Foro de Spyware - Ver Mensaje Individual - Me infecte con virusProtectPro (Solucionado)

Tema: Me infecte con virusProtectPro (Solucionado)

Ver Mensaje Individual

post #3 (permalink)

04/09/07, 12:02:37

Ellathan

Usuario

Registrado: sep 2007

Ubicación: Barcelona

Mensajes: 5

Re: Me infecte con virusProtectPro

Ya e hecho lo de Silent Runners y esto es lo que me a salido:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"LDM" = "C:\Archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe" ["Logitech Inc."]
"H/PC Connection Agent" = ""C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"System Services" = "lgkmdavvc.exe" [file not found]
"BitTorrent" = ""C:\Archivos de programa\BitTorrent\bittorrent.exe" --force_start_minimized" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MessengerPlus3" = ""C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"MSMSGS" = ""C:\Archivos de programa\Messenger\msmsgs.exe" /background" [MS]
"SUPERAntiSpyware" = "C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"SoundMAXPnP" = "C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Archivos de programa\Analog Devices\SoundMAX\smax4.exe" /tray" ["Analog Devices, Inc."]
"ATIPTA" = "C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"CnxDslTaskBar" = "C:\Archivos de programa\Telefonica Kit ADSL USB\CnxDslTb.exe" ["Conexant Systems Inc."]
"MMTray" = ""C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"" ["Musicmatch, Inc."]
"MessengerPlus3" = ""C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"HP Component Manager" = ""C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb 10.exe" ["HP"]
"HP Software Update" = ""C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"QuickTime Task" = ""C:\Archivos de programa\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u"
"System Services" = "lgkmdavvc.exe" [file not found]
"SunJavaUpdateSched" = ""C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"mmtask" = ""C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"" ["Musicmatch Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"OpwareSE2" = ""C:\Archivos de programa\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
"OPSE reminder" = ""C:\Archivos de programa\ScanSoft\OmniPageSE2.0\EregSpa\Ereg.exe" -r "C:\Archivos de programa\ScanSoft\OmniPageSE2.0\EregSpa\ereg.ini"" ["ScanSoft, Inc."]
"Google Desktop Search" = ""C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
"ATICCC" = ""C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"LanzarL2007" = ""C:\DOCUME~1\USUARIO\CONFIG~1\Temp\{EE62CFC2-4FA3-4970-BCB7-3054C2F2DF8D}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x000a"" [file not found]
"a-squared" = ""C:\Archivos de programa\a-squared Anti-Malware\a2guard.exe" /d=60" ["Emsi Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_ 0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {HKLM...CLSID} = "Extensión de paneo de pantalla del Panel de control"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensión de iconos de archivo de Outlook"
\InProcServer32\(Default) = "C:\archivos de programa\microsoft office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\archivos de programa\microsoft office\Office10\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a-squared Anti-Malware Shell Extension"
-> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler\
<<!>> "{b36d60c8-e1ce-464e-b74c-8128a627ef56}" = "hyracina"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\vvihh.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\WINDOWS\system32\__c00A4F29.dat" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandler s\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
-> {HKLM...CLSID} = "AmvTransform Class"
\InProcServer32\(Default) = "C:\Archivos de programa\MP3 Player Utilities 3.60\AMVTools\AmvTransform.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
a-squared Anti-Malware Shell Extension\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex \ContextMenuHandlers\
a-squared Anti-Malware Shell Extension\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\

"SpecifyDefaultButtons" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Btn_Search" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbars}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbar buttons}

HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configur ación local\Datos de programa\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\USUARIO\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]

Startup items in "USUARIO" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\USUARIO\Menú Inicio\Programas\Inicio
"Búsqueda rápida de Microsoft" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE" [MS]
"Inicio de Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office\OSA.EXE -b" [MS]
"OpenOffice.org 1.0.1" -> shortcut to: "C:\Archivos de programa\OpenOffice.org1.0.1\program\quickstart.ex e" [null data]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Adobe Gamma Loader" -> shortcut to: "C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Archivos de programa\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe -startup" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Archivos de programa\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]

Enabled Scheduled Tasks:
------------------------

"A883B6DB91D42D8B" -> launches: "c:\docume~1\usuario\datosd~1\boneda~1\film dupe bias.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "Barra de Herramientas MSN"
\InProcServer32\(Default) = "C:\Archivos de programa\MSN Toolbar\01.01.2607.0\es\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_ 0.dll" ["Yahoo! Inc."]
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Archivos de programa\Canon\Easy-WebPrint\Toolband.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Archivos de programa\Canon\Easy-WebPrint\Toolband.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Consola de Sun Java"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Crear un favorito móvil"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Crear un favorito móvil..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft ActiveSync\INETREPL.DLL" [MS]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Archivos de programa\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "OnlineInformation" = "http://www.the-exit.com" [file not found]

HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 112 domain names to IP addresses,
111 of the IP addresses are *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Anti-Malware Service, a2AntiMalware, ""C:\Archivos de programa\a-squared Anti-Malware\a2service.exe"" ["Emsi Software GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Canon BJ Language Monitor MP150\Driver = "CNMLM7K.DLL" ["CANON INC."]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]

---------- (launch time: 2007-09-04 15:01:00)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 117 seconds.
---------- (total run time: 180 seconds)