PDA

Ver la Versión Completa : pc infectada con Spylocket

guasopampa
30/06/07, 17:16:33
Hola, mi pc esta infectada con Spylocket, sistema operativo windows XP service pack 2. Ya pase el PSGUard y el ccleaner. No encuentro en el Hijackthis las entradas BHO y toolbar que citan en esta pagina. Gracias por su ayuda
Hardrive
30/06/07, 17:43:39
Hola guasopampa

Reiniciá en Modo Seguro (http://www.forospyware.com/47-post4.html) y analizá con RogueRemover. Luego reiniciá en modo normal, analizá con Panda ActiveScan y pegá su reporte aquí junto a uno de lopxpMH2 (http://perso.numericable.fr/~altshift/Info/Fichiers/lopxpMH2_Sp.zip).

Salu2 :adios:
guasopampa
30/06/07, 21:30:33
el roueremover no encontro nada.
Aca estan los logs
Incidencia Estado Elemento Herramienta potencialmente no deseada:Application/Processor No desinfectado C:\WINNT\SYSTEM32\Process.exe
Herramienta potencialmente no deseada:Application/Processor No desinfectado C:\Documents and Settings\Osvaldo Caccaglio\Escritorio\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Desinfectado C:\Documents and Settings\Osvaldo Caccaglio\Escritorio\SmitfraudFix\RESTART.EXE
Reporte realizado a 22:28:25,43, 30/06/2007

Reporte realizado a 22:28:25,45, 30/06/2007
******************************************
## Carpetas Datos de programa


******************************************
## Carpetas Datos de programa

El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 0B34-16F3

Directorio de C:\Documents and Settings\Default User\Datos de programa

05/04/2005 00:47 <DIR> .
05/04/2005 00:47 <DIR> ..
23/03/2006 22:38 <DIR> AVG7
05/04/2005 00:55 <DIR> Microsoft
29/06/2007 02:59 62 desktop.ini
1 archivos 62 bytes
4 dirs 10.506.207.232 bytes libres
El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 0B34-16F3

Directorio de C:\Documents and Settings\All Users\Datos de programa

05/04/2005 00:47 <DIR> .
05/04/2005 00:47 <DIR> ..
23/04/2005 17:42 <DIR> Adobe
28/06/2005 22:52 <DIR> Adobe Systems
18/12/2005 23:23 <DIR> Autodesk
23/03/2006 22:38 <DIR> avg7
23/03/2006 22:38 <DIR> Grisoft
04/07/2005 01:28 <DIR> HP
28/06/2007 02:22 <DIR> Macromedia
05/04/2005 00:53 <DIR> Microsoft
05/04/2005 23:53 <DIR> SBT
28/06/2007 20:14 <DIR> Spybot - Search & Destroy
28/06/2007 04:17 <DIR> TEMP
29/06/2007 20:34 <DIR> Yahoo! Companion
29/06/2007 02:59 62 desktop.ini
04/07/2005 00:44 1.130 hpzinstall.log
2 archivos 1.192 bytes
14 dirs 10.506.207.232 bytes libres
El volumen de la unidad C no tiene etiqueta.
El n£mero de serie del volumen es: 0B34-16F3
<¡D3vIL!>
30/06/07, 21:55:54
Hola guasopampa


Descarga el SilentRunner (http://www.silentrunners.org/Silent%20Runners.vbs) (dale click con el boton derecho del ratón al enlace y luego en Guardar enlace cómo, Save as o Save Link as....)

Ejecuta el script, al hacerlo, te hará unas preguntas, en dichas preguntas contesta 'No' y 'Si' (en ese orden)....

Luego, deberás esperar (aunque parezca que no hace nada) a que te aparezca un mensaje con el botón OK

En la misma carpeta que ejecutes el script aparecerá un archivo llamado Reporte el cual deberás colocarlo aquí (si lo abres o envías antes de ver el mensaje con el botón Ok, no estará completo)


Ten un poquito de paciencia hasta que termine el proceso.

