1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.894.561 [GMT -5:00]
Running from: \\PC02\Documentos c\Herramientas\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
- REDUCED FUNCTIONALITY MODE .
(((((((((((((((((((((((((((((((((((((((
)))))))))))))))))))))))))))))
.
Other Deletions
))))))))))))))))))))
c:\windows\system32\esclavx.cfg
.
(((((((((((((((((((((((((
))))))))))))))))))))))))
.
)))))))))))))))))))))
c:\windows\syste
c:\archivos de p
e\spoolsv.exe
+ 2009-10-21 21:45 . 2008-04-14 02:18 59904
e\regsvc.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 17408
e\powrprof.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 52736
e\mspmsnsv.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 33792
e\msgsvc.dll
+ 2009-10-21 21:45 . 2008-04-14 02:19 13312
e\lsass.exe
+ 2009-10-21 21:45 . 2008-04-14 02:18 22016
e\lpk.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 19968
e\linkinfo.dll
+ 2009-10-21 21:45 . 2008-04-14 01:55 25088
e\kbdclass.sys
+ 2009-10-21 21:45 . 2008-04-13 18:53 36608
e\ip6fw.sys
+ 2009-10-21 21:45 . 2008-04-14 02:18 56320
e\eventlog.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 15360
e\ctfmon.exe
+ 2009-10-21 21:45 . 2008-04-14 02:18 62464
e\cryptsvc.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 77824
e\browser.dll
+ 2010-02-21 23:14 . 2008-04-13 18:40 96512
e\atapi.sys
+ 2009-10-21 21:45 . 2008-04-13 18:57 14336
e\asyncmac.sys
+ 2009-10-21 21:45 . 2008-04-13 18:36 42368
e\agp440.sys
+ 2009-10-21 21:45 . 2001-08-24 10:00 12032
e\acpiec.sys
+ 2009-08-10 17:26 . 2009-08-10 17:26 8192
Users\00000004\UsrClass.dat
+ 2009-08-10 17:26 . 2009-08-10 17:26 8192
Users\00000002\UsrClass.dat
+ 2009-10-21 21:45 . 2008-04-14 02:18 5120
\sfc.dll
+ 2009-10-21 21:45 . 2001-08-24 10:00 2944
\null.sys
+ 2009-10-21 21:45 . 2001-08-24 10:00 4224
\beep.sys
+ 2010-12-13 15:54 . 2010-12-13 15:54 833024
\21b83.msi
- 2010-02-06 18:48 . 2010-02-06 18:48 136448
\{DB3B70EE-881B-4FF3-8602-E9FF599D328B}\egui.exe
+ 2010-12-13 15:54 . 2010-12-13 15:54 136448
\{DB3B70EE-881B-4FF3-8602-E9FF599D328B}\egui.exe
+ 2009-08-10 17:26 . 2009-08-10 17:26 262144
s\Users\00000006\UsrClass.dat
+ 2009-08-10 17:26 . 2009-08-10 17:26 233472
s\Users\00000003\NTUSER.DAT
+ 2009-08-10 17:26 . 2009-08-10 17:26 229376
s\Users\00000001\NTUSER.DAT
+ 2009-10-21 21:45 . 2008-04-14 02:18 129024
he\xmlprov.dll
+ 2009-10-21 21:45 . 2008-04-14 02:19 510976
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\cach
c:\windows\ERDNT\subs\
c:\windows\ERDNT\subs\
c:\windows\ERDNT\cache
c:\windows\ERDNT\cache
c:\windows\ERDNT\cache
c:\windows\Installer
c:\windows\Installer
c:\windows\Installer
c:\windows\ERDNT\sub
c:\windows\ERDNT\sub
c:\windows\ERDNT\sub
c:\windows\ERDNT\cac
c:\windows\ERDNT\cac
he\winlogon.exe
+ 2009-10-21 21:45 . 2009-07-03
he\wininet.dll
+ 2009-10-21 21:45 . 2008-04-14
he\user32.dll
+ 2009-10-21 21:45 . 2008-04-14
he\upnphost.dll
+ 2009-10-21 21:45 . 2008-04-14
he\termsrv.dll
+ 2009-10-21 21:45 . 2008-06-20
he\tcpip.sys
+ 2009-10-21 21:45 . 2008-04-14
he\tapisrv.dll
+ 2009-10-21 21:45 . 2008-04-14
he\srsvc.dll
+ 2009-10-21 21:45 . 2008-04-14
he\shsvcs.dll
+ 2009-10-21 21:45 . 2009-02-09
he\services.exe
+ 2009-10-21 21:45 . 2008-04-14
he\schedsvc.dll
+ 2009-10-21 21:45 . 2008-04-14
he\scecli.dll
+ 2009-10-21 21:45 . 2009-02-09
he\rpcss.dll
+ 2009-10-21 21:45 . 2008-04-14
he\qmgr.dll
+ 2009-10-21 21:45 . 2008-04-14
he\ntmssvc.dll
+ 2009-10-21 21:45 . 2008-04-13
he\ntfs.sys
+ 2009-10-21 21:45 . 2008-04-14
he\netman.dll
+ 2009-10-21 21:45 . 2008-04-14
he\netlogon.dll
+ 2009-10-21 21:45 . 2008-04-13
he\ndis.sys
+ 2009-10-21 21:45 . 2008-06-20
he\mswsock.dll
+ 2009-10-21 21:45 . 2008-04-14
he\msvcrt.dll
+ 2009-10-21 21:45 . 2008-04-14
he\mfc40u.dll
+ 2009-10-21 21:45 . 2008-04-14
he\imm32.dll
+ 2009-10-21 21:45 . 2008-07-07
he\es.dll
+ 2009-10-21 21:45 . 2008-04-14
he\comctl32.dll
+ 2009-10-21 21:45 . 2008-04-14
he\appmgmts.dll
+ 2009-10-21 21:45 . 2008-04-13
he\aec.sys
+ 2009-08-10 19:34 . 2010-10-06
\esclavo.exe
+ 2009-08-10 17:26 . 2009-08-10
