
    Sirefefp-sirefef2 impossible to remove


    1. #1
      kores (User)
      Registered: Jul 2008
      Location: Pamplona
      Posts: 20

      Sirefefp-sirefef2 impossible to remove

      Hi, let's see if you can help me. I have a Windows 7 installation with Panda Cloud as the antivirus. About a week ago it started popping up all the time with "a virus has been detected and removed". It kept popping up, so I started investigating. I booted into safe mode and ran CCleaner, Malwarebytes, SUPERAntiSpyware and Spybot. Once everything that came up was cleaned, I ran the ESET online scanner and it found another 7 entries, which I removed. So far so good. I rebooted, into safe mode again, ran everything again, and it all came out clean. No entries, no infection. On booting normally, the "virus detected" messages again.

      Back to the start, safe mode, etc. etc. All clean. I switch online antivirus, try Panda's, and it gives me an entry inside the windows/installer folder saying that services.exe is infected with sirefefP. OK, I search around here, run TDSSKiller, reboot, and more of the same. I search on Panda's site and run two utilities: 1st yorkit.exe, supposedly a tool specific to this virus. It doesn't work. 2nd I run Panda Cloud Cleaner, which detects 3 infections, sirefefp and sirefef2, and says it has cleaned them; I reboot, run it again and they're still there.

      I decided to run ComboFix, ran it, looked at the log, and honestly I don't see anything in there; I don't know whether it's that I don't know how to read it, or that nothing shows up, or what. Let's see if someone can give me a hand, because from what I've seen the only thing left for me is to format the PC.

      Regards.

    2. #2
      @Javier_HF (General Moderator)
      Registered: Jun 2006
      Location: Spain
      Posts: 21,711

      Re: Sirefefp-sirefef2 impossible to remove

      Hi kores.

      Attention!! Do not use ComboFix unless you have been specifically told to in your thread by a member of our Staff. It is a powerful tool intended by its author to be used under the guidance and supervision of an expert, not for private use. Using ComboFix incorrectly could cause problems on your system. Please read ComboFix's "Disclaimer of Warranty".
      I see we don't pay much attention to the instructions we give about ComboFix.

      Now post the ComboFix report, which you can find at >> C:\ComboFix.txt.

      Regards.
      Those who don't try don't succeed | ;-)

      * Follow us on our Twitter and become our friend on Facebook.
      * Stay informed about the latest threats on the net at: InfoSpyware Blog
      * Questions are not answered by PM or e-mail, since that is what the forum is for.

    3. #3
      kores (User)
      Registered: Jul 2008
      Location: Pamplona
      Posts: 20

      Re: Sirefefp-sirefef2 impossible to remove

      Here it goes



      ComboFix 13-03-14.02 - David-BASA 15/03/2013 12:43:30.1.4 - x64 NETWORK
      Microsoft Windows 7 Home Premium 6.1.7600.0.1252.34.3082.18.3958.2626 [GMT 1:00]
      Running from: c:\users\David-BASA\Desktop\ComboFix.exe
      AV: Panda Internet Security 2010 *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
      SP: Panda Internet Security 2010 *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
      SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      * Created a new restore point
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\windows\Installer\{a1421fab-bd35-cfbe-a431-336e8aa8c766}\@
      c:\windows\Installer\{a1421fab-bd35-cfbe-a431-336e8aa8c766}\U\00000001.@
      c:\windows\Installer\{a1421fab-bd35-cfbe-a431-336e8aa8c766}\U\80000000.@
      c:\windows\Installer\{a1421fab-bd35-cfbe-a431-336e8aa8c766}\U\800000cb.@
      .
      c:\windows\system32\services.exe . . . is infected!!
      .
      .
      ((((((((((((((((((((((((( Files Created from 2013-02-15 to 2013-03-15 )))))))))))))))))))))))))))))))
      .
      .
      2013-03-15 08:44 . 2011-12-12 12:19 37128 ----a-w- c:\windows\system32\drivers\PsBoot.sys
      2013-03-15 08:40 . 2011-03-10 17:05 57928 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
      2013-03-15 01:56 . 2013-03-15 01:56 -------- d-----w- c:\users\David-BASA\AppData\Roaming\SUPERAntiSpyware.com
      2013-03-15 01:56 . 2013-03-15 01:56 -------- d-----w- c:\program files\SUPERAntiSpyware
      2013-03-15 01:54 . 2013-03-15 01:54 -------- d-----w- c:\program files (x86)\123
      2013-03-15 01:54 . 2012-12-14 15:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
      2013-03-14 13:31 . 2013-03-14 13:31 -------- d-----w- c:\program files (x86)\ESET
      2013-03-13 12:34 . 2013-03-13 12:34 -------- d-----w- c:\users\David-BASA\AppData\Local\Programs
      2013-03-12 16:15 . 2013-03-12 16:15 -------- d-----w- C:\HP Universal Print Driver PCL6 v5.0.1
      2013-03-04 10:55 . 2013-03-04 10:55 -------- d-----w- c:\users\David-BASA\AppData\Local\HP
      2013-02-27 16:23 . 2013-02-28 07:10 -------- d--h--w- c:\users\David-BASA\AppData\Roaming\5BCF6F02
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2013-03-13 13:33 . 2012-10-25 09:15 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
      2013-03-13 13:33 . 2012-10-25 09:15 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
      2013-03-11 16:34 . 2012-11-26 16:13 6560 ----a-w- c:\programdata\NanoRepository.bin
      .
      .
      ------- Sigcheck -------
      Note: Unsigned files aren't necessarily malware.
      .
      [7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
      [-] 2009-07-14 . 014A9CB92514E27C0107614DF764BC06 . 328704 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
      @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 129272 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
      @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 129272 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
      @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 129272 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
      "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
      "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-05 39408]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
      "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-08 98304]
      "SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-08-12 352256]
      "KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-01-13 34088]
      "TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-21 2454840]
      "APVXDWIN"="c:\program files (x86)\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE" [2009-09-25 906496]
      "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
      "PSUAMain"="c:\program files (x86)\Panda Security\WAC\PSUAMain.exe" [2012-09-20 37152]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
      "GrpConv"="grpconv -o" [X]
      .
      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "TOSHIBA Online Product Information"="c:\program files (x86)\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
      .
      c:\users\David-BASA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      Dropbox.lnk - c:\users\David-BASA\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
      .
      c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "ConsentPromptBehaviorAdmin"= 5 (0x5)
      "ConsentPromptBehaviorUser"= 3 (0x3)
      "EnableUIADesktopToggle"= 0 (0x0)
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
      @=""
      .
      R0 916cc3d4ebcd9a86;syshost.exe;c:\windows\\SystemRoot\System32\Drivers\916cc3d4ebcd9a86.sys [x]
      R0 pavboot;Panda Boot Driver;c:\windows\system32\drivers\pavboot64.sys [2009-06-30 33800]
      R0 PSINDvct;Device control Driver;c:\windows\system32\DRIVERS\PSINDvct.sys [2012-09-11 50656]
      R1 NNSALPC;NNSALPC;c:\windows\system32\DRIVERS\NNSAlpc.sys [2012-09-18 127016]
      R1 NNSHTTP;NNSHTTP;c:\windows\system32\DRIVERS\NNSHttp.sys [2012-09-18 136232]
      R1 NNSIDS;NNSIDS;c:\windows\system32\DRIVERS\NNSIds.sys [2012-09-18 154152]
      R1 NNSPICC;NNSPICC;c:\windows\system32\DRIVERS\NNSPicc.sys [2012-09-18 134696]
      R1 NNSPIHSW;NNSPIHSW;c:\windows\system32\DRIVERS\NNSPihsw.sys [2012-09-18 83496]
      R1 NNSPOP3;NNSPOP3;c:\windows\system32\DRIVERS\NNSPop3.sys [2012-09-18 139304]
      R1 NNSPROT;NNSPROT;c:\windows\system32\DRIVERS\NNSProt.sys [2012-09-18 397864]
      R1 NNSPRV;NNSPRV;c:\windows\system32\DRIVERS\NNSPrv.sys [2012-09-18 150568]
      R1 NNSSMTP;NNSSMTP;c:\windows\system32\DRIVERS\NNSSmtp.sys [2012-09-18 135208]
      R1 NNSSTRM;NNSSTRM;c:\windows\system32\DRIVERS\NNSStrm.sys [2012-09-18 290344]
      R1 NNSTLSC;NNSTLSC;c:\windows\system32\DRIVERS\NNSTlsc.sys [2012-09-27 105000]
      R1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2012-09-20 205352]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
      R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-09-08 202752]
      R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-10-27 252784]
      R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
      R2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
      R2 dvctprov;dvctprov;c:\windows\system32\DRIVERS\dvctprov.sys [2012-09-11 105776]
      R2 NanoServiceMain;Endpoint Protection Service;c:\program files (x86)\Panda Security\WAC\PSANHost.exe [2012-09-20 140064]
      R2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2012-09-20 168488]
      R2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2012-09-20 120872]
      R2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2012-09-20 124456]
      R2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2012-09-20 134184]
      R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2009-10-15 116104]
      R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-09-28 251760]
      R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-09-30 2314240]
      R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-06-25 112896]
      R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
      R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
      R3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 35008]
      R3 Prot6Flt;Prot6Flt;c:\windows\system32\DRIVERS\Prot6Flt.sys [x]
      R3 PSKMAD;PSKMAD;c:\windows\system32\DRIVERS\PSKMAD.sys [2011-03-10 57928]
      R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-22 225280]
      R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-10-02 946688]
      R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
      R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
      R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
      R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
      R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-05 137560]
      R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-11-10 824688]
      R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
      R4 PSUAService;Panda Product Service;c:\program files (x86)\Panda Security\WAC\PSUAService.exe [2012-09-20 36640]
      R4 WAHost;Panda Endpoint Administration Agent;c:\program files (x86)\Panda Security\WaAgent\WAHost\WAHost.exe [2012-12-07 558368]
      S0 PsBoot;Panda boot driver;c:\windows\system32\Drivers\PsBoot.sys [2011-12-12 37128]
      S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-07-24 482384]
      S1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;c:\windows\system32\DRIVERS\NNSNAHSL.sys [2012-07-16 33320]
      S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
      S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
      S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-19 14472]
      S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
      S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-11-05 291328]
      .
      .
      --- Other Services/Drivers In Memory ---
      .
      *NewlyCreated* - WS2IFSL
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
      hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
      .
      [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
      2013-03-15 08:43 1629648 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2013-03-14 c:\windows\Tasks\Adobe Flash Player Updater.job
      - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-25 13:33]
      .
      2013-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 06:26]
      .
      2013-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 06:26]
      .
      .
      --------- X64 Entries -----------
      .
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
      @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 162552 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
      @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 162552 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
      @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 162552 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
      @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
      [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
      2012-11-13 23:32 162552 ----a-w- c:\users\David-BASA\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
      "Toshiba TEMPRO"="c:\program files (x86)\Toshiba TEMPRO\TemproTray.exe" [2009-10-15 1050000]
      "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
      "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaReminder.exe" [2009-08-25 134032]
      "HP Color LaserJet CM2320 MFP Series Fax"="c:\program files (x86)\HP\HP Color LaserJet CM2320 MFP Series\hppfaxprintersrv.exe" [2009-09-22 3700736]
      .
      ------- Supplementary Scan -------
      .
      uLocal Page = c:\windows\system32\blank.htm
      uStart Page = hxxp://www.google.es/
      mLocal Page = c:\windows\SysWOW64\blank.htm
      uInternet Settings,ProxyOverride = *.local
      IE: E&xportar a Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
      TCP: Interfaces\{2146FFB9-71D9-43EF-8498-6A98F66B43E3}: NameServer = 80.58.61.250,80.58.61.254
      DPF: {2DAB6EF1-66C3-427C-87CD-8DC448C47EAE} - hxxps://www5.aeat.es/es13/h/tgvicab.cab
      DPF: {947B00D2-962D-4A35-9E48-98EE6A442B41} - hxxps://www1.agenciatributaria.gob.es/ADUA/internet/aded1503.cab
      DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} - hxxps://www1.agenciatributaria.gob.es/es13/h/cactivex.cab
      .
      - - - - ORPHANS REMOVED - - - -
      .
      Wow6432Node-HKLM-Run-<NO NAME> - (no file)
      Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)
      SafeBoot-mcmscsvc
      SafeBoot-MCODS
      WebBrowser-{977AE9CC-AF83-45E8-9E03-E2798216E2D5} - (no file)
      HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
      HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
      HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
      HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
      HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
      HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
      HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
      HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
      HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
      HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
      .
      .
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker5"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
      @Denied: (A 2) (Everyone)
      @="Shockwave Flash Object"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
      "ThreadingModel"="Apartment"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
      @="0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
      @="ShockwaveFlash.ShockwaveFlash.11"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
      @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
      @="1.0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      @="ShockwaveFlash.ShockwaveFlash"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
      @Denied: (A 2) (Everyone)
      @="Macromedia Flash Factory Object"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
      "ThreadingModel"="Apartment"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
      @="FlashFactory.FlashFactory.1"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
      @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
      @="1.0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      @="FlashFactory.FlashFactory"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker5"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
      @Denied: (Full) (Everyone)
      .
      Completion time: 2013-03-15 12:50:27
      ComboFix-quarantined-files.txt 2013-03-15 11:50
      .
      Pre-Run: 183.666.049.024 bytes libres
      Post-Run: 183.569.940.480 bytes libres
      .
      - - End Of File - - 27E9C814FC1F2270D6ECDF1FAE9DC767

    4. #4
      @Javier_HF (General Moderator)
      Registered: Jun 2006
      Location: Spain
      Posts: 21,711

      Re: Sirefefp-sirefef2 impossible to remove

      Good, now follow these steps:

      Download >> Malwarebytes Anti-Rootkit (Beta) and unzip the contents to your desktop.

      • Open the Mbar folder and double-click the file Mbar.exe
      • In the window that appears, click "Next".
      • Click "Update", and when it finishes, "Next"
      • Now start the scan by clicking the "Scan" button
      • When it finishes, if there is an infection click "CleanUp"; if there is no infection click "Exit"

      When it is done, look in the Mbar folder, open the files mbar-log.txt and system-log.txt, copy their contents to us in your next reply and report the results.

      Regards.
      Those who don't try don't succeed | ;-)


    5. #5
      kores (User)
      Registered: Jul 2008
      Location: Pamplona
      Posts: 20

      Here goes the mbar-log

      Malwarebytes Anti-Rootkit BETA 1.01.0.1021
      Malwarebytes : Free anti-malware download

      Database version: v2013.03.18.05

      Windows 7 x64 NTFS
      Internet Explorer 8.0.7600.16385
      David-BASA :: DAVID [administrator]

      18/03/2013 9:09:48
      mbar-log-2013-03-18 (09-09-48).txt

      Scan type: Quick scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
      Scan options disabled:
      Objects scanned: 30413
      Time elapsed: 12 minute(s),

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 1
      c:\Windows\System32\services.exe (Rootkit.0Access.S) -> Delete on reboot.

      (end)

      system-log

      ---------------------------------------
      Malwarebytes Anti-Rootkit BETA 1.01.0.1021

      (c) Malwarebytes Corporation 2011-2012

      OS version: 6.1.7600 Windows 7 x64

      Account is Administrative

      Internet Explorer version: 8.0.7600.16385

      Java version: 1.6.0_14

      File system is: NTFS
      Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
      CPU speed: 2.261000 GHz
      Memory total: 4149850112, free: 2736742400

      ------------ Kernel report ------------
      03/18/2013 08:57:22
      ------------ Loaded modules -----------
      \SystemRoot\system32\ntoskrnl.exe
      \SystemRoot\system32\hal.dll
      \SystemRoot\system32\kdcom.dll
      \SystemRoot\system32\mcupdate_GenuineIntel.dll
      \SystemRoot\system32\PSHED.dll
      \SystemRoot\system32\CLFS.SYS
      \SystemRoot\system32\CI.dll
      \SystemRoot\system32\drivers\Wdf01000.sys
      \SystemRoot\system32\drivers\WDFLDR.SYS
      ----------- End -----------
      <<<1>>>
      Upper Device Name: \Device\Harddisk0\DR0
      Upper Device Object: 0xfffffa8006824060
      Upper Device Driver Name: \Driver\Disk\
      Lower Device Name: \Device\Ide\IAAStorageDevice-1\
      Lower Device Object: 0xfffffa8004980050
      Lower Device Driver Name: \Driver\iaStor\
      Driver name found: iaStor
      Initialization returned 0x0
      Load Function returned 0x0
      Downloaded database version: v2013.03.18.05
      Initializing...
      Done!
      <<<2>>>
      Device number: 0, partition: 2
      Physical Sector Size: 512
      Drive: 0, DevicePointer: 0xfffffa8006824060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      --------- Disk Stack ------
      DevicePointer: 0xfffffa8006824b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
      DevicePointer: 0xfffffa8006824060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      DevicePointer: 0xfffffa8004980050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
      ------------ End ----------
      Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
      Upper DeviceData: 0xfffff8a00d3d9750, 0xfffffa8006824060, 0xfffffa8008c13790
      Lower DeviceData: 0xfffff8a00be2a260, 0xfffffa8004980050, 0xfffffa800890c960
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Scanning directory: C:\Windows\system32\drivers...
      <<<2>>>
      Device number: 0, partition: 2
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Done!
      Drive 0
      Scanning MBR on drive 0...
      Inspecting partition table:
      MBR Signature: 55AA
      Disk Signature: A7DA3472

      Partition information:

      Partition 0 type is Other (0x27)
      Partition is ACTIVE.
      Partition starts at LBA: 2048 Numsec = 819200
      Partition file system is NTFS
      Partition is bootable

      Partition 1 type is Primary (0x7)
      Partition is NOT ACTIVE.
      Partition starts at LBA: 821248 Numsec = 488386560

      Partition 2 type is Primary (0x7)
      Partition is NOT ACTIVE.
      Partition starts at LBA: 489207808 Numsec = 487565312

      Partition 3 type is Empty (0x0)
      Partition is NOT ACTIVE.
      Partition starts at LBA: 0 Numsec = 0

      Disk Size: 500107862016 bytes
      Sector size: 512 bytes

      Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
      Done!
      Performing system, memory and registry scan...
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\BearShare_V10_es_Setup.dat" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\BearShare_V10_es_Setup.lnk" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\instance.dat" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\BearShare_V10_es_Setup.dat" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\BearShare_V10_es_Setup.lnk" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\instance.dat" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\BearShare_V10_es_Setup.dat" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\BearShare_V10_es_Setup.lnk" is compressed (flags = 1)
      Read File: File "c:\ProgramData\{1B8159AF-694B-46F6-B8A1-B76EEB7E710B}\instance.dat" is compressed (flags = 1)
      Infected: c:\Windows\System32\services.exe --> [Rootkit.0Access.S]
      Backup file found for a file c:\Windows\System32\services.exe
      Done!
      Scan finished
      Creating System Restore point...
      Could not create restore point...
      Scheduling clean up...
      <<<2>>>
      Device number: 0, partition: 2
      <<<3>>>
      Volume: C:
      File system type: NTFS
      SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
      Removal scheduling successful. System shutdown needed.
      =======================================


      ---------------------------------------
      Malwarebytes Anti-Rootkit BETA 1.01.0.1021

      (c) Malwarebytes Corporation 2011-2012

      OS version: 6.1.7600 Windows 7 x64

      Account is Administrative

      Internet Explorer version: 8.0.7600.16385

      Java version: 1.6.0_14

      File system is: NTFS
      Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
      CPU speed: 2.261000 GHz
      Memory total: 4149850112, free: 3121799168

      Removal queue found; removal started
      Removal finished
      =======================================

      I was able to delete the files with Unlocker, the ones that showed up in the c:/windows/installer folder, but I couldn't do anything about the process. I'm going to run the scans and let you know; according to this it says it has been removed. I'll tell you shortly. Thanks for the help.

      ********************************************


      Well, in principle everything is perfect. This last utility wiped out what was left. Thank you very much and regards.
      Last edited by @Javier_HF on: 18/03/13 at 14:19:02 Reason: Merge messages.
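The partition table in the log above, parsed as an added example (not code from this thread or from Malwarebytes): it recomputes which sector ranges no partition claims, the space a rootkit can use outside any file system and the reason the tool scans unpartitioned sectors. The trimmed sample log, the function names and the regexes are mine and follow the log format shown above.

```python
"""Parse the partition-table section of a Malwarebytes Anti-Rootkit log
and list the sector ranges no partition claims (added example)."""
import re

# Constructed sample: the partition section of the log above, trimmed.
SAMPLE_LOG = """\
MBR Signature: 55AA
Partition 0 type is Other (0x27)
Partition starts at LBA: 2048 Numsec = 819200
Partition 1 type is Primary (0x7)
Partition starts at LBA: 821248 Numsec = 488386560
Partition 2 type is Primary (0x7)
Partition starts at LBA: 489207808 Numsec = 487565312
Partition 3 type is Empty (0x0)
Partition starts at LBA: 0 Numsec = 0
Disk Size: 500107862016 bytes
Sector size: 512 bytes
"""

PART_RE = re.compile(r"Partition (\d+) type is (\w+) \(0x([0-9A-Fa-f]+)\)")
LBA_RE = re.compile(r"Partition starts at LBA: (\d+) Numsec = (\d+)")

def parse_partition_table(text):
    """Return (partitions, total_sectors, mbr_signature_ok); empty slots
    (type 0x0) are dropped, the rest carry index, type, start and count."""
    mbr_ok = "MBR Signature: 55AA" in text
    size_b = int(re.search(r"Disk Size: (\d+) bytes", text).group(1))
    sector = int(re.search(r"Sector size: (\d+) bytes", text).group(1))
    parts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = PART_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "type": int(m.group(3), 16)}
            continue
        m = LBA_RE.match(line)
        if m and current is not None:
            current["start"], current["count"] = int(m.group(1)), int(m.group(2))
            if current["type"] != 0:
                parts.append(current)
            current = None
    return parts, size_b // sector, mbr_ok

def unpartitioned_ranges(parts, total_sectors):
    """Half-open [start, end) sector ranges owned by no partition.
    Sector 0 holds the MBR itself and is left out, as in the log."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps
```

The 1-2047 range matches what the log scans before the first partition; at the end of the disk the log scans from 976753168, a wider tail than the 48 sectors the table itself leaves unclaimed.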

    6. #6
      General Moderator
      Avatar of @Javier_HF
      Joined
      Jun 2006
      Location
      Spain.
      Posts
      21,711

      Re: Sirefefp-sirefef2 impossible to remove

      Before finishing, carry out this step:

      1.- Open Notepad
      • On Windows XP
        Go to Start >> select Run >> type Notepad.

      • On Windows Vista and/or Windows 7
        Go to Start >> All Programs >> Accessories >> select Run >> type Notepad.


      2.-
      Now copy and paste the information inside the following box into Notepad.

      Note: the word "Code:" is NOT copied.
      Code:
      KillAll::
      ClearJavaCache::
      Driver::
      916cc3d4ebcd9a86
      File::
      c:\windows\\SystemRoot\System32\Drivers\916cc3d4ebcd9a86.sys
      Reglock::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

      3.-
      Save this file with the name CFScript.txt on the Desktop.

      4.- Drag and drop the CFScript.txt file onto the ComboFix.exe file as the animation below shows. This will start ComboFix again.
      Before using the CFScript....
      Upload the new ComboFix report for us and tell us how your computer is running.

      Regards, Javier.
      Those who don't try don't succeed | ;-)

      * Follow us on our Twitter and friend us on Facebook.
      * Keep up with the latest threats on the net at: InfoSpyware Blog
      * Questions are not answered by private message or e-mail, since that is what the forum is for.