
Infected with w32/FakeAlert!!!!


34 replies to this topic

#1 Mr_Llanes

  • Members
  • 26 posts

Posted 15 April 2012 - 03:19 PM

To whom it may concern,

Thanks in advance for your help!

My first question is if it is worth for you and me to spend time to fix my computer or wouldn't it be better to format it and reinstall it completely?

This is the worst infection I've ever had! In the normal login, I do not have access to anything, not even my PC or the command prompt; I have no access to the internet and there is no way I can turn on the firewall.

I am running the PC in safe mode and I am using another computer to download the files to get the logs (as explained in the Preparation Guide) and then I use a USB key to transfer them to the infected PC.

Below you may find the contents of the DDS file and attached you may find both the Attach.txt and the Ark.txt

Please advise if it would be better to format and re-install the PC rather than to try to fix it.

Best regards,

Mr_Llanes

DDS contents below:


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrador at 11:37:21 on 2012-04-15
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.895.686 [GMT -5:00]
.
AV: System Shield *Enabled/Outdated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Archivos de programa\Archivos comunes\Authentium\AntiVirus5\vsedsps.exe
C:\Archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseamps.exe
C:\Archivos de programa\iolo\Common\Lib\ioloServiceManager.exe
C:\Archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseqrts.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\datos de programa\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - No File
BHO: CodecC Class: {cd88daf1-29ce-4b00-96db-fd610a48b1cb} - c:\documents and settings\all users\datos de programa\codecc\bhoclass.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\archivos de programa\ask.com\GenericAskToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRunOnce: [NeroHomeFirstStart] "c:\archivos de programa\archivos comunes\nero\lib\NMFirstStart.exe"
mRun: [StartCCC] "c:\archivos de programa\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SynTPEnh] c:\archivos de programa\synaptics\syntp\SynTPEnh.exe
mRun: [WBMKEYBD] c:\windows\WBMKbdAP.exe
mRun: [HP Software Update] c:\archivos de programa\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\archivos de programa\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [TkBellExe] "c:\archivos de programa\real\realplayer\update\realsched.exe" -osboot
mRunOnce: [4FA12186-8D89-4137-B5DF-B472F6A69F8B]
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\datos de programa\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
mRunOnce: [SMRequiresRestart]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52}
LSP: c:\archivos de programa\speedbit video accelerator\lsp3.2.2.4\SBLSP.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1324774675375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279578948875
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ra.pasadenaisd.org/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F1F3DA81-9D89-4974-BD82-FEE17BF4026D} : DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\archivos de programa\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ioloSystemService;iolo System Service;c:\archivos de programa\iolo\common\lib\ioloServiceManager.exe [2011-6-17 722616]
R2 vseamps;vseamps;c:\archivos de programa\archivos comunes\authentium\antivirus5\vseamps.exe [2011-9-28 97088]
R2 vsedsps;vsedsps;c:\archivos de programa\archivos comunes\authentium\antivirus5\vsedsps.exe [2011-9-28 97088]
R2 vseqrts;vseqrts;c:\archivos de programa\archivos comunes\authentium\antivirus5\vseqrts.exe [2011-9-28 142144]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 AMP;AMP;c:\windows\system32\drivers\amp.sys [2011-9-28 138048]
S2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [2011-9-28 1189184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\archivos de programa\secunia\psi\psia.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\archivos de programa\secunia\psi\sua.exe [2011-10-14 399416]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\archiv~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\archiv~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253600]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-4-18 235904]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-19 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2012-04-15 08:24:08 -------- d-----w- C:\FakeAlert Removal
2012-04-15 04:54:07 -------- d-----w- c:\documents and settings\administrador.llanes\datos de programa\Malwarebytes
2012-04-15 04:03:11 -------- d-sh--w- c:\documents and settings\administrador.llanes\PrivacIE
2012-04-15 04:00:21 -------- d-----w- c:\documents and settings\administrador.llanes\datos de programa\iolo
2012-04-15 03:59:36 -------- d-sh--w- c:\documents and settings\administrador.llanes\IETldCache
2012-04-13 03:17:23 239104 ----a-w- c:\documents and settings\all users\datos de programa\Vt9w8IQZxAtnxH.exe
2012-04-02 07:14:28 418464 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-28 05:46:29 -------- d--h--w- c:\documents and settings\all users\datos de programa\Premium
2012-03-28 05:44:51 -------- d--h--w- c:\documents and settings\all users\datos de programa\CodecC
2012-03-28 05:44:32 -------- d--h--w- C:\codec-info
2012-03-28 05:44:09 -------- d--h--w- c:\documents and settings\all users\datos de programa\InstallMate
.
==================== Find3M ====================
.
2012-04-04 05:30:36 70304 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57:03 1860224 ---ha-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9808211A rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84A2049F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84a27740]; MOV EAX, [0x84a278b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x84B3FAB8]
3 CLASSPNP[0xF770FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000085[0x84B5D9E8]
5 ACPI[0xF7665620] -> nt!IofCallDriver[0x804E37D5] -> [0x84B5DD98]
\Driver\atapi[0x84B4E728] -> IRP_MJ_CREATE -> 0x84A2049F
error: Read Uno de los dispositivos vinculados al sistema no funciona.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x84A202C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:39:08.65 ===============

Attached Files
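The DDS and GMER output above contains several of the indicators a malware responder looks for first: browser-extension registrations with no backing file, script file associations that no longer point at their default handler, an executable with a random-looking name dropped straight into the all-users application-data folder, and a disk-stack trace whose atapi dispatch points into an unknown module. The following triage script is an added example (it is not part of the thread and not DDS or GMER code); it assumes the line formats seen in the log above and runs over a sample constructed from those entries.

```python
"""Triage helper for DDS/GMER-style log lines (added example; not part of the
thread or of the DDS tool). Assumptions: line formats follow what DDS printed
in the log above; the sample lines are constructed from it."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the DDS log quoted in the thread.
SAMPLE_DDS_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
2012-04-13 03:17:23 239104 ----a-w- c:\documents and settings\all users\datos de programa\Vt9w8IQZxAtnxH.exe
2012-04-02 07:14:28 418464 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84A2049F]<<
\Driver\atapi DriverStartIo -> 0x84A202C6
Warning: possible TDL3 rootkit infection !
"""


@dataclass
class Finding:
    severity: str   # "low", "medium" or "high"
    reason: str
    line: str


# Browser/shell extension registrations whose DLL is gone ("No File").
ORPHAN_RE = re.compile(r"^(BHO|TB|SEH|SSODL|Notify): .* - No File$")
# DDS lists file associations only when they differ from the default handler.
ASSOC_RE = re.compile(r"^(?P<ftype>[A-Za-z]+file)=(?P<cmd>.+)$", re.IGNORECASE)
# "Created Last 30" entry for an executable: date time size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+\.exe)$", re.IGNORECASE)
# An .exe sitting directly in the all-users application-data root (English or Spanish XP name).
ALLUSERS_APPDATA_RE = re.compile(
    r"\\all users\\(application data|datos de programa)\\[^\\]+\.exe$", re.IGNORECASE)
# GMER disk-trace anomalies: a dispatch into an unnamed module, or a hooked driver routine.
GMER_UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")
GMER_HOOK_RE = re.compile(r"^\\Driver\\\w+ \w+ -> 0x[0-9A-Fa-f]+$")


def looks_random(stem):
    """Heuristic for machine-generated names: digits present and many
    switches between lower/upper/digit classes (CamelCase alone is not enough)."""
    if len(stem) < 8 or not any(c.isdigit() for c in stem):
        return False

    def cls(c):
        return "d" if c.isdigit() else ("u" if c.isupper() else "l")

    switches = sum(1 for a, b in zip(stem, stem[1:]) if cls(a) != cls(b))
    return switches >= 5


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("low", "orphaned extension registration (No File)", line))
        elif ASSOC_RE.match(line):
            m = ASSOC_RE.match(line)
            findings.append(Finding(
                "medium", f"non-default handler for {m['ftype']}: {m['cmd']}", line))
        elif CREATED_RE.match(line):
            path = CREATED_RE.match(line)["path"]
            if ALLUSERS_APPDATA_RE.search(path):
                stem = path.rsplit("\\", 1)[-1][:-4]
                sev = "high" if looks_random(stem) else "medium"
                findings.append(Finding(
                    sev, "executable created directly in the all-users application-data root", line))
        elif GMER_UNKNOWN_RE.search(line) or GMER_HOOK_RE.match(line) or line.startswith("Warning:"):
            findings.append(Finding("high", "GMER disk-stack anomaly (possible MBR/TDL rootkit)", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'low': 2, 'medium': 2, 'high': 4}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_DDS_LOG)))
```

The script only ranks lines; it does not decide what to remove. The "medium" file-association finding is deliberately not labelled malicious, because redirecting script types to Notepad is also something cleanup tools do, so the responder has to attribute it before acting, exactly as the helper in this thread does by asking for further logs.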




#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 15 April 2012 - 09:32 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please do this from the Safe Mode:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Mr_Llanes

  • Topic Starter
  • Members
  • 26 posts

Posted 16 April 2012 - 02:33 AM

Hello RPMcMurphy!

Thanks a lot for your reply!

From your response, I understand that we should try to fix my computer rather than just format it and re-install it again. I really appreciate all the effort and help!

It was tough! ComboFix did find a hard infection, below you may find the contents of the log, please let me know what are the next steps.

Best regards,

Mr_Llanes


ComboFix 12-04-15.02 - Administrador 16/04/2012 1:31.3.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.895.709 [GMT -5:00]
Running from: c:\documents and settings\Administrador.LLANES\Escritorio\ComboFix.exe
AV: System Shield *Enabled/Outdated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Datos de programa\Vt9w8IQZxAtnxH
c:\windows\system32\dllcache\dlimport.exe
c:\windows\$NtUninstallKB21292$\252102320 . . . . Failed to delete
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\afd.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-16 07:06 . 2012-04-16 07:11 6860 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-16 06:51 . 2008-04-14 05:49 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-15 08:24 . 2012-04-15 08:24 -------- d-----w- C:\FakeAlert Removal
2012-04-13 03:25 . 2012-04-13 03:26 -------- d-----w- c:\documents and settings\Administrador
2012-04-13 03:17 . 2012-04-13 03:17 239104 ----a-w- c:\documents and settings\All Users\Datos de programa\Vt9w8IQZxAtnxH.exe
2012-04-12 04:17 . 2012-04-12 04:17 -------- d--h--w- c:\documents and settings\NetworkService\Menú Inicio
2012-04-08 06:17 . 2012-04-08 06:17 -------- d--h--r- c:\documents and settings\LocalService\Favoritos
2012-04-02 07:14 . 2012-04-04 05:30 418464 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-28 05:46 . 2012-03-28 05:46 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\Premium
2012-03-28 05:44 . 2012-03-28 05:45 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\CodecC
2012-03-28 05:44 . 2012-03-28 05:47 -------- d-----w- C:\codec-info
2012-03-28 05:44 . 2012-03-28 05:47 -------- d--h--w- c:\documents and settings\All Users\Datos de programa\InstallMate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 05:30 . 2011-12-30 06:44 70304 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2004-08-19 13:30 1860224 ---ha-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\archivos de programa\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD88DAF1-29CE-4B00-96DB-FD610A48B1CB}]
2012-03-27 19:01 141312 ---ha-w- c:\documents and settings\All Users\Datos de programa\CodecC\bhoclass.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ---ha-w- c:\archivos de programa\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\archivos de programa\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ---ha-w- c:\documents and settings\PC\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ---ha-w- c:\documents and settings\PC\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ---ha-w- c:\documents and settings\PC\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49 94208 ---ha-w- c:\documents and settings\PC\Datos de programa\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"WBMKEYBD"="c:\windows\WBMKbdAP.exe" [2008-01-03 145920]
"HP Software Update"="c:\archivos de programa\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Acrobat Assistant 8.0"="c:\archivos de programa\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]
"TkBellExe"="c:\archivos de programa\Real\RealPlayer\update\realsched.exe" [2011-12-05 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\PC\Datos de programa\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\PC\Datos de programa\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\PC\Datos de programa\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\archivos de programa\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0????\0\0\0???????fR\0??????\0autocheck smrgdf c:\documents and settings\Administrador.LLANES\Datos de programa\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Corel\\DVD9\\WinDVD.exe"=
"c:\\Archivos de programa\\iolo\\System Mechanic Professional\\SysMech.exe"=
"c:\\Archivos de programa\\Archivos comunes\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Archivos de programa\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\PC\\Datos de programa\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Administración remota de Windows
.
R2 AMP;AMP;c:\windows\system32\drivers\amp.sys [9/28/2011 1:12 PM 138048]
R2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [9/28/2011 1:12 PM 1189184]
R2 ioloSystemService;iolo System Service;c:\archivos de programa\iolo\Common\Lib\ioloServiceManager.exe [6/17/2011 1:17 AM 722616]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\archivos de programa\Secunia\PSI\psia.exe [10/14/2011 1:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\archivos de programa\Secunia\PSI\sua.exe [10/14/2011 1:01 AM 399416]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
R2 vseamps;vseamps;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseamps.exe [9/28/2011 12:59 PM 97088]
R2 vsedsps;vsedsps;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vsedsps.exe [9/28/2011 12:59 PM 97088]
R2 vseqrts;vseqrts;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseqrts.exe [9/28/2011 12:59 PM 142144]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/26/2010 3:20 PM 74752]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [4/18/2005 1:00 AM 235904]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [5/26/2010 3:21 PM 6144]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 2:14 AM 253600]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/19/2004 8:43 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 05:30]
.
2012-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-287218729-839522115-1003.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-287218729-839522115-1003.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-04-16 c:\windows\Tasks\User_Feed_Synchronization-{A1D73C7D-FE51-4D32-93B6-B3EC40E6F03A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\archiv~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\archivos de programa\SpeedBit Video Accelerator\LSP3.2.2.4\SBLSP.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-AMP
SafeBoot-AMPSE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 02:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9808211A rev.3.02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read Uno de los dispositivos vinculados al sistema no funciona.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x84A5A2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll
c:\archivos de programa\SpeedBit Video Accelerator\LSP3.2.2.4\SBLSP.dll
c:\archivos de programa\SpeedBit Video Accelerator\DLL3.2.2.6\ConfigDB.dll
.
- - - - - - - > 'explorer.exe'(7296)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\documents and settings\PC\Datos de programa\Dropbox\bin\DropboxExt.14.dll
c:\archivos de programa\Windows Desktop Search\deskbar.dll
c:\archivos de programa\Windows Desktop Search\es-es\dbres.dll.mui
c:\archivos de programa\Windows Desktop Search\dbres.dll
c:\archivos de programa\Windows Desktop Search\wordwheel.dll
c:\archivos de programa\Windows Desktop Search\es-es\msnlExtRes.dll.mui
c:\archivos de programa\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\archivos de programa\Juniper Networks\Common Files\dsNcService.exe
c:\archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\archivos de programa\Archivos comunes\Protexis\License Service\PsiService_2.exe
c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\archivos de programa\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-04-16 02:25:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-16 07:25
.
Pre-Run: 60,854,882,304 bytes libres
Post-Run: 60,241,068,032 bytes libres
.
- - End Of File - - 76DA4FBD8AD0C195BC6469815CC98ADC
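Two parts of the ComboFix log above deserve a closer look than the file listings: the Session Manager BootExecute value, which should normally contain only the default autochk entry but here carries unreadable data and a second command, and the firewall exceptions, where an application authorized from a user profile directory is worth attributing. The following script is an added example (not ComboFix's code and not from the thread); it assumes the log layout shown above (bracketed registry keys as section headers, "." separators, ComboFix's doubled backslashes and literal backslash-zero separators in REG_MULTI_SZ values) and runs on a sample constructed from the log, plus one invented Enabled port line so that both branches of the port check are exercised.

```python
"""Checks over the 'Reg Loading Points' part of a ComboFix log (added
example; not ComboFix's own code and not from the thread). Assumes the layout
shown in the thread: bracketed registry keys as section headers, '.' separator
lines, doubled backslashes in quoted paths and a literal backslash-zero between
REG_MULTI_SZ entries."""
from collections import OrderedDict

# Constructed sample based on the ComboFix log in the thread; the 135:TCP line
# is invented so that an Enabled port is present.
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0????\0\0\0???????fR\0??????\0autocheck smrgdf c:\documents and settings\Administrador.LLANES\Datos de programa\iolo\
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\PC\\Datos de programa\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Administración remota de Windows
"135:TCP"= 135:TCP:*:Enabled:Constructed example entry
"""

# The only BootExecute entry a stock Windows XP installation carries.
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"


def parse_reg_sections(text):
    """Map each bracketed registry key to the value lines listed under it."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def boot_execute_extras(sections):
    """BootExecute entries other than the default; each one has to be attributed
    to an installed product or treated as suspicious."""
    for key, lines in sections.items():
        if not key.lower().endswith("\\session manager"):
            continue
        for ln in lines:
            name, _, rest = ln.partition(" ")
            if name.lower() != "bootexecute":
                continue
            _kind, _, value = rest.partition(" ")          # drop "REG_MULTI_SZ"
            entries = [e for e in value.split("\\0") if e]  # split on literal \0
            return [e for e in entries if e != DEFAULT_BOOT_EXECUTE]
    return []


def unreadable_boot_entries(sections):
    """Entries ComboFix could not render (shown as '?'), i.e. non-text bytes in
    a value that should hold only command lines."""
    return [e for e in boot_execute_extras(sections) if "?" in e]


def firewall_authorized_apps(sections):
    """Paths from the firewall AuthorizedApplications list, unescaped."""
    apps = []
    for key, lines in sections.items():
        if key.lower().endswith("authorizedapplications\\list"):
            for ln in lines:
                path = ln.split("=", 1)[0].strip().strip('"').replace("\\\\", "\\")
                apps.append(path)
    return apps


def suspicious_firewall_exceptions(sections):
    """Authorized applications that live inside a user profile rather than in
    Program Files or the Windows directory."""
    return [p for p in firewall_authorized_apps(sections)
            if "\\documents and settings\\" in p.lower()]


def enabled_open_ports(sections):
    """Globally open ports whose state field is Enabled (format port:proto:scope:state:name)."""
    out = []
    for key, lines in sections.items():
        if key.lower().endswith("globallyopenports\\list"):
            for ln in lines:
                _, _, spec = ln.partition("=")
                fields = spec.strip().split(":")
                if len(fields) >= 4 and fields[3].lower() == "enabled":
                    out.append(fields[0] + ":" + fields[1])
    return out


if __name__ == "__main__":
    s = parse_reg_sections(SAMPLE_COMBOFIX_REG)
    print("BootExecute extras:", boot_execute_extras(s))
    print("unreadable BootExecute entries:", unreadable_boot_entries(s))
    print("firewall exceptions in user profiles:", suspicious_firewall_exceptions(s))
    print("enabled global ports:", enabled_open_ports(s))
```

On the sample the second BootExecute command points under an iolo directory and the profile-resident firewall exception is Dropbox, both of which are installed products on this machine, so the checks produce leads to verify rather than verdicts; the unreadable bytes in BootExecute are the part that cannot be explained from the log alone.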

#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 16 April 2012 - 11:33 AM

You have a nasty rootkit infection, but thus far we are making good progress cleaning it up. Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • When the window opens, click on Change Parameters.
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System".
  • Click OK.
  • Press Start Scan.
  • If malicious objects are found, then ensure Cure is selected. Important: if there is no option to "Cure", it is critical that you select "Skip".
  • Then click Continue > Reboot now.
  • Once complete, a log will be produced in c:\. It will be named, for example, TDSSKiller.2.7.1.0_19.01.2012_17.24.26_log.txt
  • Post that log, please.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above http://

http://www.bleepingcomputer.com/forums/topic450198.html
Collect::
c:\documents and settings\All Users\Datos de programa\Vt9w8IQZxAtnxH.exe
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member



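The TDSSKiller log requested above lists each scanned driver or service as an object line (name, MD5, on-disk path) followed by a verdict line ("name - ok" or another verdict). As an added example, not part of this thread or of the TDSSKiller tool, here is a small Python parser for that format that attaches each verdict to its object and returns everything whose verdict is not a plain "ok"; the sample log is constructed from lines in this thread plus one constructed non-ok entry whose verdict wording ("detected") and driver name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One TDSSKiller log line: "HH:MM:SS.mmmm <pid> <message>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d{4})\s+(.*)$")
# An object line inside the scan: "<name> (<md5>) <path>"
OBJECT_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None    # None when TDSSKiller found no file on disk
    path: Optional[str] = None
    status: Optional[str] = None  # verdict from the "<name> - <status>" line


def parse_tdsskiller_log(text: str) -> List[Entry]:
    """Parse the scan section of a TDSSKiller log into one Entry per object.

    Lines before "Scan started" (system info, drive geometry) are skipped.
    An object line carries the MD5 and path; the verdict line that follows
    it is attached to the same entry. Objects that have no file on disk
    (e.g. "Abiosdsk - ok") appear only as a verdict line.
    """
    entries: Dict[str, Entry] = {}
    order: List[str] = []
    in_scan = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg == "Scan started":
            in_scan = True
            continue
        if not in_scan or msg.startswith("=") or msg.startswith("Mode:"):
            continue
        obj = OBJECT_RE.match(msg)
        if obj:
            name = obj.group("name")
            if name not in entries:
                entries[name] = Entry(name)
                order.append(name)
            entries[name].md5 = obj.group("md5")
            entries[name].path = obj.group("path")
        elif " - " in msg:
            # Split on the last " - " so names containing spaces survive.
            name, status = msg.rsplit(" - ", 1)
            if name not in entries:
                entries[name] = Entry(name)
                order.append(name)
            entries[name].status = status.strip()
    return [entries[n] for n in order]


def needs_attention(entries: List[Entry]) -> List[Entry]:
    """Return every entry whose verdict is anything other than a plain 'ok'."""
    return [e for e in entries if e.status != "ok"]


# Constructed sample: the first lines reproduce the format of the log in this
# thread; the final "exampledrv" object and its "detected" verdict are made up.
SAMPLE_LOG = """\
00:31:01.0671 0176 Scan started
00:31:01.0671 0176 Mode: Manual; TDLFS;
00:31:01.0671 0176 ============================================================
00:31:03.0968 0176 Abiosdsk - ok
00:31:05.0609 0176 ACPI (cf2a07e1751a2d612d7e13aa431ab057) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
00:31:05.0812 0176 ACPI - ok
00:34:21.0625 0176 Pml Driver HPZ12 (fb03f341ff5380394bf2ee52f1979925) C:\\WINDOWS\\system32\\HPZipm12.exe
00:34:21.0703 0176 Pml Driver HPZ12 - ok
00:35:20.0000 0176 exampledrv (00000000000000000000000000000000) C:\\WINDOWS\\system32\\DRIVERS\\exampledrv.sys
00:35:20.0100 0176 exampledrv - detected
"""

if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(parsed)} objects scanned")
    for e in needs_attention(parsed):
        print(f"{e.name}: status={e.status} md5={e.md5} path={e.path}")
```

Running it over a real log file (read the file and pass its text to parse_tdsskiller_log) shows only the entries a reviewer has to look at instead of the hundreds of "- ok" lines.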

#5 Mr_Llanes
  • Topic Starter
  • Members

Posted 20 April 2012 - 12:21 AM

Hello RPMcMurphy!

I wish you well! I really, really appreciate all your help in this matter.

Below you may find the two logs that you requested:

TDSSKiller log:
00:30:26.0109 2008 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
00:30:26.0125 2008 ============================================================
00:30:26.0125 2008 Current date / time: 2012/04/18 00:30:26.0125
00:30:26.0125 2008 SystemInfo:
00:30:26.0125 2008
00:30:26.0125 2008 OS Version: 5.1.2600 ServicePack: 3.0
00:30:26.0125 2008 Product type: Workstation
00:30:26.0125 2008 ComputerName: LLANES
00:30:26.0125 2008 UserName: Administrador
00:30:26.0125 2008 Windows directory: C:\WINDOWS
00:30:26.0125 2008 System windows directory: C:\WINDOWS
00:30:26.0140 2008 Processor architecture: Intel x86
00:30:26.0140 2008 Number of processors: 1
00:30:26.0140 2008 Page size: 0x1000
00:30:26.0140 2008 Boot type: Safe boot
00:30:26.0140 2008 ============================================================
00:30:41.0734 2008 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2861, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
00:30:41.0734 2008 Drive \Device\Harddisk1\DR2 - Size: 0x3C700000 (0.94 Gb), SectorSize: 0x200, Cylinders: 0x7B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
00:30:41.0734 2008 \Device\Harddisk0\DR0:
00:30:41.0734 2008 MBR used
00:30:41.0734 2008 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
00:30:41.0734 2008 \Device\Harddisk1\DR2:
00:30:41.0734 2008 MBR used
00:30:41.0734 2008 \Device\Harddisk1\DR2\Partition0: MBR, Type 0x6, StartLBA 0x9F8, BlocksNum 0x1E2E08
00:30:41.0921 2008 Initialize success
00:30:41.0921 2008 ============================================================
00:31:01.0671 0176 ============================================================
00:31:01.0671 0176 Scan started
00:31:01.0671 0176 Mode: Manual; TDLFS;
00:31:01.0671 0176 ============================================================
00:31:03.0968 0176 Abiosdsk - ok
00:31:04.0640 0176 abp480n5 - ok
00:31:05.0609 0176 ACPI (cf2a07e1751a2d612d7e13aa431ab057) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:31:05.0812 0176 ACPI - ok
00:31:06.0609 0176 ACPIEC (1c905333c0b9f3d7c68ddf25e54b00f9) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
00:31:06.0625 0176 ACPIEC - ok
00:31:07.0453 0176 ActivHidSerMini (975e7bb16739d09d0f565e3923361bb2) C:\WINDOWS\system32\DRIVERS\activhidsermini.sys
00:31:07.0531 0176 ActivHidSerMini - ok
00:31:08.0515 0176 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
00:31:08.0515 0176 AdobeFlashPlayerUpdateSvc - ok
00:31:09.0281 0176 adpu160m - ok
00:31:10.0171 0176 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
00:31:10.0328 0176 aec - ok
00:31:11.0156 0176 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
00:31:11.0312 0176 AFD - ok
00:31:11.0984 0176 Aha154x - ok
00:31:12.0656 0176 aic78u2 - ok
00:31:13.0359 0176 aic78xx - ok
00:31:14.0031 0176 Alerter (fedca791a089d4e15084da10f38bce45) C:\WINDOWS\system32\alrsvc.dll
00:31:14.0046 0176 Alerter - ok
00:31:14.0734 0176 ALG (764b7a1e6ae2d70416a7932f3b97ac99) C:\WINDOWS\System32\alg.exe
00:31:14.0781 0176 ALG - ok
00:31:15.0484 0176 AliIde - ok
00:31:16.0312 0176 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
00:31:16.0359 0176 AmdPPM - ok
00:31:17.0218 0176 AMP (a7634ad081a97dd792ab261d80eafd84) C:\WINDOWS\system32\DRIVERS\amp.sys
00:31:17.0359 0176 AMP - ok
00:31:19.0281 0176 AMPSE (839c3a79cb536a2412b4f39e50015e59) C:\WINDOWS\system32\DRIVERS\ampse.sys
00:31:20.0500 0176 AMPSE - ok
00:31:21.0218 0176 amsint - ok
00:31:21.0453 0176 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
00:31:21.0531 0176 Apple Mobile Device - ok
00:31:22.0453 0176 AppMgmt (30cd42bfcdafefe8567b9e527dd3ae08) C:\WINDOWS\System32\appmgmts.dll
00:31:22.0625 0176 AppMgmt - ok
00:31:23.0453 0176 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
00:31:23.0515 0176 Arp1394 - ok
00:31:24.0234 0176 asc - ok
00:31:24.0937 0176 asc3350p - ok
00:31:25.0609 0176 asc3550 - ok
00:31:26.0031 0176 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
00:31:26.0156 0176 aspnet_state - ok
00:31:26.0953 0176 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:31:26.0968 0176 AsyncMac - ok
00:31:27.0843 0176 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:31:27.0843 0176 atapi - ok
00:31:28.0578 0176 Atdisk - ok
00:31:29.0718 0176 Ati HotKey Poller (8afb4aff8837254e6d14338b1b11e690) C:\WINDOWS\system32\Ati2evxx.exe
00:31:30.0234 0176 Ati HotKey Poller - ok
00:31:33.0890 0176 ati2mtag (d0c00ee032994b698b47837a3561717a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
00:31:36.0781 0176 ati2mtag - ok
00:31:37.0625 0176 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:31:37.0687 0176 Atmarpc - ok
00:31:38.0515 0176 ATSWPDRV (b92864fe3c6e7d8d0a6b5603def691fd) C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
00:31:38.0656 0176 ATSWPDRV - ok
00:31:39.0359 0176 AudioSrv (a37f6480b06c37db69bbff045cf9f55b) C:\WINDOWS\System32\audiosrv.dll
00:31:39.0421 0176 AudioSrv - ok
00:31:40.0187 0176 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
00:31:40.0187 0176 audstub - ok
00:31:41.0031 0176 b57w2k (03758a3307168a783d3498ec1d392611) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
00:31:41.0171 0176 b57w2k - ok
00:31:42.0546 0176 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
00:31:43.0203 0176 BCM43XX - ok
00:31:44.0031 0176 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
00:31:44.0031 0176 Beep - ok
00:31:45.0140 0176 BITS (8ee9639c01b92490e09638caa1b16c3c) C:\WINDOWS\system32\qmgr.dll
00:31:45.0718 0176 BITS - ok
00:31:46.0515 0176 Browser (e28818bd591f8af8fbe9897472b9665e) C:\WINDOWS\System32\browser.dll
00:31:46.0593 0176 Browser - ok
00:31:47.0437 0176 CAMCAUD (3c17c5cb8655c9f8e973328926e074bd) C:\WINDOWS\system32\drivers\camc6aud.sys
00:31:47.0468 0176 CAMCAUD - ok
00:31:48.0531 0176 CAMCHALA (d72e555dd5e75c59b0338b0feb1a215b) C:\WINDOWS\system32\drivers\camc6hal.sys
00:31:48.0906 0176 CAMCHALA - ok
00:31:49.0046 0176 catchme - ok
00:31:49.0921 0176 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
00:31:49.0937 0176 cbidf2k - ok
00:31:50.0781 0176 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
00:31:50.0796 0176 CCDECODE - ok
00:31:51.0515 0176 cd20xrnt - ok
00:31:52.0234 0176 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
00:31:52.0265 0176 Cdaudio - ok
00:31:53.0062 0176 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
00:31:53.0125 0176 Cdfs - ok
00:31:53.0906 0176 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:31:53.0968 0176 Cdrom - ok
00:31:54.0687 0176 Changer - ok
00:31:55.0375 0176 CiSvc (b0e3fec4ee7b935a7387fd6ef31ea780) C:\WINDOWS\system32\cisvc.exe
00:31:55.0390 0176 CiSvc - ok
00:31:56.0062 0176 ClipSrv (0c3bf68ab94cefd64b333b326f84510e) C:\WINDOWS\system32\clipsrv.exe
00:31:56.0093 0176 ClipSrv - ok
00:31:56.0515 0176 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
00:31:56.0703 0176 clr_optimization_v2.0.50727_32 - ok
00:31:57.0187 0176 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
00:31:57.0375 0176 clr_optimization_v4.0.30319_32 - ok
00:31:58.0281 0176 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
00:31:58.0328 0176 CmBatt - ok
00:31:59.0171 0176 CmdIde - ok
00:31:59.0953 0176 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
00:31:59.0968 0176 Compbatt - ok
00:32:00.0593 0176 COMSysApp - ok
00:32:01.0281 0176 Cpqarray - ok
00:32:02.0000 0176 CryptSvc (e423c9c1946c656e0e4840210a0a8681) C:\WINDOWS\System32\cryptsvc.dll
00:32:02.0031 0176 CryptSvc - ok
00:32:02.0734 0176 dac2w2k - ok
00:32:03.0437 0176 dac960nt - ok
00:32:04.0500 0176 DcomLaunch (97869c55f562b777987100ea30ad8108) C:\WINDOWS\system32\rpcss.dll
00:32:04.0875 0176 DcomLaunch - ok
00:32:05.0640 0176 Dhcp (2ddfb3a5679fa02366686ecb1af622f0) C:\WINDOWS\System32\dhcpcsvc.dll
00:32:05.0765 0176 Dhcp - ok
00:32:06.0546 0176 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
00:32:06.0578 0176 Disk - ok
00:32:07.0187 0176 dmadmin - ok
00:32:08.0765 0176 dmboot (c252a99c0a78b39faa2e2d1d048b1050) C:\WINDOWS\system32\drivers\dmboot.sys
00:32:09.0625 0176 dmboot - ok
00:32:10.0562 0176 dmio (33b4d4039cd2cb25351a7bf13b2988d9) C:\WINDOWS\system32\drivers\dmio.sys
00:32:10.0734 0176 dmio - ok
00:32:11.0421 0176 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:32:11.0437 0176 dmload - ok
00:32:12.0109 0176 dmserver (40d0520ddaa9312c5dddd8c7c99d8325) C:\WINDOWS\System32\dmserver.dll
00:32:12.0109 0176 dmserver - ok
00:32:12.0906 0176 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
00:32:12.0953 0176 DMusic - ok
00:32:13.0656 0176 Dnscache (2e6d76cab5a402af257a963916fe05e7) C:\WINDOWS\System32\dnsrslvr.dll
00:32:13.0703 0176 Dnscache - ok
00:32:14.0562 0176 Dot3svc (412134c50e2063d882ef1634676e2b25) C:\WINDOWS\System32\dot3svc.dll
00:32:14.0703 0176 Dot3svc - ok
00:32:15.0421 0176 dpti2o - ok
00:32:16.0140 0176 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
00:32:16.0140 0176 drmkaud - ok
00:32:16.0921 0176 dsNcAdpt (b2c3f71b86e25c3df78339ddb40a7562) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
00:32:16.0953 0176 dsNcAdpt - ok
00:32:17.0781 0176 dsNcService (60ae3d932bc594ff9cdc91f7cd2c2015) C:\Archivos de programa\Juniper Networks\Common Files\dsNcService.exe
00:32:18.0484 0176 dsNcService - ok
00:32:19.0250 0176 EapHost (fc3fe3654588e597fff395c305062c46) C:\WINDOWS\System32\eapsvc.dll
00:32:19.0296 0176 EapHost - ok
00:32:19.0984 0176 ERSvc (d96623dd7ce1ea9e4de7285d740e14f6) C:\WINDOWS\System32\ersvc.dll
00:32:20.0000 0176 ERSvc - ok
00:32:20.0796 0176 Eventlog (953df7327510df0de048b8e80e504ef9) C:\WINDOWS\system32\services.exe
00:32:20.0859 0176 Eventlog - ok
00:32:21.0750 0176 EventSystem (a225dd0d0489bd580781d19524a10b19) C:\WINDOWS\system32\es.dll
00:32:21.0984 0176 EventSystem - ok
00:32:22.0859 0176 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
00:32:23.0015 0176 Fastfat - ok
00:32:23.0812 0176 FastUserSwitchingCompatibility (1f617c5a76215c380478d750ce92cc73) C:\WINDOWS\System32\shsvcs.dll
00:32:24.0046 0176 FastUserSwitchingCompatibility - ok
00:32:24.0859 0176 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
00:32:24.0890 0176 Fdc - ok
00:32:25.0625 0176 FileDisk (0694585d54bf46379ce41aee2b6864aa) C:\WINDOWS\system32\drivers\FileDisk.sys
00:32:25.0640 0176 FileDisk - ok
00:32:26.0390 0176 FilterService (50104c5f1ee1e295781caf9521ca2e56) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
00:32:26.0421 0176 FilterService - ok
00:32:27.0171 0176 Fips (e5e61f2c07344e91dbfb7eafde549ab4) C:\WINDOWS\system32\drivers\Fips.sys
00:32:27.0218 0176 Fips - ok
00:32:27.0953 0176 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
00:32:27.0968 0176 Flpydisk - ok
00:32:28.0828 0176 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
00:32:28.0968 0176 FltMgr - ok
00:32:29.0390 0176 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
00:32:29.0453 0176 FontCache3.0.0.0 - ok
00:32:30.0312 0176 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:32:30.0328 0176 Fs_Rec - ok
00:32:31.0187 0176 Ftdisk (cc5f3af5711a1c7c8fa1d43bb16b401a) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:32:31.0343 0176 Ftdisk - ok
00:32:32.0171 0176 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:32:32.0203 0176 Gpc - ok
00:32:32.0531 0176 helpsvc (6b5e1788abf15177a20c6c76c11382bb) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
00:32:32.0531 0176 helpsvc - ok
00:32:33.0281 0176 HidServ (158aedf024cd58fea03be2d7d62abc9c) C:\WINDOWS\System32\hidserv.dll
00:32:33.0312 0176 HidServ - ok
00:32:34.0046 0176 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:32:34.0062 0176 HidUsb - ok
00:32:34.0859 0176 hkmsvc (8f80b5fb68e1e767d872cb9a8cad5b5d) C:\WINDOWS\System32\kmsvc.dll
00:32:34.0921 0176 hkmsvc - ok
00:32:35.0625 0176 hpn - ok
00:32:36.0421 0176 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
00:32:36.0484 0176 HPZid412 - ok
00:32:37.0250 0176 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
00:32:37.0265 0176 HPZipr12 - ok
00:32:38.0078 0176 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
00:32:38.0109 0176 HPZius12 - ok
00:32:39.0093 0176 HSFHWATI (36b13bc557c0e28b1bfb65aebf4ce5ff) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
00:32:39.0343 0176 HSFHWATI - ok
00:32:41.0156 0176 HSF_DP (6fbefacc2a0379bf3b395b0ca0cadb17) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
00:32:42.0250 0176 HSF_DP - ok
00:32:44.0031 0176 HSF_DPV (c9f4e7da78a02623abf78a4a34ce79b1) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
00:32:45.0062 0176 HSF_DPV - ok
00:32:46.0187 0176 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
00:32:46.0453 0176 HTTP - ok
00:32:47.0171 0176 HTTPFilter (0406b351908a8c143b6b6bb8834d4920) C:\WINDOWS\System32\w3ssl.dll
00:32:47.0203 0176 HTTPFilter - ok
00:32:47.0875 0176 i2omgmt - ok
00:32:48.0546 0176 i2omp - ok
00:32:49.0328 0176 i8042prt (4a2490a66e8271901e89dd5fb79748ae) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:32:49.0406 0176 i8042prt - ok
00:32:50.0640 0176 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
00:32:51.0625 0176 idsvc - ok
00:32:52.0484 0176 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:32:52.0531 0176 Imapi - ok
00:32:53.0328 0176 ImapiService (e50abd04ca0c015017722014d1d9251e) C:\WINDOWS\system32\imapi.exe
00:32:53.0484 0176 ImapiService - ok
00:32:54.0281 0176 ini910u - ok
00:32:55.0000 0176 IntelIde - ok
00:32:55.0906 0176 ioloSystemService (8c2d445f874cb05773b813ed853607cf) C:\Archivos de programa\iolo\Common\Lib\ioloServiceManager.exe
00:32:56.0656 0176 ioloSystemService - ok
00:32:57.0484 0176 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
00:32:57.0515 0176 Ip6Fw - ok
00:32:58.0343 0176 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:32:58.0375 0176 IpFilterDriver - ok
00:32:59.0140 0176 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:32:59.0171 0176 IpInIp - ok
00:33:00.0046 0176 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:33:00.0203 0176 IpNat - ok
00:33:01.0000 0176 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:33:01.0078 0176 IPSec - ok
00:33:01.0812 0176 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:33:01.0843 0176 IRENUM - ok
00:33:02.0656 0176 isapnp (0f3d281b0410fe5d482aada37d20524b) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:33:02.0703 0176 isapnp - ok
00:33:03.0406 0176 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
00:33:03.0421 0176 Iviaspi - ok
00:33:03.0703 0176 IviRegMgr (213822072085b5bbad9af30ab577d817) C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
00:33:03.0843 0176 IviRegMgr - ok
00:33:04.0203 0176 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Archivos de programa\Java\jre6\bin\jqs.exe
00:33:04.0390 0176 JavaQuickStarterService - ok
00:33:05.0234 0176 Kbdclass (188ddd286bc0daea6984858c6a4d7bbf) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:33:05.0265 0176 Kbdclass - ok
00:33:06.0000 0176 kbdhid (72efebecf76eb1dccc5ba9ea746d90e8) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
00:33:06.0015 0176 kbdhid - ok
00:33:06.0906 0176 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
00:33:07.0078 0176 kmixer - ok
00:33:08.0000 0176 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
00:33:08.0093 0176 KSecDD - ok
00:33:08.0859 0176 lanmanserver (ccfc469efd7ecddc8fc887bae7b8563f) C:\WINDOWS\System32\srvsvc.dll
00:33:08.0968 0176 lanmanserver - ok
00:33:09.0796 0176 lanmanworkstation (3db7b764f5066587dae58a71ae51292e) C:\WINDOWS\System32\wkssvc.dll
00:33:09.0968 0176 lanmanworkstation - ok
00:33:10.0718 0176 lbrtfdc - ok
00:33:11.0437 0176 LmHosts (01af2112ff79aa613b6621a75c4e9277) C:\WINDOWS\System32\lmhsvc.dll
00:33:11.0453 0176 LmHosts - ok
00:33:12.0218 0176 LVPr2Mon (f96cfb47903854f228baaf3e2d41a0a3) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
00:33:12.0250 0176 LVPr2Mon - ok
00:33:12.0562 0176 LVPrcSrv (ff23862146a682fcc3dbaa002e22f958) C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPrcSrv.exe
00:33:12.0718 0176 LVPrcSrv - ok
00:33:14.0187 0176 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
00:33:14.0859 0176 LVRS - ok
00:33:15.0765 0176 lvselsus (9dd54f584758dbe8db56e218bd60874d) C:\WINDOWS\system32\DRIVERS\lvselsus.sys
00:33:15.0843 0176 lvselsus - ok
00:33:16.0656 0176 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\drivers\LVUSBSta.sys
00:33:16.0703 0176 LVUSBSta - ok
00:33:22.0265 0176 LVUVC (8bc0d5f6e3898f465a94c6d03afb5a20) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
00:33:27.0109 0176 LVUVC - ok
00:33:27.0921 0176 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
00:33:27.0937 0176 mdmxsdk - ok
00:33:28.0671 0176 Messenger (047e70b04b288439245ddc8dd1a31982) C:\WINDOWS\System32\msgsvc.dll
00:33:28.0703 0176 Messenger - ok
00:33:29.0453 0176 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:33:29.0468 0176 mnmdd - ok
00:33:30.0218 0176 mnmsrvc (85ada209695a677c9d60962cde10696b) C:\WINDOWS\system32\mnmsrvc.exe
00:33:30.0250 0176 mnmsrvc - ok
00:33:31.0000 0176 Modem (9024556e739b8469d2b8f5f0e4c9bc9f) C:\WINDOWS\system32\drivers\Modem.sys
00:33:31.0031 0176 Modem - ok
00:33:31.0765 0176 Mouclass (6fd36b4994a2363659a65c9f970cfdb7) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:33:31.0796 0176 Mouclass - ok
00:33:32.0531 0176 mouhid (8ee532e516b2d23d686cfc1cc0a15c25) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:33:32.0546 0176 mouhid - ok
00:33:33.0328 0176 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
00:33:33.0375 0176 MountMgr - ok
00:33:34.0062 0176 mraid35x - ok
00:33:34.0953 0176 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:33:35.0156 0176 MRxDAV - ok
00:33:36.0328 0176 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:33:36.0828 0176 MRxSmb - ok
00:33:37.0546 0176 MSDTC (975bd2762bf355a572597cc54d97ba93) C:\WINDOWS\system32\msdtc.exe
00:33:37.0562 0176 MSDTC - ok
00:33:38.0328 0176 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
00:33:38.0359 0176 Msfs - ok
00:33:38.0968 0176 MSIServer - ok
00:33:39.0765 0176 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:33:39.0781 0176 MSKSSRV - ok
00:33:40.0625 0176 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:33:40.0625 0176 MSPCLOCK - ok
00:33:41.0421 0176 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
00:33:41.0437 0176 MSPQM - ok
00:33:42.0218 0176 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:33:42.0234 0176 mssmbios - ok
00:33:43.0015 0176 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
00:33:43.0015 0176 MSTEE - ok
00:33:43.0875 0176 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
00:33:43.0984 0176 Mup - ok
00:33:44.0843 0176 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
00:33:44.0953 0176 NABTSFEC - ok
00:33:45.0953 0176 napagent (fd578fcc03bbd76af1e62202e6670d29) C:\WINDOWS\System32\qagentrt.dll
00:33:46.0265 0176 napagent - ok
00:33:47.0250 0176 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
00:33:47.0437 0176 NDIS - ok
00:33:48.0187 0176 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
00:33:48.0203 0176 NdisIP - ok
00:33:49.0000 0176 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:33:49.0015 0176 NdisTapi - ok
00:33:49.0796 0176 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:33:49.0812 0176 Ndisuio - ok
00:33:50.0656 0176 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:33:50.0750 0176 NdisWan - ok
00:33:51.0546 0176 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
00:33:51.0625 0176 NDProxy - ok
00:33:52.0578 0176 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:33:52.0609 0176 NetBIOS - ok
00:33:53.0500 0176 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:33:53.0671 0176 NetBT - ok
00:33:54.0515 0176 NetDDE (96b009e5b163850cf94dc333ed2bee93) C:\WINDOWS\system32\netdde.exe
00:33:54.0625 0176 NetDDE - ok
00:33:54.0765 0176 NetDDEdsdm (96b009e5b163850cf94dc333ed2bee93) C:\WINDOWS\system32\netdde.exe
00:33:54.0765 0176 NetDDEdsdm - ok
00:33:55.0515 0176 Netlogon (671aca589da3733fac878a751c5bf0ed) C:\WINDOWS\system32\lsass.exe
00:33:55.0531 0176 Netlogon - ok
00:33:56.0437 0176 Netman (a48884c9359ee9f1fc8f3f0d93fb1d95) C:\WINDOWS\System32\netman.dll
00:33:56.0640 0176 Netman - ok
00:33:57.0250 0176 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
00:33:57.0406 0176 NetTcpPortSharing - ok
00:33:58.0265 0176 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
00:33:58.0328 0176 NIC1394 - ok
00:33:59.0250 0176 Nla (5e11d375c92a0dda7ac4d487fc4e1978) C:\WINDOWS\System32\mswsock.dll
00:33:59.0468 0176 Nla - ok
00:34:00.0203 0176 NMIndexingService (cb992ae1506985d9167e85883b4c3240) C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
00:34:00.0781 0176 NMIndexingService - ok
00:34:01.0609 0176 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
00:34:01.0640 0176 Npfs - ok
00:34:02.0921 0176 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
00:34:03.0500 0176 Ntfs - ok
00:34:04.0156 0176 NtLmSsp (671aca589da3733fac878a751c5bf0ed) C:\WINDOWS\system32\lsass.exe
00:34:04.0156 0176 NtLmSsp - ok
00:34:05.0265 0176 NtmsSvc (d60c40d71a4d874c903255e4827afa0c) C:\WINDOWS\system32\ntmssvc.dll
00:34:05.0703 0176 NtmsSvc - ok
00:34:06.0406 0176 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:34:06.0406 0176 Null - ok
00:34:07.0187 0176 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:34:07.0203 0176 NwlnkFlt - ok
00:34:07.0921 0176 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:34:07.0953 0176 NwlnkFwd - ok
00:34:08.0734 0176 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
00:34:08.0796 0176 ohci1394 - ok
00:34:09.0640 0176 Parport (e7855cbd8bd1fda085a3f92cff7906e2) C:\WINDOWS\system32\DRIVERS\parport.sys
00:34:09.0734 0176 Parport - ok
00:34:10.0515 0176 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
00:34:10.0531 0176 PartMgr - ok
00:34:11.0312 0176 ParVdm (fad44d704ecd7d39ad01415b8bb34204) C:\WINDOWS\system32\drivers\ParVdm.sys
00:34:11.0328 0176 ParVdm - ok
00:34:12.0000 0176 pavboot - ok
00:34:12.0781 0176 PCI (f11bc84ae6c7b003b5e0c8eeb4a1f444) C:\WINDOWS\system32\DRIVERS\pci.sys
00:34:12.0859 0176 PCI - ok
00:34:13.0531 0176 PCIDump - ok
00:34:14.0250 0176 PCIIde (33d63f0a9021acb4d75d83b646b93a30) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:34:14.0250 0176 PCIIde - ok
00:34:15.0093 0176 Pcmcia (f50c27cca56dc97b3a45e7f0059bd2ba) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
00:34:15.0250 0176 Pcmcia - ok
00:34:15.0921 0176 PDCOMP - ok
00:34:16.0593 0176 PDFRAME - ok
00:34:17.0265 0176 PDRELI - ok
00:34:17.0937 0176 PDRFRAME - ok
00:34:18.0625 0176 perc2 - ok
00:34:19.0343 0176 perc2hib - ok
00:34:20.0093 0176 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
00:34:20.0109 0176 Pfc - ok
00:34:20.0890 0176 PlugPlay (953df7327510df0de048b8e80e504ef9) C:\WINDOWS\system32\services.exe
00:34:20.0890 0176 PlugPlay - ok
00:34:21.0625 0176 Pml Driver HPZ12 (fb03f341ff5380394bf2ee52f1979925) C:\WINDOWS\system32\HPZipm12.exe
00:34:21.0703 0176 Pml Driver HPZ12 - ok
00:34:22.0390 0176 PolicyAgent (671aca589da3733fac878a751c5bf0ed) C:\WINDOWS\system32\lsass.exe
00:34:22.0390 0176 PolicyAgent - ok
00:34:23.0171 0176 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:34:23.0218 0176 PptpMiniport - ok
00:34:23.0968 0176 prmvmouse (f1f70dde1fd6713bfb32c62a68a190b4) C:\WINDOWS\system32\DRIVERS\activmouse.sys
00:34:23.0984 0176 prmvmouse - ok
00:34:24.0765 0176 Processor (d4d8634dfdae3eca83620ee4088f7aa9) C:\WINDOWS\system32\DRIVERS\processr.sys
00:34:24.0812 0176 Processor - ok
00:34:25.0546 0176 ProtectedStorage (671aca589da3733fac878a751c5bf0ed) C:\WINDOWS\system32\lsass.exe
00:34:25.0562 0176 ProtectedStorage - ok
00:34:26.0328 0176 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
00:34:26.0390 0176 PSched - ok
00:34:27.0125 0176 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
00:34:27.0156 0176 PSI - ok
00:34:27.0484 0176 PSI_SVC_2 (a6a7ad767bf5141665f5c675f671b3e1) C:\Archivos de programa\Archivos comunes\Protexis\License Service\PsiService_2.exe
00:34:27.0687 0176 PSI_SVC_2 - ok
00:34:28.0515 0176 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:34:28.0531 0176 Ptilink - ok
00:34:29.0218 0176 ql1080 - ok
00:34:29.0906 0176 Ql10wnt - ok
00:34:30.0609 0176 ql12160 - ok
00:34:31.0281 0176 ql1240 - ok
00:34:31.0953 0176 ql1280 - ok
00:34:32.0687 0176 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:34:32.0703 0176 RasAcd - ok
00:34:33.0453 0176 RasAuto (8345c6f52f38a95b950b9b3d064ae3ee) C:\WINDOWS\System32\rasauto.dll
00:34:33.0546 0176 RasAuto - ok
00:34:34.0343 0176 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:34:34.0390 0176 Rasl2tp - ok
00:34:35.0234 0176 RasMan (b279f6a9ea3acb5844c103ed2db65b44) C:\WINDOWS\System32\rasmans.dll
00:34:35.0468 0176 RasMan - ok
00:34:36.0281 0176 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:34:36.0328 0176 RasPppoe - ok
00:34:37.0109 0176 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:34:37.0125 0176 Raspti - ok
00:34:38.0062 0176 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:34:38.0234 0176 Rdbss - ok
00:34:38.0953 0176 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:34:38.0953 0176 RDPCDD - ok
00:34:39.0890 0176 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:34:40.0078 0176 rdpdr - ok
00:34:40.0984 0176 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
00:34:41.0140 0176 RDPWD - ok
00:34:41.0921 0176 RDSessMgr (6193e6b05336c277ea4db39afa46bc23) C:\WINDOWS\system32\sessmgr.exe
00:34:42.0078 0176 RDSessMgr - ok
00:34:42.0875 0176 redbook (20950948970a0ea329b4254052bcf093) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:34:42.0937 0176 redbook - ok
00:34:43.0687 0176 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
00:34:43.0718 0176 regi - ok
00:34:44.0437 0176 RemoteAccess (1b7481d377bd7997452352f82f4cffed) C:\WINDOWS\System32\mprdim.dll
00:34:44.0500 0176 RemoteAccess - ok
00:34:45.0218 0176 RemoteRegistry (e424f05b07ac4357dc08d06218d76c7c) C:\WINDOWS\system32\regsvc.dll
00:34:45.0281 0176 RemoteRegistry - ok
00:34:46.0062 0176 RpcLocator (9fccbdbaa0cf915aac0132de1c9566b3) C:\WINDOWS\system32\locator.exe
00:34:46.0140 0176 RpcLocator - ok
00:34:47.0218 0176 RpcSs (97869c55f562b777987100ea30ad8108) C:\WINDOWS\System32\rpcss.dll
00:34:47.0218 0176 RpcSs - ok
00:34:48.0093 0176 RSVP (5e38212c2c00dc342e2281d2f6bfb746) C:\WINDOWS\system32\rsvp.exe
00:34:48.0250 0176 RSVP - ok
00:34:48.0968 0176 SamSs (671aca589da3733fac878a751c5bf0ed) C:\WINDOWS\system32\lsass.exe
00:34:48.0968 0176 SamSs - ok
00:34:49.0765 0176 SCardSvr (a50e4dd0e2a9df762807c84153b4953a) C:\WINDOWS\System32\SCardSvr.exe
00:34:49.0875 0176 SCardSvr - ok
00:34:50.0734 0176 Schedule (51be25c404d3dd344c6079de715e4977) C:\WINDOWS\system32\schedsvc.dll
00:34:50.0937 0176 Schedule - ok
00:34:51.0781 0176 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
00:34:51.0859 0176 sdbus - ok
00:34:52.0734 0176 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:34:52.0750 0176 Secdrv - ok
00:34:53.0437 0176 seclogon (b62c489373a1e1b949fc0faa90f3b47a) C:\WINDOWS\System32\seclogon.dll
00:34:53.0468 0176 seclogon - ok
00:34:54.0609 0176 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Archivos de programa\Secunia\PSI\PSIA.exe
00:34:55.0625 0176 Secunia PSI Agent - ok
00:34:56.0156 0176 Secunia Update Agent (0e88fdf474f2cdd370a4a6ce77d018f0) C:\Archivos de programa\Secunia\PSI\sua.exe
00:34:56.0546 0176 Secunia Update Agent - ok
00:34:57.0328 0176 SENS (a95a27c874b0931a6f8f656924f4a14a) C:\WINDOWS\system32\sens.dll
00:34:57.0375 0176 SENS - ok
00:34:58.0187 0176 Serial (f41b42b92ae9c1191858c3f80cc24a9c) C:\WINDOWS\system32\drivers\Serial.sys
00:34:58.0265 0176 Serial - ok
00:34:59.0093 0176 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:34:59.0093 0176 Sfloppy - ok
00:35:00.0125 0176 SharedAccess (4a4ef3ee166fad4a04b1d767ad986329) C:\WINDOWS\System32\ipnathlp.dll
00:35:00.0468 0176 SharedAccess - ok
00:35:01.0296 0176 ShellHWDetection (1f617c5a76215c380478d750ce92cc73) C:\WINDOWS\System32\shsvcs.dll
00:35:01.0312 0176 ShellHWDetection - ok
00:35:02.0062 0176 Simbad - ok
00:35:02.0796 0176 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
00:35:02.0812 0176 SLIP - ok
00:35:03.0515 0176 Sparrow - ok
00:35:04.0218 0176 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
00:35:04.0234 0176 splitter - ok
00:35:04.0968 0176 Spooler (cdd2dc6ae65084481e723e746c20539a) C:\WINDOWS\system32\spoolsv.exe
00:35:05.0031 0176 Spooler - ok
00:35:05.0828 0176 sr (ccb3065c3ee63a4515fe84af9e78d1dd) C:\WINDOWS\system32\DRIVERS\sr.sys
00:35:05.0937 0176 sr - ok
00:35:06.0796 0176 srservice (0f30eec6013fcf76693405ec4a7df899) C:\WINDOWS\system32\srsvc.dll
00:35:06.0937 0176 srservice - ok
00:35:08.0171 0176 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
00:35:08.0531 0176 Srv - ok
00:35:09.0390 0176 SSDPSRV (b622a432ef02895de4aa38ac8b85fa4c) C:\WINDOWS\System32\ssdpsrv.dll
00:35:09.0468 0176 SSDPSRV - ok
00:35:10.0265 0176 StillCam (4e634ba97c122f84a6c2595af4d2dc62) C:\WINDOWS\system32\DRIVERS\serscan.sys
00:35:10.0281 0176 StillCam - ok
00:35:11.0328 0176 stisvc (7226422c95fdf8aa6092ee964912b0df) C:\WINDOWS\system32\wiaservc.dll
00:35:11.0671 0176 stisvc - ok
00:35:12.0484 0176 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
00:35:12.0500 0176 streamip - ok
00:35:13.0281 0176 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:35:13.0296 0176 swenum - ok
00:35:14.0078 0176 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
00:35:14.0140 0176 swmidi - ok
00:35:14.0796 0176 SwPrv - ok
00:35:15.0484 0176 symc810 - ok
00:35:16.0203 0176 symc8xx - ok
00:35:16.0875 0176 sym_hi - ok
00:35:17.0562 0176 sym_u3 - ok
00:35:18.0484 0176 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys
00:35:18.0718 0176 SynTP - ok
00:35:19.0531 0176 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
00:35:19.0609 0176 sysaudio - ok
00:35:20.0437 0176 SysmonLog (f1f6ee807f0112aae2259b253b6ddf89) C:\WINDOWS\system32\smlogsvc.exe
00:35:20.0531 0176 SysmonLog - ok
00:35:21.0484 0176 TapiSrv (04a5b8ea326951db27df60a14f2999ff) C:\WINDOWS\System32\tapisrv.dll
00:35:21.0734 0176 TapiSrv - ok
00:35:22.0828 0176 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:35:23.0187 0176 Tcpip - ok
00:35:23.0937 0176 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:35:23.0953 0176 TDPIPE - ok
00:35:24.0671 0176 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
00:35:24.0703 0176 TDTCP - ok
00:35:25.0437 0176 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:35:25.0484 0176 TermDD - ok
00:35:26.0468 0176 TermService (288b20d56d5f0ec4bcc77fbfa5a81740) C:\WINDOWS\System32\termsrv.dll
00:35:26.0781 0176 TermService - ok
00:35:27.0562 0176 Themes (1f617c5a76215c380478d750ce92cc73) C:\WINDOWS\System32\shsvcs.dll
00:35:27.0562 0176 Themes - ok
00:35:28.0453 0176 tifm21 (0edc3cf7b38f4260eb006c38e4a44de4) C:\WINDOWS\system32\drivers\tifm21.sys
00:35:28.0625 0176 tifm21 - ok
00:35:29.0343 0176 TlntSvr (65bf170815c0df302be038fd8891c722) C:\WINDOWS\system32\tlntsvr.exe
00:35:29.0421 0176 TlntSvr - ok
00:35:30.0093 0176 TosIde - ok
00:35:30.0843 0176 TrkWks (321761d0d12ee5285ce79ac175cba672) C:\WINDOWS\system32\trkwks.dll
00:35:30.0953 0176 TrkWks - ok
00:35:31.0781 0176 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
00:35:31.0859 0176 Udfs - ok
00:35:32.0562 0176 ultra - ok
00:35:33.0718 0176 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
00:35:34.0109 0176 Update - ok
00:35:34.0968 0176 upnphost (7594203f459abdb5fe53c08d6b1bd53b) C:\WINDOWS\System32\upnphost.dll
00:35:35.0156 0176 upnphost - ok
00:35:35.0828 0176 UPS (575bafeb33af057b13a10579d0dc884a) C:\WINDOWS\System32\ups.exe
00:35:35.0843 0176 UPS - ok
00:35:36.0640 0176 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
00:35:36.0718 0176 usbaudio - ok
00:35:37.0453 0176 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:35:37.0484 0176 usbccgp - ok
00:35:38.0265 0176 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:35:38.0296 0176 usbehci - ok
00:35:39.0125 0176 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:35:39.0203 0176 usbhub - ok
00:35:39.0953 0176 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
00:35:39.0968 0176 usbohci - ok
00:35:40.0718 0176 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:35:40.0750 0176 usbprint - ok
00:35:41.0562 0176 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:35:41.0578 0176 usbscan - ok
00:35:42.0375 0176 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:35:42.0390 0176 USBSTOR - ok
00:35:43.0187 0176 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
00:35:43.0218 0176 VgaSave - ok
00:35:43.0906 0176 ViaIde - ok
00:35:44.0031 0176 VideoAcceleratorService - ok
00:35:44.0843 0176 VolSnap (c41ffdc191e6c832e2e53c967eae0a16) C:\WINDOWS\system32\drivers\VolSnap.sys
00:35:44.0906 0176 VolSnap - ok
00:35:45.0140 0176 vseamps (9ba46ed5fc55ce97aa7bbbe273f1b1e3) C:\Archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseamps.exe
00:35:45.0234 0176 vseamps - ok
00:35:45.0406 0176 vsedsps (37708f105e90b0ff29dca7cfdc748c70) C:\Archivos de programa\Archivos comunes\Authentium\AntiVirus5\vsedsps.exe
00:35:45.0500 0176 vsedsps - ok
00:35:45.0765 0176 vseqrts (994a1ab4cbeb530678f0d27cecee50ac) C:\Archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseqrts.exe
00:35:45.0906 0176 vseqrts - ok
00:35:46.0953 0176 VSS (60f28de3fae525d026e4d66405b80db8) C:\WINDOWS\System32\vssvc.exe
00:35:47.0250 0176 VSS - ok
00:35:48.0078 0176 W32Time (c71cfacdbfadd819736f61f5738bddc1) C:\WINDOWS\system32\w32time.dll
00:35:48.0265 0176 W32Time - ok
00:35:49.0046 0176 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:35:49.0078 0176 Wanarp - ok
00:35:49.0781 0176 WDICA - ok
00:35:50.0578 0176 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
00:35:50.0671 0176 wdmaud - ok
00:35:51.0468 0176 WebClient (340a4fd9017d1ebd1f6dc435282a39dc) C:\WINDOWS\System32\webclnt.dll
00:35:51.0546 0176 WebClient - ok
00:35:53.0125 0176 winachsf (c1d5cbd8aa0d674da1ba1bb189696396) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
00:35:53.0875 0176 winachsf - ok
00:35:54.0765 0176 winmgmt (a5fc75cab140cf6a78e16c3681001872) C:\WINDOWS\system32\wbem\WMIsvc.dll
00:35:54.0890 0176 winmgmt - ok
00:35:56.0718 0176 WinRM (644d9e863192cd94a448bbc0930bc91f) C:\WINDOWS\system32\WsmSvc.dll
00:35:57.0890 0176 WinRM - ok
00:35:58.0656 0176 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
00:35:58.0687 0176 WmdmPmSN - ok
00:36:00.0093 0176 Wmi (c40a0af014d54da0e729066845a2a6dc) C:\WINDOWS\System32\advapi32.dll
00:36:00.0796 0176 Wmi - ok
00:36:01.0562 0176 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
00:36:01.0578 0176 WmiAcpi - ok
00:36:02.0421 0176 WmiApSrv (ca1a5270acc0062b13f62ca5a0cd8da8) C:\WINDOWS\system32\wbem\wmiapsrv.exe
00:36:02.0562 0176 WmiApSrv - ok
00:36:03.0734 0176 WMPNetworkSvc (6782482a8ca4b5b5dab4ef0ad78db08f) C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
00:36:04.0750 0176 WMPNetworkSvc - ok
00:36:06.0000 0176 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
00:36:06.0828 0176 WPFFontCache_v0400 - ok
00:36:07.0687 0176 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
00:36:07.0703 0176 WS2IFSL - ok
00:36:08.0484 0176 wscsvc (8cd684fd248dfe208c2f8f5052838a81) C:\WINDOWS\system32\wscsvc.dll
00:36:08.0562 0176 wscsvc - ok
00:36:09.0187 0176 WSearch - ok
00:36:09.0968 0176 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
00:36:10.0000 0176 WSTCODEC - ok
00:36:10.0703 0176 wuauserv (0b8fc4d0f9d6964713e81ad558b50a71) C:\WINDOWS\system32\wuauserv.dll
00:36:10.0765 0176 wuauserv - ok
00:36:11.0609 0176 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:36:11.0687 0176 WudfPf - ok
00:36:12.0468 0176 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:36:12.0562 0176 WudfRd - ok
00:36:13.0265 0176 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
00:36:13.0343 0176 WudfSvc - ok
00:36:14.0500 0176 WZCSVC (d2caf9ff9da12f0cc6398c6e331015e4) C:\WINDOWS\System32\wzcsvc.dll
00:36:15.0000 0176 WZCSVC - ok
00:36:15.0796 0176 xmlprov (14fdadcf05a37582399daf1da1de1c7b) C:\WINDOWS\System32\xmlprov.dll
00:36:15.0953 0176 xmlprov - ok
00:36:16.0046 0176 MBR (0x1B8) (602df1e9b6477221656f780a2d24c63e) \Device\Harddisk0\DR0
00:36:16.0078 0176 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
00:36:16.0078 0176 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
00:36:16.0281 0176 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
00:36:16.0281 0176 \Device\Harddisk0\DR0 - detected TDSS File System (1)
00:36:16.0296 0176 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk1\DR2
00:36:16.0546 0176 \Device\Harddisk1\DR2 - ok
00:36:16.0562 0176 Boot (0x1200) (09ecd0b0a47d3c500e18889ed5a891ac) \Device\Harddisk0\DR0\Partition0
00:36:16.0578 0176 \Device\Harddisk0\DR0\Partition0 - ok
00:36:16.0593 0176 Boot (0x1200) (a9bc3fa88e9a38e3f8afd4c7473c59ee) \Device\Harddisk1\DR2\Partition0
00:36:16.0593 0176 \Device\Harddisk1\DR2\Partition0 - ok
00:36:16.0593 0176 ============================================================
00:36:16.0593 0176 Scan finished
00:36:16.0593 0176 ============================================================
00:36:16.0625 2044 Detected object count: 2
00:36:16.0625 2044 Actual detected object count: 2
00:37:06.0828 2044 \Device\Harddisk0\DR0\# - copied to quarantine
00:37:06.0828 2044 \Device\Harddisk0\DR0 - copied to quarantine
00:37:07.0171 2044 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
00:37:07.0218 2044 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
00:37:07.0234 2044 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
00:37:07.0250 2044 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
00:37:07.0265 2044 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
00:37:07.0359 2044 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
00:37:07.0375 2044 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
00:37:07.0390 2044 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
00:37:07.0390 2044 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
00:37:07.0406 2044 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
00:37:07.0421 2044 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
00:37:07.0437 2044 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
00:37:07.0671 2044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
00:37:07.0671 2044 \Device\Harddisk0\DR0 - ok
00:37:07.0671 2044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
00:37:07.0687 2044 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
00:37:07.0734 2044 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
00:37:07.0765 2044 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
00:37:07.0765 2044 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
00:37:07.0796 2044 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
00:37:07.0875 2044 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
00:37:07.0906 2044 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
00:37:07.0921 2044 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
00:37:07.0937 2044 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
00:37:08.0125 2044 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
00:37:08.0156 2044 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
00:37:08.0156 2044 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
00:37:08.0156 2044 \Device\Harddisk0\DR0\TDLFS - deleted
00:37:08.0156 2044 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
00:37:19.0062 2000 Deinitialize success


ComboFix log:
ComboFix 12-04-15.02 - Administrador 19/04/2012 23:37:07.4.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.895.712 [GMT -5:00]
Running from: c:\documents and settings\Administrador.LLANES\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Administrador.LLANES\Escritorio\CFScript.txt
AV: System Shield *Enabled/Updated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.
file zipped: c:\documents and settings\All Users\Datos de programa\Vt9w8IQZxAtnxH.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Datos de programa\Vt9w8IQZxAtnxH.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
.
.
2012-04-18 05:40 . 2012-04-18 05:40 -------- d-----w- c:\windows\LastGood.Tmp
2012-04-18 05:37 . 2012-04-18 05:37 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-16 06:51 . 2008-04-14 05:49 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-15 08:24 . 2012-04-15 08:24 -------- d-----w- C:\FakeAlert Removal
2012-04-13 03:25 . 2012-04-13 03:26 -------- d-----w- c:\documents and settings\Administrador
2012-04-12 04:17 . 2012-04-12 04:17 -------- d-----w- c:\documents and settings\NetworkService\Menú Inicio
2012-04-08 06:17 . 2012-04-08 06:17 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2012-04-02 07:14 . 2012-04-04 05:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-28 05:46 . 2012-03-28 05:46 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Premium
2012-03-28 05:44 . 2012-03-28 05:45 -------- d-----w- c:\documents and settings\All Users\Datos de programa\CodecC
2012-03-28 05:44 . 2012-03-28 05:47 -------- d-----w- C:\codec-info
2012-03-28 05:44 . 2012-03-28 05:47 -------- d-----w- c:\documents and settings\All Users\Datos de programa\InstallMate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 05:30 . 2011-12-30 06:44 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2004-08-19 13:30 1860224 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD88DAF1-29CE-4B00-96DB-FD610A48B1CB}]
2012-03-27 19:01 141312 ----a-w- c:\documents and settings\All Users\Datos de programa\CodecC\bhoclass.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\archivos de programa\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\archivos de programa\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"WBMKEYBD"="c:\windows\WBMKbdAP.exe" [2008-01-03 145920]
"HP Software Update"="c:\archivos de programa\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Acrobat Assistant 8.0"="c:\archivos de programa\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]
"TkBellExe"="c:\archivos de programa\Real\RealPlayer\update\realsched.exe" [2011-12-05 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Administrador.LLANES\Datos de programa\Dropbox\bin\Dropbox.exe [N/A]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Administrador.LLANES\Datos de programa\Dropbox\bin\Dropbox.exe [N/A]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Administrador.LLANES\Datos de programa\Dropbox\bin\Dropbox.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\archivos de programa\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0????\0\0\0???????fR\0??????\0autocheck smrgdf c:\documents and settings\Administrador.LLANES\Datos de programa\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Corel\\DVD9\\WinDVD.exe"=
"c:\\Archivos de programa\\iolo\\System Mechanic Professional\\SysMech.exe"=
"c:\\Archivos de programa\\Archivos comunes\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Archivos de programa\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\PC\\Datos de programa\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Administración remota de Windows
.
R2 ioloSystemService;iolo System Service;c:\archivos de programa\iolo\Common\Lib\ioloServiceManager.exe [17/06/2011 01:17 a.m. 722616]
R2 vseamps;vseamps;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseamps.exe [28/09/2011 12:59 p.m. 97088]
R2 vsedsps;vsedsps;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vsedsps.exe [28/09/2011 12:59 p.m. 97088]
R2 vseqrts;vseqrts;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseqrts.exe [28/09/2011 12:59 p.m. 142144]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [26/05/2010 03:20 p.m. 74752]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [26/05/2010 03:21 p.m. 6144]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 AMP;AMP;c:\windows\system32\drivers\amp.sys [28/09/2011 01:12 p.m. 138048]
S2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [28/09/2011 01:12 p.m. 1189184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 01:16 p.m. 130384]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 08:09 p.m. 11032]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\archivos de programa\Secunia\PSI\psia.exe [14/10/2011 01:01 a.m. 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\archivos de programa\Secunia\PSI\sua.exe [14/10/2011 01:01 a.m. 399416]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [02/04/2012 02:14 a.m. 253600]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [18/04/2005 01:00 a.m. 235904]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 03:30 a.m. 15544]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [19/08/2004 08:43 a.m. 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 01:16 p.m. 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 05:30]
.
2012-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-287218729-839522115-1003.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-287218729-839522115-1003.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-04-18 c:\windows\Tasks\User_Feed_Synchronization-{A1D73C7D-FE51-4D32-93B6-B3EC40E6F03A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
LSP: c:\archivos de programa\SpeedBit Video Accelerator\LSP3.2.2.4\SBLSP.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-RunOnce-SMRequiresRestart - (no file)
HKLM-RunOnce-4FA12186-8D89-4137-B5DF-B472F6A69F8B - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-19 23:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-287218729-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f2,aa,c3,b6,2b,09,69,4b,b5,38,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f2,aa,c3,b6,2b,09,69,4b,b5,38,02,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(252)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(300)
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-20 00:06:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-20 05:06
ComboFix2.txt 2012-04-16 07:26
.
Pre-Run: 61,235,720,192 bytes libres
Post-Run: 61,239,734,272 bytes libres
.
- - End Of File - - EDA3CA986311C02A0D3CCE90C8402FB2


Thanks again for all your help!

Mr_LLanes

#6 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:21 PM

Posted 20 April 2012 - 08:45 PM

How is your computer running now? Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Go to this link to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#7 Mr_Llanes

  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:21 PM

Posted 22 April 2012 - 12:24 AM

Hello RPMcMurphy!

I wish you well.

The computer is still acting strange. It connects to my network but it does not connect to the internet!

That being said, I cannot accomplish the last task you assigned me to do... I cannot update MBAM, I cannot scan with ESET. What can I do now?...

Best regards,

Mr_Llanes

#8 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:21 PM

Posted 22 April 2012 - 10:41 AM

Hello,

Please do this next:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Please include the following in your next post:
  • FSS log



#9 Mr_Llanes

  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:21 PM

Posted 23 April 2012 - 12:18 AM

Hello RPMcMurphy!

I wish you well.

Below, the FSS log as requested:

Farbar Service Scanner Version: 16-04-2012
Ran by Administrador (administrator) on 23-04-2012 at 00:13:43
Running from "C:\Documents and Settings\Administrador.LLANES\Escritorio\FixComputer\6 Farbar"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is OK.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0126976 ____A (Microsoft Corporation) 2DDFB3A5679FA02366686ECB1AF622F0

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-19 08:42] - [2009-04-20 12:18] - 0045568 ____A (Microsoft Corporation) 2E6D76CAB5A402AF257A963916FE05E7

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0332288 ____A (Microsoft Corporation) 4A4EF3EE166FAD4A04B1D767AD986329

C:\WINDOWS\system32\netman.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0198144 ____A (Microsoft Corporation) A48884C9359EE9F1FC8F3F0D93FB1D95

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-07-19 13:24] - [2008-04-14 07:48] - 0145408 ____A (Microsoft Corporation) A5FC75CAB140CF6A78E16C3681001872

C:\WINDOWS\system32\srsvc.dll
[2010-07-19 13:26] - [2008-04-14 07:48] - 0171520 ____A (Microsoft Corporation) 0F30EEC6013FCF76693405EC4A7DF899

C:\WINDOWS\system32\Drivers\sr.sys
[2010-07-19 13:26] - [2008-04-14 07:28] - 0073472 ____A (Microsoft Corporation) CCB3065C3EE63A4515FE84AF9E78D1DD

C:\WINDOWS\system32\wscsvc.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0080896 ____A (Microsoft Corporation) 8CD684FD248DFE208C2F8F5052838A81

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-07-19 13:24] - [2008-04-14 07:48] - 0145408 ____A (Microsoft Corporation) A5FC75CAB140CF6A78E16C3681001872

C:\WINDOWS\system32\wuauserv.dll
[2010-07-19 13:26] - [2008-04-14 07:48] - 0006656 ____A (Microsoft Corporation) 0B8FC4D0F9D6964713E81AD558B50A71

C:\WINDOWS\system32\qmgr.dll
[2010-07-19 13:26] - [2008-04-14 07:48] - 0409088 ____A (Microsoft Corporation) 8EE9639C01B92490E09638CAA1B16C3C

C:\WINDOWS\system32\es.dll
[2004-08-19 08:42] - [2008-07-07 15:27] - 0253952 ____A (Microsoft Corporation) A225DD0D0489BD580781D19524A10B19

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-19 08:41] - [2008-04-14 07:48] - 0062464 ____A (Microsoft Corporation) E423C9C1946C656E0E4840210A0A8681

C:\WINDOWS\system32\svchost.exe
[2004-08-19 08:43] - [2008-04-14 07:49] - 0014336 ____A (Microsoft Corporation) 4F2340F0BD5B6365C38E74DD391919A8

C:\WINDOWS\system32\rpcss.dll
[2004-08-19 08:42] - [2009-02-09 05:52] - 0401408 ____A (Microsoft Corporation) 97869C55F562B777987100EA30AD8108

C:\WINDOWS\system32\services.exe
[2004-08-19 08:43] - [2009-02-09 06:23] - 0111104 ____A (Microsoft Corporation) 953DF7327510DF0DE048B8E80E504EF9


Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:21 PM

Posted 23 April 2012 - 11:22 AM

Please do this next:

Please run Farbar Service Scanner again.
  • Type the following in the Search box:

    dhcpcsvc.dll
    dnsrslvr.dll
    ipnathlp.dll
    netman.dll
    WMIsvc.dll
    srsvc.dll
    sr.sys
    wscsvc.dll
    WMIsvc.dll
    wuauserv.dll
    qmgr.dll
    es.dll
    cryptsvc.dll
    svchost.exe
    rpcss.dll
    services.exe
  • Click Search Files button and post the log (FSS.txt) it makes to your reply.
Please include the following in your next post:
  • FSS log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#11 Mr_Llanes

Mr_Llanes
  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:21 PM

Posted 24 April 2012 - 11:00 PM

Hello RPMcMurphy,

I wish you well.

Per your request, below is the FSS log:

Farbar Service Scanner Version: 16-04-2012
Ran by Administrador (administrator) on 24-04-2012 at 22:52:27
Microsoft Windows XP Professional Service Pack 3 (X86)

************************************************
======== Search: "dhcpcsvc.dlldnsrslvr.dllipnathlp.dllnetman.dllWMIsvc.dllsrsvc.dllsr.syswscsvc.dllWMIsvc.dllwuauserv.dllqmgr.dlles.dllcryptsvc.dllsvchost.exerpcss.dllservices.exe" =========

====== End Of Search ======

Best regards,

Mr_Llanes

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:21 PM

Posted 25 April 2012 - 03:00 PM

Hi,

Please do this next:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    dhcpcsvc.dl*
    dnsrslvr.dl*
    ipnathlp.dl*
    netman.dl*
    WMIsvc.dl*
    srsvc.dl*
    sr.sy*
    wscsvc.dl*
    WMIsvc.dl*
    wuauserv.dl*
    qmgr.dl*
    es.dl*
    cryptsvc.dl*
    svchost.ex*
    rpcss.dl*
    services.ex*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Please include the following in your next post:
  • SystemLook log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#13 Mr_Llanes

Mr_Llanes
  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:21 PM

Posted 27 April 2012 - 12:14 AM

Hello RPMcMurphy,

I wish you well.

Below is the SystemLook log.


SystemLook 30.07.11 by jpshortstuff
Log created at 23:43 on 26/04/2012 by Administrador
Administrator - Elevation successful

========== filefind ==========

Searching for "dhcpcsvc.dl*"
C:\WINDOWS\ServicePackFiles\i386\dhcpcsvc.dll ------- 126976 bytes [20:22 19/07/2010] [12:48 14/04/2008] 2DDFB3A5679FA02366686ECB1AF622F0
C:\WINDOWS\system32\dhcpcsvc.dll --a---- 126976 bytes [13:42 19/08/2004] [12:48 14/04/2008] 2DDFB3A5679FA02366686ECB1AF622F0

Searching for "dnsrslvr.dl*"
C:\WINDOWS\ServicePackFiles\i386\dnsrslvr.dll ------- 45568 bytes [20:24 19/07/2010] [12:48 14/04/2008] E903D6C886CA0C86164BF778589F7C6E
C:\WINDOWS\system32\dnsrslvr.dll --a---- 45568 bytes [13:42 19/08/2004] [17:18 20/04/2009] 2E6D76CAB5A402AF257A963916FE05E7

Searching for "ipnathlp.dl*"
C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll ------- 332288 bytes [20:24 19/07/2010] [12:48 14/04/2008] 4A4EF3EE166FAD4A04B1D767AD986329
C:\WINDOWS\system32\ipnathlp.dll --a---- 332288 bytes [13:42 19/08/2004] [12:48 14/04/2008] 4A4EF3EE166FAD4A04B1D767AD986329

Searching for "netman.dl*"
C:\WINDOWS\ERDNT\cache\netman.dll --a---- 198144 bytes [07:20 07/01/2012] [12:48 14/04/2008] A48884C9359EE9F1FC8F3F0D93FB1D95
C:\WINDOWS\ServicePackFiles\i386\netman.dll ------- 198144 bytes [20:25 19/07/2010] [12:48 14/04/2008] A48884C9359EE9F1FC8F3F0D93FB1D95
C:\WINDOWS\system32\netman.dll --a---- 198144 bytes [13:42 19/08/2004] [12:48 14/04/2008] A48884C9359EE9F1FC8F3F0D93FB1D95

Searching for "WMIsvc.dl*"
C:\WINDOWS\ServicePackFiles\i386\wmisvc.dll ------- 145408 bytes [20:25 19/07/2010] [12:48 14/04/2008] A5FC75CAB140CF6A78E16C3681001872
C:\WINDOWS\system32\wbem\wmisvc.dll --a---- 145408 bytes [18:24 19/07/2010] [12:48 14/04/2008] A5FC75CAB140CF6A78E16C3681001872

Searching for "srsvc.dl*"
C:\WINDOWS\ERDNT\cache\srsvc.dll --a---- 171520 bytes [07:20 07/01/2012] [12:48 14/04/2008] 0F30EEC6013FCF76693405EC4A7DF899
C:\WINDOWS\ServicePackFiles\i386\srsvc.dll ------- 171520 bytes [20:22 19/07/2010] [12:48 14/04/2008] 0F30EEC6013FCF76693405EC4A7DF899
C:\WINDOWS\system32\srsvc.dll --a---- 171520 bytes [18:26 19/07/2010] [12:48 14/04/2008] 0F30EEC6013FCF76693405EC4A7DF899

Searching for "sr.sy*"
C:\WINDOWS\ServicePackFiles\i386\sr.sys ------- 73472 bytes [20:23 19/07/2010] [12:28 14/04/2008] CCB3065C3EE63A4515FE84AF9E78D1DD
C:\WINDOWS\system32\drivers\sr.sys --a---- 73472 bytes [18:26 19/07/2010] [12:28 14/04/2008] CCB3065C3EE63A4515FE84AF9E78D1DD

Searching for "wscsvc.dl*"
C:\WINDOWS\ServicePackFiles\i386\wscsvc.dll ------- 80896 bytes [20:23 19/07/2010] [12:48 14/04/2008] 8CD684FD248DFE208C2F8F5052838A81
C:\WINDOWS\SoftwareDistribution\Download\4fcdf3a74fe834ce16dc12a720df5cc7\wscsvc.dll --a---- 80896 bytes [20:45 19/07/2010] [12:48 14/04/2008] 8CD684FD248DFE208C2F8F5052838A81
C:\WINDOWS\system32\wscsvc.dll --a---- 80896 bytes [13:42 19/08/2004] [12:48 14/04/2008] 8CD684FD248DFE208C2F8F5052838A81

Searching for "WMIsvc.dl*"
C:\WINDOWS\ServicePackFiles\i386\wmisvc.dll ------- 145408 bytes [20:25 19/07/2010] [12:48 14/04/2008] A5FC75CAB140CF6A78E16C3681001872
C:\WINDOWS\system32\wbem\wmisvc.dll --a---- 145408 bytes [18:24 19/07/2010] [12:48 14/04/2008] A5FC75CAB140CF6A78E16C3681001872

Searching for "wuauserv.dl*"
C:\WINDOWS\ServicePackFiles\i386\wuauserv.dll ------- 6656 bytes [20:22 19/07/2010] [12:48 14/04/2008] 0B8FC4D0F9D6964713E81AD558B50A71
C:\WINDOWS\SoftwareDistribution\Download\4fcdf3a74fe834ce16dc12a720df5cc7\wuauserv.dll --a---- 6656 bytes [20:45 19/07/2010] [12:48 14/04/2008] 0B8FC4D0F9D6964713E81AD558B50A71
C:\WINDOWS\system32\wuauserv.dll --a---- 6656 bytes [18:26 19/07/2010] [12:48 14/04/2008] 0B8FC4D0F9D6964713E81AD558B50A71

Searching for "qmgr.dl*"
C:\WINDOWS\ERDNT\cache\qmgr.dll --a---- 409088 bytes [07:20 07/01/2012] [12:48 14/04/2008] 8EE9639C01B92490E09638CAA1B16C3C
C:\WINDOWS\ServicePackFiles\i386\qmgr.dll ------- 409088 bytes [20:24 19/07/2010] [12:48 14/04/2008] 8EE9639C01B92490E09638CAA1B16C3C
C:\WINDOWS\SoftwareDistribution\Download\4fcdf3a74fe834ce16dc12a720df5cc7\qmgr.dll --a---- 409088 bytes [20:44 19/07/2010] [12:48 14/04/2008] 8EE9639C01B92490E09638CAA1B16C3C
C:\WINDOWS\system32\qmgr.dll --a---- 409088 bytes [18:26 19/07/2010] [12:48 14/04/2008] 8EE9639C01B92490E09638CAA1B16C3C
C:\WINDOWS\system32\bits\qmgr.dll ------- 409088 bytes [20:27 19/07/2010] [12:48 14/04/2008] 8EE9639C01B92490E09638CAA1B16C3C

Searching for "es.dl*"
C:\WINDOWS\ERDNT\cache\es.dll --a---- 253952 bytes [07:20 07/01/2012] [20:27 07/07/2008] A225DD0D0489BD580781D19524A10B19
C:\WINDOWS\ServicePackFiles\i386\es.dll ------- 246272 bytes [20:23 19/07/2010] [12:48 14/04/2008] 76ABF3BB5A6D684641EC92B28240811D
C:\WINDOWS\SoftwareDistribution\Download\074aa4e5b849c12e51a17542ceea31a2\backup\sp2gdr\es.dll ------- 243200 bytes [20:27 19/07/2010] [13:42 19/08/2004] 86F565E6FDD0C0776089D2F92AB1FC3F
C:\WINDOWS\SoftwareDistribution\Download\074aa4e5b849c12e51a17542ceea31a2\backup\sp2qfe\es.dll ------- 243200 bytes [20:27 19/07/2010] [13:42 19/08/2004] 86F565E6FDD0C0776089D2F92AB1FC3F
C:\WINDOWS\SoftwareDistribution\Download\074aa4e5b849c12e51a17542ceea31a2\backup\sp3gdr\es.dll ------- 243200 bytes [20:27 19/07/2010] [13:42 19/08/2004] 86F565E6FDD0C0776089D2F92AB1FC3F
C:\WINDOWS\SoftwareDistribution\Download\074aa4e5b849c12e51a17542ceea31a2\backup\sp3qfe\es.dll ------- 243200 bytes [20:27 19/07/2010] [13:42 19/08/2004] 86F565E6FDD0C0776089D2F92AB1FC3F
C:\WINDOWS\system32\es.dll --a---- 253952 bytes [13:42 19/08/2004] [20:27 07/07/2008] A225DD0D0489BD580781D19524A10B19

Searching for "cryptsvc.dl*"
C:\WINDOWS\ERDNT\cache\cryptsvc.dll --a---- 62464 bytes [07:20 07/01/2012] [12:48 14/04/2008] E423C9C1946C656E0E4840210A0A8681
C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll ------- 62464 bytes [20:25 19/07/2010] [12:48 14/04/2008] E423C9C1946C656E0E4840210A0A8681
C:\WINDOWS\system32\cryptsvc.dll --a---- 62464 bytes [13:41 19/08/2004] [12:48 14/04/2008] E423C9C1946C656E0E4840210A0A8681

Searching for "svchost.ex*"
C:\Archivos de programa\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [03:11 30/12/2011] [20:53 13/01/2012] 63EEC8A8B221AB79045E776E5F592868
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [07:20 07/01/2012] [12:49 14/04/2008] 4F2340F0BD5B6365C38E74DD391919A8
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20120408-055534-00.hdmp --ah--- 0 bytes [05:55 08/04/2012] [05:56 08/04/2012] D41D8CD98F00B204E9800998ECF8427E
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20120408-055534-00.mdmp --a--c- 0 bytes [05:55 08/04/2012] [05:55 08/04/2012] D41D8CD98F00B204E9800998ECF8427E
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [20:24 19/07/2010] [12:49 14/04/2008] 4F2340F0BD5B6365C38E74DD391919A8
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [13:43 19/08/2004] [12:49 14/04/2008] 4F2340F0BD5B6365C38E74DD391919A8

Searching for "rpcss.dl*"
C:\WINDOWS\ERDNT\cache\rpcss.dll --a---- 401408 bytes [07:20 07/01/2012] [10:52 09/02/2009] 97869C55F562B777987100EA30AD8108
C:\WINDOWS\ServicePackFiles\i386\rpcss.dll ------- 399360 bytes [20:24 19/07/2010] [12:48 14/04/2008] 53D02EFFA72CA5C57687BEE20610ABA6
C:\WINDOWS\system32\rpcss.dll --a---- 401408 bytes [13:42 19/08/2004] [10:52 09/02/2009] 97869C55F562B777987100EA30AD8108

Searching for "services.ex*"
C:\WINDOWS\ERDNT\cache\services.exe --a---- 111104 bytes [07:20 07/01/2012] [11:23 09/02/2009] 953DF7327510DF0DE048B8E80E504EF9
C:\WINDOWS\ServicePackFiles\i386\services.exe ------- 109056 bytes [20:23 19/07/2010] [12:49 14/04/2008] D658A8C2FC7B2AD53D1259741A09EE04
C:\WINDOWS\system32\services.exe --a---- 111104 bytes [13:43 19/08/2004] [11:23 09/02/2009] 953DF7327510DF0DE048B8E80E504EF9

-= EOF =-

Best regards,

Mr_Llanes
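An added example, not part of the thread and not code from SystemLook or ComboFix: a parser for the `:filefind` output format above that groups every copy of each file and compares the MD5 of the live `system32` copy against the `ServicePackFiles\i386` copy, which is the comparison behind a decision to restore a file from that cache. The sample lines are copied from the log posted above; the two directory prefixes are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: a few ":filefind" result lines copied from the SystemLook
# log posted above (paths, sizes, timestamps and MD5s are the thread's own values).
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "dnsrslvr.dl*"
C:\WINDOWS\ServicePackFiles\i386\dnsrslvr.dll ------- 45568 bytes [20:24 19/07/2010] [12:48 14/04/2008] E903D6C886CA0C86164BF778589F7C6E
C:\WINDOWS\system32\dnsrslvr.dll --a---- 45568 bytes [13:42 19/08/2004] [17:18 20/04/2009] 2E6D76CAB5A402AF257A963916FE05E7

Searching for "netman.dl*"
C:\WINDOWS\ERDNT\cache\netman.dll --a---- 198144 bytes [07:20 07/01/2012] [12:48 14/04/2008] A48884C9359EE9F1FC8F3F0D93FB1D95
C:\WINDOWS\ServicePackFiles\i386\netman.dll ------- 198144 bytes [20:25 19/07/2010] [12:48 14/04/2008] A48884C9359EE9F1FC8F3F0D93FB1D95
C:\WINDOWS\system32\netman.dll --a---- 198144 bytes [13:42 19/08/2004] [12:48 14/04/2008] A48884C9359EE9F1FC8F3F0D93FB1D95

Searching for "svchost.ex*"
C:\Archivos de programa\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [03:11 30/12/2011] [20:53 13/01/2012] 63EEC8A8B221AB79045E776E5F592868
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20120408-055534-00.hdmp --ah--- 0 bytes [05:55 08/04/2012] [05:56 08/04/2012] D41D8CD98F00B204E9800998ECF8427E
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [20:24 19/07/2010] [12:49 14/04/2008] 4F2340F0BD5B6365C38E74DD391919A8
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [13:43 19/08/2004] [12:49 14/04/2008] 4F2340F0BD5B6365C38E74DD391919A8

-= EOF =-
"""

# One result line: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed directory prefixes (lower-case; NTFS paths are case-insensitive).
LIVE_DIR = r"c:\windows\system32"
BACKUP_DIR = r"c:\windows\servicepackfiles\i386"


def parse_filefind(text):
    """Parse ':filefind' output into {basename (lower-case): [record, ...]}."""
    records = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # 'Searching for' headers, separators, blank lines
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["modified_at"] = datetime.strptime(rec["modified"], "%H:%M %d/%m/%Y")
        # Group on the basename only, so a crash dump such as
        # svchost.exe.<date>.hdmp lands in its own group, not under svchost.exe.
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        records[name].append(rec)
    return dict(records)


def compare_to_backup(records, live_dir=LIVE_DIR, backup_dir=BACKUP_DIR):
    """Compare each live system32 copy against its service-pack backup copy.

    Returns {basename: {"status", "live_md5", "backup_md5", "live_newer",
    "other_copies"}}. Status is 'match', 'differs', 'no_backup' or 'no_live';
    names with neither a live nor a backup copy are left out.
    """
    report = {}
    for name, recs in records.items():
        live = backup = None
        others = 0
        for r in recs:
            p = r["path"].lower()
            if p.startswith(live_dir + "\\"):
                live = r
            elif p.startswith(backup_dir + "\\"):
                backup = r
            else:
                others += 1  # ERDNT cache, SoftwareDistribution, third-party dirs
        if live is None and backup is None:
            continue
        if live and backup:
            status = "match" if live["md5"] == backup["md5"] else "differs"
        else:
            status = "no_backup" if live else "no_live"
        report[name] = {
            "status": status,
            "live_md5": live["md5"] if live else None,
            "backup_md5": backup["md5"] if backup else None,
            # A live copy newer than the SP3 backup is consistent with a later
            # hotfix, so 'differs' alone is not evidence of tampering: verify the
            # hash against a trusted reference before replacing the file.
            "live_newer": bool(live and backup and live["modified_at"] > backup["modified_at"]),
            "other_copies": others,
        }
    return report


if __name__ == "__main__":
    for name, info in sorted(compare_to_backup(parse_filefind(SAMPLE_LOG)).items()):
        flag = " (live copy is newer)" if info["live_newer"] else ""
        print(f"{name:14} {info['status']:9} live={info['live_md5']} backup={info['backup_md5']}{flag}")
```

On the sample, dnsrslvr.dll is reported as 'differs' with the live copy newer, while netman.dll and svchost.exe match their backups and each have one copy elsewhere.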

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:21 PM

Posted 27 April 2012 - 10:30 PM

Hi,

Please do this next:

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above FCopy::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\dhcpcsvc.dll | C:\WINDOWS\system32\dhcpcsvc.dll
C:\WINDOWS\ServicePackFiles\i386\dnsrslvr.dll | C:\WINDOWS\system32\dnsrslvr.dll
C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll | C:\WINDOWS\system32\ipnathlp.dll
C:\WINDOWS\ServicePackFiles\i386\netman.dll | C:\WINDOWS\system32\netman.dll
C:\WINDOWS\ServicePackFiles\i386\wmisvc.dll | C:\WINDOWS\system32\wbem\wmisvc.dll
C:\WINDOWS\ServicePackFiles\i386\srsvc.dll | C:\WINDOWS\system32\srsvc.dll
C:\WINDOWS\ServicePackFiles\i386\sr.sys | C:\WINDOWS\system32\drivers\sr.sys
C:\WINDOWS\SoftwareDistribution\Download\4fcdf3a74fe834ce16dc12a720df5cc7\wscsvc.dll | C:\WINDOWS\system32\wscsvc.dll
C:\WINDOWS\ServicePackFiles\i386\wmisvc.dll | C:\WINDOWS\system32\wbem\wmisvc.dll 
C:\WINDOWS\ServicePackFiles\i386\wuauserv.dll | C:\WINDOWS\system32\wuauserv.dll
C:\WINDOWS\ServicePackFiles\i386\qmgr.dll | C:\WINDOWS\system32\bits\qmgr.dll
C:\WINDOWS\ServicePackFiles\i386\es.dll | C:\WINDOWS\system32\es.dll
C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll | C:\WINDOWS\system32\cryptsvc.dll
C:\WINDOWS\ServicePackFiles\i386\svchost.exe | C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\rpcss.dll | C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\ServicePackFiles\i386\services.exe | C:\WINDOWS\system32\services.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Reboot your PC, then continue with this:

Please run Farbar Service Scanner again.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Please include the following in your next post:
  • ComboFix log
  • FSS log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#15 Mr_Llanes

Mr_Llanes
  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:21 PM

Posted 01 May 2012 - 11:54 PM

Hello RPMcMurphy,

I wish you well.

Sorry for the delay; it's been a couple of very busy days!

Below you may find the two requested logs.

Best regards,

Mr_Llanes




COMBOFIX LOG:---------------------------------------------------------------------------------------

ComboFix 12-04-29.02 - Administrador 01/05/2012 23:06:11.5.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.895.705 [GMT -5:00]
Running from: c:\documents and settings\Administrador.LLANES\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Administrador.LLANES\Escritorio\CFScript.txt
AV: System Shield *Enabled/Updated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Datos de programa\CodecC\bhOClass.dll
.
---- Previous Run -------
.
c:\documents and settings\All Users\Datos de programa\Vt9w8IQZxAtnxH.exe
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\dhcpcsvc.dll --> c:\windows\system32\dhcpcsvc.dll
c:\windows\ServicePackFiles\i386\dnsrslvr.dll --> c:\windows\system32\dnsrslvr.dll
c:\windows\ServicePackFiles\i386\ipnathlp.dll --> c:\windows\system32\ipnathlp.dll
c:\windows\ServicePackFiles\i386\netman.dll --> c:\windows\system32\netman.dll
c:\windows\ServicePackFiles\i386\wmisvc.dll --> c:\windows\system32\wbem\wmisvc.dll
c:\windows\ServicePackFiles\i386\srsvc.dll --> c:\windows\system32\srsvc.dll
c:\windows\ServicePackFiles\i386\sr.sys --> c:\windows\system32\drivers\sr.sys
c:\windows\SoftwareDistribution\Download\4fcdf3a74fe834ce16dc12a720df5cc7\wscsvc.dll --> c:\windows\system32\wscsvc.dll
c:\windows\ServicePackFiles\i386\wmisvc.dll --> c:\windows\system32\wbem\wmisvc.dll
c:\windows\ServicePackFiles\i386\wuauserv.dll --> c:\windows\system32\wuauserv.dll
c:\windows\ServicePackFiles\i386\qmgr.dll --> c:\windows\system32\bits\qmgr.dll
c:\windows\ServicePackFiles\i386\es.dll --> c:\windows\system32\es.dll
c:\windows\ServicePackFiles\i386\cryptsvc.dll --> c:\windows\system32\cryptsvc.dll
c:\windows\ServicePackFiles\i386\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\rpcss.dll --> c:\windows\system32\rpcss.dll
c:\windows\ServicePackFiles\i386\services.exe --> c:\windows\system32\services.exe
.
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2012-04-18 05:37 . 2012-04-18 05:37 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-16 06:51 . 2008-04-14 05:49 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-15 08:24 . 2012-04-15 08:24 -------- d-----w- C:\FakeAlert Removal
2012-04-13 03:25 . 2012-04-13 03:26 -------- d-----w- c:\documents and settings\Administrador
2012-04-12 04:17 . 2012-04-12 04:17 -------- d-----w- c:\documents and settings\NetworkService\Menú Inicio
2012-04-08 06:17 . 2012-04-08 06:17 -------- d-----r- c:\documents and settings\LocalService\Favoritos
2012-04-02 07:14 . 2012-04-04 05:30 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 05:30 . 2011-12-30 06:44 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2004-08-19 13:30 1860224 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 00:17 1487240 ----a-w- c:\archivos de programa\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\archivos de programa\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"WBMKEYBD"="c:\windows\WBMKbdAP.exe" [2008-01-03 145920]
"HP Software Update"="c:\archivos de programa\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Acrobat Assistant 8.0"="c:\archivos de programa\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]
"TkBellExe"="c:\archivos de programa\Real\RealPlayer\update\realsched.exe" [2011-12-05 296056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SMRequiresRestart"="" [BU]
"4FA12186-8D89-4137-B5DF-B472F6A69F8B"="" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Administrador.LLANES\Datos de programa\Dropbox\bin\Dropbox.exe [N/A]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Administrador.LLANES\Datos de programa\Dropbox\bin\Dropbox.exe [N/A]
.
c:\documents and settings\PC\Menú Inicio\Programas\Inicio\
Dropbox.lnk - c:\documents and settings\Administrador.LLANES\Datos de programa\Dropbox\bin\Dropbox.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\archivos de programa\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0????\0\0\0???????fR\0??????\0autocheck smrgdf c:\documents and settings\Administrador.LLANES\Datos de programa\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Corel\\DVD9\\WinDVD.exe"=
"c:\\Archivos de programa\\iolo\\System Mechanic Professional\\SysMech.exe"=
"c:\\Archivos de programa\\Archivos comunes\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Archivos de programa\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\PC\\Datos de programa\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Administración remota de Windows
.
R2 ioloSystemService;iolo System Service;c:\archivos de programa\iolo\Common\Lib\ioloServiceManager.exe [17/06/2011 01:17 a.m. 722616]
R2 vseamps;vseamps;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseamps.exe [28/09/2011 12:59 p.m. 97088]
R2 vsedsps;vsedsps;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vsedsps.exe [28/09/2011 12:59 p.m. 97088]
R2 vseqrts;vseqrts;c:\archivos de programa\Archivos comunes\Authentium\AntiVirus5\vseqrts.exe [28/09/2011 12:59 p.m. 142144]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [26/05/2010 03:20 p.m. 74752]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [26/05/2010 03:21 p.m. 6144]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 AMP;AMP;c:\windows\system32\drivers\amp.sys [28/09/2011 01:12 p.m. 138048]
S2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [28/09/2011 01:12 p.m. 1189184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 01:16 p.m. 130384]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 08:09 p.m. 11032]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\archivos de programa\Secunia\PSI\psia.exe [14/10/2011 01:01 a.m. 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\archivos de programa\Secunia\PSI\sua.exe [14/10/2011 01:01 a.m. 399416]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\archiv~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [02/04/2012 02:14 a.m. 253600]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [18/04/2005 01:00 a.m. 235904]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 03:30 a.m. 15544]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [19/08/2004 08:43 a.m. 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 01:16 p.m. 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 05:30]
.
2012-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-287218729-839522115-1003.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-287218729-839522115-1003.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-04-22 c:\windows\Tasks\User_Feed_Synchronization-{A1D73C7D-FE51-4D32-93B6-B3EC40E6F03A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
LSP: c:\archivos de programa\SpeedBit Video Accelerator\LSP3.2.2.4\SBLSP.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\archivos de programa\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 23:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-287218729-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f2,aa,c3,b6,2b,09,69,4b,b5,38,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f2,aa,c3,b6,2b,09,69,4b,b5,38,02,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(248)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1800)
c:\windows\system32\WININET.dll
.
Completion time: 2012-05-01 23:34:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-02 04:34
ComboFix2.txt 2012-04-20 05:07
ComboFix3.txt 2012-04-16 07:26
.
Pre-Run: 61,219,332,096 bytes libres
Post-Run: 61,215,076,352 bytes libres
.
- - End Of File - - 3782FAA838FB959EFC15A6722E8B4DA2





FSS LOG: ----------------------------------------------------------------------------------------

Farbar Service Scanner Version: 16-04-2012
Ran by Administrador (administrator) on 01-05-2012 at 23:48:33
Running from "C:\Documents and Settings\Administrador.LLANES\Escritorio\FixComputer\6 Farbar"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is OK.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0126976 ____A (Microsoft Corporation) 2DDFB3A5679FA02366686ECB1AF622F0

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0045568 ____A (Microsoft Corporation) E903D6C886CA0C86164BF778589F7C6E

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0332288 ____A (Microsoft Corporation) 4A4EF3EE166FAD4A04B1D767AD986329

C:\WINDOWS\system32\netman.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0198144 ____A (Microsoft Corporation) A48884C9359EE9F1FC8F3F0D93FB1D95

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-07-19 13:24] - [2008-04-14 07:48] - 0145408 ____A (Microsoft Corporation) A5FC75CAB140CF6A78E16C3681001872

C:\WINDOWS\system32\srsvc.dll
[2010-07-19 13:26] - [2008-04-14 07:48] - 0171520 ____A (Microsoft Corporation) 0F30EEC6013FCF76693405EC4A7DF899

C:\WINDOWS\system32\Drivers\sr.sys
[2010-07-19 13:26] - [2008-04-14 07:28] - 0073472 ____A (Microsoft Corporation) CCB3065C3EE63A4515FE84AF9E78D1DD

C:\WINDOWS\system32\wscsvc.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0080896 ____A (Microsoft Corporation) 8CD684FD248DFE208C2F8F5052838A81

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-07-19 13:24] - [2008-04-14 07:48] - 0145408 ____A (Microsoft Corporation) A5FC75CAB140CF6A78E16C3681001872

C:\WINDOWS\system32\wuauserv.dll
[2010-07-19 13:26] - [2008-04-14 07:48] - 0006656 ____A (Microsoft Corporation) 0B8FC4D0F9D6964713E81AD558B50A71

C:\WINDOWS\system32\qmgr.dll
[2010-07-19 13:26] - [2008-04-14 07:48] - 0409088 ____A (Microsoft Corporation) 8EE9639C01B92490E09638CAA1B16C3C

C:\WINDOWS\system32\es.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0246272 ____A (Microsoft Corporation) 76ABF3BB5A6D684641EC92B28240811D

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-19 08:41] - [2008-04-14 07:48] - 0062464 ____A (Microsoft Corporation) E423C9C1946C656E0E4840210A0A8681

C:\WINDOWS\system32\svchost.exe
[2004-08-19 08:43] - [2008-04-14 07:49] - 0014336 ____A (Microsoft Corporation) 4F2340F0BD5B6365C38E74DD391919A8

C:\WINDOWS\system32\rpcss.dll
[2004-08-19 08:42] - [2008-04-14 07:48] - 0399360 ____A (Microsoft Corporation) 53D02EFFA72CA5C57687BEE20610ABA6

C:\WINDOWS\system32\services.exe
[2004-08-19 08:43] - [2008-04-14 07:49] - 0109056 ____A (Microsoft Corporation) D658A8C2FC7B2AD53D1259741A09EE04


Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****