bs\Users\00000005\NTUSER.DAT
+ 2009-10-21 21:45 . 2008-04-14
che\sfcfiles.dll
+ 2009-10-21 21:45 . 2009-02-09
16:57
915456
c:\windows\ERDNT\cac
02:18
579584
c:\windows\ERDNT\cac
02:18
186368
c:\windows\ERDNT\cac
02:18
296960
c:\windows\ERDNT\cac
11:51
361600
c:\windows\ERDNT\cac
02:18
249856
c:\windows\ERDNT\cac
02:18
171520
c:\windows\ERDNT\cac
02:18
135168
c:\windows\ERDNT\cac
11:23
111104
c:\windows\ERDNT\cac
02:18
193536
c:\windows\ERDNT\cac
02:18
185856
c:\windows\ERDNT\cac
10:52
401408
c:\windows\ERDNT\cac
02:18
409088
c:\windows\ERDNT\cac
02:18
437760
c:\windows\ERDNT\cac
19:15
574976
c:\windows\ERDNT\cac
02:18
198144
c:\windows\ERDNT\cac
02:18
407040
c:\windows\ERDNT\cac
19:20
182656
c:\windows\ERDNT\cac
17:47
248320
c:\windows\ERDNT\cac
02:18
343040
c:\windows\ERDNT\cac
02:18
927504
c:\windows\ERDNT\cac
02:18
110080
c:\windows\ERDNT\cac
20:27
253952
c:\windows\ERDNT\cac
02:18
617472
c:\windows\ERDNT\cac
02:18
175104
c:\windows\ERDNT\cac
16:39
142592
c:\windows\ERDNT\cac
20:06
1556480
c:\windows\system32
17:26
4599808
c:\windows\ERDNT\su
02:18
1572352
c:\windows\ERDNT\ca
11:24
2191488
c:\windows\ERDNT\ca
che\ntoskrnl.exe
+ 2009-10-21 21:45 . 2009-02-11 00:06 2068480
che\ntkrnlpa.exe
+ 2009-10-21 21:45 . 2009-07-19 13:14 5937152
che\mshtml.dll
+ 2009-10-21 21:45 . 2009-03-21 14:08 1042944
che\kernel32.dll
+ 2009-10-21 21:45 . 2008-04-14 02:18 1036288
che\explorer.exe
.
-- Snapshot reset to current date -.
((((((((((((((((((((((((((((((((((((( Reg Loading Points
)))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
c:\windows\ERDNT\ca
c:\windows\ERDNT\ca
c:\windows\ERDNT\ca
c:\windows\ERDNT\ca
)))))))))))))))))))
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2007-06-28 17:39 65536 ----a-w c:\windows\system32\LogonDll.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D *
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Men Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Men Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Men Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Men Inicio\Programas\Inicio\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"c:\\Archivos de programa\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Archivos de programa\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\Administrador\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [28/06/2007 12:45 131472]
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [08/08/2008 21:34 38784]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [13/03/2008 16:52 33800]
R2 ekrn;Eset Service;c:\archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe [13/03/2008 16:49 472320]
R2 escSrv;Cargador del Terminal;c:\windows\system32\escsrv.exe [10/08/2009 14:34 45056]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [08/08/2008 21:34 116224]
--- Other Services/Drivers In Memory --*Deregistered* - udffsrec
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- pref("media.enforce_sa
- pref("media.cache_size
- pref("media.ogg.enable
- pref("media.wave.enabl
- pref("media.autoplay.e
- pref("browser.urlbar.a
- pref("capability.polic
- pref("dom.storage.defa
- pref("content.sink.eve
- pref("network.http.pro
- pref("layout.css.dpi",
- pref("layout.css.devPixelsPerPx", -1);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\archivos de programa\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 19:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS --------------------
[HKEY_USERS\S-1-5-21-299502267-1715567821-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,0e,c1,d8,cf,ad,64,48,a1,59,34,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,0e,c1,d8,cf,ad,64,48,a1,59,34,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LogonDll.dll
.
Completion time: 2011-01-07 19:49
ComboFix-quarantined-files.txt 2011-01-07 00:49
ComboFix2.txt 2010-02-21 23:15
ComboFix3.txt 2009-10-21 21:46
ComboFix4.txt 2009-08-10 17:32
Pre-Run: 26.226.475.008 bytes libres
Post-Run: 26.192.830.464 bytes libres
285
--- E O F ---
2009-09-21 21:02