ComboFix 12-01-10.02 - Administrador 11/01/2012 18:29:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.3327.2823 [GMT -5:00]
Running from: c:combofixComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:documents and settingsAdministradorEscritorioInternet Explorer.lnk
c:windowssystem32PowerToyReadme.htm
c:windowssystem32wallpaper.exe
c:windowssystem32windowsupdate.exe
c:windowswallpaper.jpg
.
.
((((((((((((((((((((((((( Files Created from 2011-12-11 to 2012-01-11 )))))))))))))))))))))))))))))))
.
.
2012-01-11 22:59 . 2012-01-11 22:59 -------- d-----w- C:AMD
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-11 . C2BDEA3B5E025FADB79FD3DEB23B8F53 . 361344 . . [5.1.2600.5512] . . c:windowssystem32driverstcpip.sys
.
[-] 2008-04-14 07:48 . BC40A2DE9FB2C8A551A240F2359C8F30 . 847360 . . [2001.12.4414.700] . . c:windowssystem32comres.dll
[7] 2008-04-14 07:48 . 93F4E612C695E81512110956454E6E25 . 837120 . . [2001.12.4414.700] . . c:windowsXPize DarksideBackupcomres.dll
.
[-] 2008-05-11 . 38FF5050D7BC47F344AE271B6C250201 . 3591680 . . [7.00.6000.16640] . . c:windowssystem32mshtml.dll
.
[-] 2008-05-11 . 39E5AA52B667BDD18690336E7E410EAF . 826368 . . [7.00.6000.16640] . . c:windowssystem32wininet.dll
.
[-] 2008-04-14 . C6C729770D9C3A0AD4D2D28788E71684 . 1698816 . . [6.00.2900.5512] . . c:windowsexplorer.exe
[7] 2008-04-14 . 7522F548A84ABAD8FA516DE5AB3931EF . 1036288 . . [6.00.2900.5512] . . c:windowsXPize DarksideBackupexplorer.exe
.
[-] 2008-04-14 . C8F12B2102B5A9F9AB87E23C6EDFA021 . 429056 . . [5.1.2600.5512] . . c:windowsregedit.exe
[7] 2008-04-14 . F4B9F9AA2F72FAD20D09C3E3FF2BE224 . 152064 . . [5.1.2600.5512] . . c:windowsXPize DarksideBackupregedit.exe
.
[-] 2008-04-14 . 97D44EE3E44CDC7035E3CB2EF20BABDB . 30208 . . [5.1.2600.5512] . . c:windowssystem32ctfmon.exe
[7] 2008-04-14 . DAAE1CB1B1875B760496E7D3336DA1AD . 15360 . . [5.1.2600.5512] . . c:windowsXPize DarksideBackupctfmon.exe
.
.
.
[-] 2008-05-11 20:28 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:windowssystem32mspmsnsv.dll
.
.
c:windowsSystem32wscntfy.exe ... is missing !!
c:windowsSystem32regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"TaskSwitchXP"="c:archivos de programaTaskSwitchXPTaskSwitchXP.exe" [2006-08-04 62976]
.
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"StartCCC"="c:archivos de programaATI TechnologiesATI.ACECore-StaticCLIStart.exe" [2011-03-10 98304]
"USB Security"="c:archivos de programaUSB Disk SecurityUSBGuard.exe" [2011-01-31 627616]
.
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32CTFMON.EXE" [2008-04-14 30208]
.
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-05-11 124928]
.
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00
.
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregctfmon.exe]
2008-04-14 07:48 30208 ----a-w- c:windowssystem32ctfmon.exe
.
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregHDAudDeck]
2010-10-22 03:13 40995440 ----a-r- c:archivos de programaVIAVIAudioiHDADeckHDeck.exe
.
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%Network Diagnosticxpnetdiag.exe"=
"%windir%system32sessmgr.exe"=
"c:Archivos de programaWindows LiveMessengerwlcsdk.exe"=
"c:Archivos de programaWindows LiveMessengermsnmsgr.exe"=
.
R0 sptd;sptd;c:windowssystem32driverssptd.sys [11/01/2012 11:17 717296]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:windowssystem32driversAtihdXP3.sys [11/01/2012 18:00 101904]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:windowssystem32driversl1c51x86.sys [11/01/2012 17:51 50176]
R3 usbfilter;AMD USB Filter Driver;c:windowssystem32driversusbfilter.sys [11/01/2012 17:47 30392]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:windowssystem32driversviahduaa.sys [11/01/2012 17:52 2135280]
S3 MSICDSetup;MSICDSetup;??e:cdriver.sys --> e:CDriver.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - UDFS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.experienciaue.com.ar/graciasporinstalar20091.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: Interfaces{BE5DD549-A9DA-497C-97B4-8CF94843DB28}: NameServer = 200.48.225.130,200.48.225.146
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-11 18:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:windowssystem32SETUPAPI.dll
c:windowssystem32Ati2evxx.dll
c:windowssystem32atiadlxx.dll
c:windowssystem32cscui.dll
.
- - - - - - - > 'lsass.exe'(560)
c:windowssystem32setupapi.dll
.
Completion time: 2012-01-11 18:31:43
ComboFix-quarantined-files.txt 2012-01-11 23:31
.
Pre-Run: 257.153.736.704 bytes libres
Post-Run: 257.164.029.952 bytes libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - FF47439C608601FA56E23F036E003415