Salu2
Recuerda volver
guasopampa
30/06/07, 22:22:40
listo aqui lo tienes

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"CTFMON.EXE" = "C:\WINNT\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Archivos de programa\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"HP Software Update" = ""C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"!AVG Anti-Spyware" = ""C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"SDTray" = ""C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run OnceEx\ {++}
"Register Homesite+.exe" = ""C:\Archivos de programa\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER" ["Macromedia, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {HKLM...CLSID} = "Extensión de paneo de pantalla del Panel de control"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Seguimiento de menú Shell"
-> {HKLM...CLSID} = "Seguimiento de menú Shell"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Sitio del menú"
-> {HKLM...CLSID} = "Sitio del menú"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menú Barra de escritorio"
-> {HKLM...CLSID} = "Menú Barra de escritorio"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Vínculos"
-> {HKLM...CLSID} = "&Vínculos"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Imágenes en miniatura"
-> {HKLM...CLSID} = "Background Thumbnail Generator"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {HKLM...CLSID} = "Mis documentos"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensión de iconos de archivo de Outlook"
\InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Componente de extensión del núcleo de CorelDRAW"
-> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
\InProcServer32\(Default) = "C:\Archivos de programa\Corel\Corel Graphics 12\PROGRAMS\CrlShell.dll" ["Corel Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Archivos de programa\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {HKLM...CLSID} = "Nero Shell Extension Property Sheet"
\InProcServer32\(Default) = "[NeroFolder]\neroshx.dll" [file not found]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}" = "Macromedia FTP & RDS"
-> {HKLM...CLSID} = "Macromedia FTP & RDS"
\InProcServer32\(Default) = "C:\WINNT\system32\CfShellFtpRds.dll" ["Macromedia, Inc."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINNT\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler\
<<!>> "{596e4935-4d3b-4a3c-842d-2efd1b3de598}" = "hundi"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\pjgerka.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"| [file not found]|"sprestrt" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex \ContextMenuHandlers\
FAExt\(Default) = "{05672D66-9736-42F5-8BEB-FA1DD3CA51C4}"
-> {HKLM...CLSID} = "FAExt Class"
\InProcServer32\(Default) = "C:\ARCHIV~1\FILEAS~1\FILEAS~1.DLL" ["Malwarebytes"]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open \command\(Default) = ""C:\WINNT\notepad.exe" "%1"" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Configuraci ón local\Datos de programa\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\logon.scr" [MS]


Startup items in "Osvaldo Caccaglio" & "All Users" startup folders:
-------------------------------------------------------------------

C:\Documents and Settings\Osvaldo Caccaglio\Menú Inicio\Programas\Inicio
"Adobe Gamma" -> shortcut to: "C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Microsoft Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Archivos de programa\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Acrobat Assistant" -> shortcut to: "C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]


Winsock2 Service Provider DLLs:
-------------------------------
<¡D3vIL!>
30/06/07, 22:25:16
Hola guasopampa

- "Reinicia a prueba de fallos" (http://www.forospyware.com/292284-post4.html)

- Busca y elimina estos archivos/carpetas (Si no lo/los encuentras activa ''Ver archivos ocultos del sistema'' (http://www.forospyware.com/t13.html)),si no se dejan eliminar descarga el programa "FileASSASSIN" (http://www.forospyware.com/298547-post10.html),con la opción "Use la función eliminar al reiniciar windows


C:\WINNT\system32\pjgerka.dll


- Reinicia el PC a "Modo normal"

- Usa el Ccleaner(Manual) (http://www.forospyware.com/t39511.html) para limpiar el sistema,primero utilizá la opción de "Limpiador" para borrar cookies, temporales de Internet y todos los archivos que este te muestre como obsoletos.y luego usa su opción de "Registro" para limpiar todo el registro de Windows (haciendo copia de seguridad).

salu2 http://img455.imageshack.us/img455/7932/icontwistedrp4.gif
Recuerda volver y contarnos los resultados
Hardrive
30/06/07, 23:35:58
Además pegá un reporte del lopxpMH2 (http://perso.numericable.fr/~altshift/Info/Fichiers/lopxpMH2_Sp.zip) completo.

