
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2001-12-18 00:54]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 15:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 15:04]
R3 FA312;Controlador de adaptador Fast Ethernet NETGEAR FA330/FA312/FA311;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2006-11-25 03:01]
S3 icsak;icsak;C:\Archivos de programa\CheckPoint\ZAForceField\AK\icsak.sys [2008-04-28 03:57]
S3 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contenido de carpeta 'Tareas Programadas'
"2008-04-25 22:56:49 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Archivos de programa\TuneUp Utilities 2008\OneClick.exe
"2008-04-28 16:00:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 21:03:14 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Archivos de programa\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 20:28:00
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 1

**************************************************************************
.
Tiempo completado: 2008-05-01 20:31:49
ComboFix-quarantined-files.txt 2008-05-02 01:31:41
ComboFix2.txt 2008-04-30 18:39:26

18 dirs 6,332,424,192 bytes libres
22 dirs 6,487,678,976 bytes libres

199 --- E O F --- 2008-04-17 15:46:55


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:13:50 p.m., on 02/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Archivos de programa\Archivos comunes\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C006E7-2F52-46A4-B15A-DFC5102EC74E}: NameServer = 69.49.208.10 69.7.80.10
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARCHIV~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: urqNEWOh - urqNEWOh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Arch
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O20 - Winlogon Notify: urqNEWOh - urqNEWOh.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Reboot and post a new HijackThis log and tell me how your PC is running
  • 0

#7
aquevedo831

aquevedo831

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Here are my new logs:

Malwarebytes' Anti-Malware 1.11
Database version: 711

Scan type: Full Scan (A:\|C:\|D:\|F:\|X:\|)
Objects scanned: 118759
Time elapsed: 1 hour(s), 13 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{81b7f2df-3427-4704-b441-f74a4de94ce1} (Adware.Rightonadz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2ed7cd5f-aee2-4b09-82f4-c96eb7c02c87} (Adware.Rightonadz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4cde7971-1026-41ae-9818-31a9e5779441} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5dbd13bc-c3f8-4846-ad3e-ba3479a5d3f1} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Rotator.Gizmo2 (Adware.Rightonadz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adssite.ad (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJAtUKB.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\opnmJDSM.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP113\A0123920.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP117\A0124130.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP117\A0124131.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP117\A0125129.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP118\A0125146.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP124\A0126266.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP124\A0126279.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128375.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128376.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128377.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128378.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128379.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128380.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128381.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128382.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128383.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128384.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128385.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128386.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128387.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128388.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128389.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128390.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128391.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128394.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D42FCE12-3392-4A26-B3FC-36188A838FEB}\RP127\A0128397.dll (Trojan.Vundo) -> Quarantined and deleted successfully.














Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:31:32 p.m., on 03/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\Opera\Opera.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Archivos de programa\Archivos comunes\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Archivos de programa\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.co...GenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.co.../EconPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C006E7-2F52-46A4-B15A-DFC5102EC74E}: NameServer = 69.49.208.10 69.7.80.10
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARCHIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Archivos de programa\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Archivos de programa\Streamload\MediaMax XL\StreamloadService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Archivos de programa\Archivos comunes\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7738 bytes







I can already tell there is a great improvement on my laptop's overall performance. It is not so slow to respond anymore. I will perform some demanding tasks here in a little bit to see how it responds to heavy tasks. Thanks
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#9
aquevedo831

aquevedo831

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 215 posts
Thank you for your help!!! I really appreciate it :)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP