Good morning, everyone!
Look, I got infected with the virus photo.1226.jepg-www.myspeace.com over MSN, and since then I have carried out many of the steps I read on the forum pages. Everything went fine, but I think it left some after-effects.
The current problem is that I can't get into Google.
Let me tell you what I did, and at the end the HijackThis log.
In order of steps:
I disabled System Restore and booted into safe mode.
MsnCleaner => Strangely, it detected nothing.
Avast => Updated it and ran a thorough scan; nothing.
Rebooted, booted from Linux, installed Avast and ran it from there on the partitions I use in Windows... => Again, it reports no anomaly.
Tired of so much struggle, I went on to install the following programs:
> SUPERAntiSpyware
> Spybot - Search & Destroy
> Ad-Aware and Malwarebytes' Anti-Malware
Each of which detected different things:
SUPERAntiSpyware
Trojan.Dropper/Gen-MultiPacked
C:\DOCUMENTS AND SETTINGS\MARTIN RISOLINO\OFC.EXE
C:\WINDOWS\SYSTEM32\AQJ.EXE
C:\WINDOWS\Prefetch\AQJ.EXE-2B54C1EA.pf
Spybot - Search & Destroy (gave me the following report)
Code:
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-07-23 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-07-15 Includes\Adware.sbi
2008-07-15 Includes\AdwareC.sbi
2008-06-03 Includes\Cookies.sbi
2008-06-03 Includes\Dialer.sbi
2008-07-07 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-07-10 Includes\Hijackers.sbi
2008-07-08 Includes\HijackersC.sbi
2008-07-15 Includes\Keyloggers.sbi
2008-07-15 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-07-23 Includes\Malware.sbi
2008-07-23 Includes\MalwareC.sbi
2008-07-15 Includes\PUPS.sbi
2008-07-22 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-18 Includes\Security.sbi
2008-07-08 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-07-11 Includes\Spyware.sbi
2008-07-15 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-07-23 Includes\Trojans.sbi
2008-07-22 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ Windows XP / SP3: Windows XP Service Pack 3
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
--- Startup entries list ---
Located: HK_LM:Run, avast!
command: C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
size: 79224
MD5: 87B63FD1B5EC5CC41589CE7026DB7C5F
Located: HK_LM:Run, igfxhkcmd
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 77824
MD5: D9F3DB62D1B361D82CD82A347EA6218D
Located: HK_LM:Run, igfxpers
command: C:\WINDOWS\system32\igfxpers.exe
file: C:\WINDOWS\system32\igfxpers.exe
size: 118784
MD5: 32FB9368F485A7FE944EB6678B61734B
Located: HK_LM:Run, igfxtray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 94208
MD5: 54F1F98C4AD8F99BBBE8FBB62B38733F
Located: HK_LM:Run, SkyTel
command: SkyTel.EXE
file: SkyTel.EXE
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
file: C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
Located: HK_LM:Run, SynTPEnh
command: C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
file: C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
size: 761946
MD5: 59307A84CACE50B66089DBD5F74EA17A
Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-19...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-20...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD
Located: HK_CU:Run, ares
where: S-1-5-21-789336058-1220945662-682003330-1003...
command: "C:\Archivos de programa\Ares\Ares.exe" -h
file: C:\Archivos de programa\Ares\Ares.exe
size: 968704
MD5: 9BCC1C5D6B4F93AEF781441AF7490723
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-21-789336058-1220945662-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD
Located: HK_CU:Run, MsnMsgr
where: S-1-5-21-789336058-1220945662-682003330-1003...
command: "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
file: C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: FDEC512CB8752174649D3A513893938A
Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-789336058-1220945662-682003330-1003...
command: C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
size: 2156368
MD5: 08FC1FAD357F053043016597B6559BDC
Located: HK_CU:Run, SUPERAntiSpyware
where: S-1-5-21-789336058-1220945662-682003330-1003...
command: C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
file: C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1506544
MD5: 24A3D7D9DD5555F409CF909600D32D60
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD
Located: Inicio (común), Acceso directo a ViOrbv2.lnk
where: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio...
command: C:\WINDOWS\Resources\Themes\Aero Basic Black for XP\ViOrb\ViOrb IntensityStyle RC1\ViOrbv2.exe
file: C:\WINDOWS\Resources\Themes\Aero Basic Black for XP\ViOrb\ViOrb IntensityStyle RC1\ViOrbv2.exe
size: 163840
MD5: 66DB6659A220A30B0F54419483D474A7
Located: Inicio (común), BTTray.lnk
where: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio...
command: C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
file: C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
size: 618557
MD5: B21EACDAD44AB2F47C5630F4283FE833
Located: WinLogon, !SASWinLogon
command: C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
file: C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
size: 294912
MD5: 3B2F85D8C913CE452ADE4A0D24299FEA
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
--- ActiveX list ---
{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 11/07/2006 09:41:36 a.m.
Date (last access): 24/07/2008 09:45:58 a.m.
Date (last write): 11/07/2006 09:41:36 a.m.
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Archivos de programa\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 10/06/2008 02:32:34 a.m.
Date (last access): 24/07/2008 09:45:58 a.m.
Date (last write): 10/06/2008 04:27:02 a.m.
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Archivos de programa\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 10/06/2008 02:32:34 a.m.
Date (last access): 24/07/2008 09:45:58 a.m.
Date (last write): 10/06/2008 04:27:02 a.m.
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Archivos de programa\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 10/06/2008 02:32:34 a.m.
Date (last access): 24/07/2008 09:45:58 a.m.
Date (last write): 10/06/2008 04:27:02 a.m.
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
--- Process list ---
PID: 0 ( 0) [System]
PID: 1104 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 1200 (1104) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 1224 (1104) \??\C:\WINDOWS\system32\winlogon.exe
size: 510976
PID: 1268 (1224) C:\WINDOWS\system32\services.exe
size: 109056
MD5: D658A8C2FC7B2AD53D1259741A09EE04
PID: 1280 (1224) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 671ACA589DA3733FAC878A751C5BF0ED
PID: 1440 (1268) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4F2340F0BD5B6365C38E74DD391919A8
PID: 1528 (1268) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4F2340F0BD5B6365C38E74DD391919A8
PID: 1568 (1268) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4F2340F0BD5B6365C38E74DD391919A8
PID: 1624 (1268) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4F2340F0BD5B6365C38E74DD391919A8
PID: 1752 (1268) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4F2340F0BD5B6365C38E74DD391919A8
PID: 200 (1268) C:\Archivos de programa\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 232 (1268) C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
size: 17272
MD5: 67AF5593EF8359B56DAD6F289D22494B
PID: 304 (1268) C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
size: 144760
MD5: 373BF09D372A82EA637CA9A6BC8CC8E9
PID: 444 ( 428) C:\WINDOWS\Explorer.EXE
size: 1036288
MD5: 7522F548A84ABAD8FA516DE5AB3931EF
PID: 1060 (1268) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: CDD2DC6AE65084481E723E746C20539A
PID: 1448 ( 444) C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
size: 761946
MD5: 59307A84CACE50B66089DBD5F74EA17A
PID: 1632 ( 444) C:\WINDOWS\system32\hkcmd.exe
size: 77824
MD5: D9F3DB62D1B361D82CD82A347EA6218D
PID: 1656 ( 444) C:\WINDOWS\system32\igfxpers.exe
size: 118784
MD5: 32FB9368F485A7FE944EB6678B61734B
PID: 1684 ( 444) C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
size: 79224
MD5: 87B63FD1B5EC5CC41589CE7026DB7C5F
PID: 1720 ( 444) C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
PID: 1736 ( 444) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD
PID: 1800 ( 444) C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: FDEC512CB8752174649D3A513893938A
PID: 160 ( 444) C:\WINDOWS\Resources\Themes\Aero Basic Black for XP\ViOrb\ViOrb IntensityStyle RC1\ViOrbv2.exe
size: 163840
MD5: 66DB6659A220A30B0F54419483D474A7
PID: 172 ( 444) C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
size: 618557
MD5: B21EACDAD44AB2F47C5630F4283FE833
PID: 824 (1268) C:\Archivos de programa\Bonjour\mDNSResponder.exe
size: 229376
MD5: 73686FE0B2E0469F89FD2075BE724704
PID: 468 (1268) C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
size: 266295
MD5: D9E3B5AAD23BF7EFA6A5DE3C855E0DA2
PID: 1144 (1268) C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe
size: 71096
MD5: FD306FBCCE7ADB1077B709742E7148E9
PID: 336 (1268) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4F2340F0BD5B6365C38E74DD391919A8
PID: 224 (1268) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: AB0A7CA90D9E3D6A193905DC1715DED0
PID: 1908 (1268) C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
size: 247160
MD5: 1E105120FCA89F052081D94D8EDDD522
PID: 2068 (1268) C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
size: 349560
MD5: 0AC0D3338B4E4F2744B648FCC35A8BB3
PID: 2664 (1268) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 764B7A1E6AE2D70416A7932F3B97AC99
PID: 556 (1568) C:\WINDOWS\system32\wuauclt.exe
size: 53080
MD5: F3E9065EB617A7E3A832A7976BFA021B
PID: 3008 ( 444) C:\Archivos de programa\Mozilla Firefox\firefox.exe
size: 307712
MD5: A6D64056AD6CA84534143757FD782D7A
PID: 680 (1268) C:\WINDOWS\system32\msiexec.exe
size: 78848
MD5: 858653E3E1183B2F4CE924FDA8A256EF
PID: 920 ( 444) C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1506544
MD5: 24A3D7D9DD5555F409CF909600D32D60
PID: 3032 ( 444) C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4 ( 0) System
PID: 752 (3032) C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
size: 2156368
MD5: 08FC1FAD357F053043016597B6559BDC
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 24/07/2008 09:49:00 a.m.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Ad-Aware (found and removed the following)
Code:
3262
Win32.Trojan.Monder Malware 10
[202814] File: C:\Documents and Settings\Martin Risolino\Configuración local\Temp\photo.zip
1394
Win32.Trojan-Dropper.Delf Malware 10
[190125] File: D:\Documentos\Descargas\SO\aresregular209_installer.exe
9999
[1] MRU Path: C:\Documents and Settings\Martin Risolino\Recent Count: 7
[3] MRU Registry Key: S-1-5-21-789336058-1220945662-682003330-1003\Software\Microsoft\Internet Explorer\TypedURLs Count: 3
Well, after removing what was found, I ran CCleaner and put together a HijackThis log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:57:36 a.m., on 24/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Lavasoft\Ad-Aware\aawservice.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\Resources\Themes\Aero Basic Black for XP\ViOrb\ViOrb IntensityStyle RC1\ViOrbv2.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Martin Risolino\ofc.exe \o
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Archivos de programa\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Archivos de programa\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Archivos de programa\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Archivos de programa\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe
--
End of file - 7186 bytes
Well, thanks a lot in advance, everyone!!
Martin
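Added example, not part of Martin's post or of any tool he ran: a small Python triage script for HijackThis logs, run over a constructed sample made from lines copied out of the log above. It flags the two things a helper would point at in that log: the extra program in the F2 UserInit line (ofc.exe, the same file SUPERAntiSpyware reported as Trojan.Dropper) and the entries whose target is "(no file)". The expected UserInit path and the CLSID pattern are assumptions about a stock Windows XP system, not values taken from the post.

```python
import re

# Constructed sample: the lines below are copied from the HijackThis log in the
# post above, so the checks exercise the exact entries the poster reported.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Martin Risolino\ofc.exe \o
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Assumption: the only program that belongs in UserInit on a stock Windows XP
# install. HijackThis only reports F2 UserInit when the value differs from it.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_userinit(line):
    """Split an F2 UserInit line into its comma-separated programs.

    Returns None when the line is not an F2 UserInit entry. Empty entries
    (e.g. from the trailing comma Windows writes by default) are dropped.
    """
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def userinit_extras(line):
    """Programs in UserInit other than the system userinit.exe.

    Everything listed in UserInit runs in the user's session at every logon,
    so anything beyond userinit.exe is a persistence hook worth investigating.
    Arguments after the path (like the switch after ofc.exe in the log) are
    kept in the returned string but ignored for the comparison.
    """
    entries = parse_userinit(line)
    if entries is None:
        return []
    extras = []
    for entry in entries:
        lowered = entry.lower()
        if lowered == EXPECTED_USERINIT or lowered.startswith(EXPECTED_USERINIT + " "):
            continue
        extras.append(entry)
    return extras


def orphan_entry(line):
    """Return (entry type, CLSID) for a line whose target is "(no file)".

    HijackThis marks registry entries whose referenced file is gone this way;
    they are leftovers from a removal or uninstall and are routine cleanup.
    """
    if not line.endswith("(no file)"):
        return None
    kind = line.split(" - ", 1)[0]
    m = re.search(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}", line)
    return (kind, m.group(0) if m else "")


def triage(log_text):
    """Return a list of (category, entry type, detail) findings for a log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for extra in userinit_extras(line):
            findings.append(("userinit-hook", "F2", extra))
        orphan = orphan_entry(line)
        if orphan:
            findings.append(("orphan", orphan[0], orphan[1]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```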