Salu2
guasopampa
01/07/07, 01:05:45
parece que lo lograste sacar, de ser asi te felicito. Te paso el log:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"CTFMON.EXE" = "C:\WINNT\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Archivos de programa\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"HP Software Update" = ""C:\Archivos de programa\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"!AVG Anti-Spyware" = ""C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"SDTray" = ""C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run OnceEx\ {++}
"Register Homesite+.exe" = ""C:\Archivos de programa\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER" ["Macromedia, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {HKLM...CLSID} = "Extensión de paneo de pantalla del Panel de control"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {HKLM...CLSID} = "Menu Band"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Seguimiento de menú Shell"
-> {HKLM...CLSID} = "Seguimiento de menú Shell"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Sitio del menú"
-> {HKLM...CLSID} = "Sitio del menú"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menú Barra de escritorio"
-> {HKLM...CLSID} = "Menú Barra de escritorio"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {HKLM...CLSID} = "IShellFolderBand"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Vínculos"
-> {HKLM...CLSID} = "&Vínculos"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Imágenes en miniatura"
-> {HKLM...CLSID} = "Background Thumbnail Generator"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {HKLM...CLSID} = "Mis documentos"
\InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensión de iconos de archivo de Outlook"
\InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Componente de extensión del núcleo de CorelDRAW"
-> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
\InProcServer32\(Default) = "C:\Archivos de programa\Corel\Corel Graphics 12\PROGRAMS\CrlShell.dll" ["Corel Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Archivos de programa\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {HKLM...CLSID} = "Nero Shell Extension Property Sheet"
\InProcServer32\(Default) = "[NeroFolder]\neroshx.dll" [file not found]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}" = "Macromedia FTP & RDS"
-> {HKLM...CLSID} = "Macromedia FTP & RDS"
\InProcServer32\(Default) = "C:\WINNT\system32\CfShellFtpRds.dll" ["Macromedia, Inc."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINNT\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler\
<<!>> "{596e4935-4d3b-4a3c-842d-2efd1b3de598}" = "hundi"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\pjgerka.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"| [file not found]|"sprestrt" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex \ContextMenuHandlers\
FAExt\(Default) = "{05672D66-9736-42F5-8BEB-FA1DD3CA51C4}"
-> {HKLM...CLSID} = "FAExt Class"
\InProcServer32\(Default) = "C:\ARCHIV~1\FILEAS~1\FILEAS~1.DLL" ["Malwarebytes"]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open \command\(Default) = ""C:\WINNT\notepad.exe" "%1"" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Configuraci ón local\Datos de programa\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\logon.scr" [MS]


Startup items in "Osvaldo Caccaglio" & "All Users" startup folders:
-------------------------------------------------------------------

C:\Documents and Settings\Osvaldo Caccaglio\Menú Inicio\Programas\Inicio
"Adobe Gamma" -> shortcut to: "C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Microsoft Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Archivos de programa\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Acrobat Assistant" -> shortcut to: "C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINNT\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
InCD Helper, InCDsrv, "C:\Archivos de programa\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Spyware Doctor Auxiliary Service, sdAuxService, "C:\Archivos de programa\Spyware Doctor\svcntaux.exe" ["PC Tools"]
Spyware Doctor Service, sdCoreService, "C:\Archivos de programa\Spyware Doctor\swdsvc.exe" ["PC Tools"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINNT\system32\mspmspsv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Adobe PDF Port\Driver = "C:\WINNT\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 72 seconds.
---------- (total run time: 152 seconds)
<¡D3vIL!>
01/07/07, 14:26:22
Hola guasopampa

El SilentRunner sige mostrado el archivo nocivo que debes eliminar ::ups::

- "Reinicia a prueba de fallos" (http://www.forospyware.com/292284-post4.html)

- Busca y elimina estos archivos/carpetas (Si no lo/los encuentras activa ''Ver archivos ocultos del sistema'' (http://www.forospyware.com/t13.html)),si no se dejan eliminar descarga el programa "FileASSASSIN" (http://www.forospyware.com/298547-post10.html),con la opción "Use la función eliminar al reiniciar windows


C:\WINNT\system32\pjgerka.dll


- Reinicia el PC a "Modo normal"

- Usa el Ccleaner(Manual) (http://www.forospyware.com/t39511.html) para limpiar el sistema,primero utilizá la opción de "Limpiador" para borrar cookies, temporales de Internet y todos los archivos que este te muestre como obsoletos.y luego usa su opción de "Registro" para limpiar todo el registro de Windows (haciendo copia de seguridad).

- Sube este archivo C:\WINNT\notepad.exe a Jotti's (http://www.forospyware.com/foro-de-virus-y-spywares/aviso-7.html) (Esta al final del post)

salu2 http://img455.imageshack.us/img455/7932/icontwistedrp4.gif
Recuerda volver y contarnos los resultados

© Copyright 2005 - 2008 InfoSpyware ® Todos los derechos reservados.
InfoSpyware Security Blog