Infection with Security Tool

Learn and share how to fight malicious objects in computing.
LeThe
Site Admin
Posts: 7046
Joined: Fri Jun 15, 2007 5:11 pm
Location: Florida, United States

Infection with Security Tool

Post by LeThe »

This one was a real challenge to remove. It had completely taken over Windows XP:
- Task Manager could not be run.
- No .exe file could be run.
- Regedit.exe could not be run and .reg files could not be merged.
- Trying to enter Safe Mode gave a blue screen.

I managed to remove it by booting Hiren's Boot CD into Mini Windows XP and running Avira Free. It gave me the option to update and then scan and delete all the infected files. With this type of infection it is a good idea to create an image, because many times, when you remove a virus that is already integrated into the system, Windows can get damaged and you can no longer boot into it. I created an image of the disk in case I had to restore and start over with another method to remove the virus.

After Avira, I was able to get into Windows without the infection active, where I ran Malwarebytes Anti-Malware, which finished cleaning the whole disk.
Although I did not use it because it did not work for me, here is an article that explains how to remove this virus: http://www.howtogeek.com/howto/9505/how-to-rem ... s-malware/

Avira log:

ALERT: [TR/Dropper.Gen] C:\Documents and Settings\All Users\Application Data\63275225\63275225.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dldr.FraudLoad.doe] C:\Documents and Settings\All Users\Application Data\AV1\AV1i.exe <<< Is the Trojan horse TR/Dldr.FraudLoad.doe [deleted]
ALERT: [TR/Fake.Antivirus.2010.I] C:\Documents and Settings\All Users\Application Data\AV1\AV1i2.exe <<< Is the Trojan horse TR/Fake.Antivirus.2010.I [deleted]
ALERT: [TR/ATRAPS.Gen2] C:\Documents and Settings\All Users\Application Data\AV1\svchost.exe <<< Is the Trojan horse TR/ATRAPS.Gen2 [deleted]
ALERT: [PHISH/Fraud.SecurityCenter.BP] C:\Documents and Settings\All Users\Application Data\gav\gav.exe <<< Contains signature of Phish-Datei/Email PHISH/Fraud.SecurityCenter.BP [deleted]
ALERT: [DR/Fraud.SecurityCenter.BP] C:\Documents and Settings\All Users\Application Data\gav\GAVBi.exe <<< Contains signature of the dropper DR/Fraud.SecurityCenter.BP [deleted]
ALERT: [TR/BHO.xwz] C:\Documents and Settings\All Users\Application Data\gav\QWProtect.vir <<< Is the Trojan horse TR/BHO.xwz [deleted]
ALERT: [TR/Dropper.Gen] C:\Documents and Settings\All Users\Application Data\gav\wsdt05.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\LocalService\ntuser.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [HEUR/HTML.Malware] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\41QF81YZ\downloader[1].vbs <<< Contains suspicious code HEUR/HTML.Malware [deleted]
ALERT: [JS/Gord.A.1] C:\Documents and Settings\usuario\Local Settings\Application Data\{DC0C9925-39E4-48E9-B993-1FCC6004D562}\chrome\content\overlay.xul <<< Contains signature of the Java script virus JS/Gord.A.1 [deleted]
ALERT: [TR/Spy.300556] C:\Documents and Settings\usuario\Local Settings\Temp\12397617220.exe <<< Is the Trojan horse TR/Spy.300556 [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\1642668126.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\2737889784.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\307376836.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\3599827382.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\4246719132.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\646585506.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [HTML/Malicious.PDF.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\Acr25.tmp <<< Contains signature of the HTML script virus HTML/Malicious.PDF.Gen [deleted]
ALERT: [HTML/Malicious.PDF.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\Acr329.tmp <<< Contains signature of the HTML script virus HTML/Malicious.PDF.Gen [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\debug.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\installb[1].com <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\install[1].exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\lsass.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Dldr.FraudLo.sxm] C:\Documents and Settings\usuario\Local Settings\Temp\msupd_2.exe <<< Is the Trojan horse TR/Dldr.FraudLo.sxm [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\notepad.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\pixiq8b.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\Local Settings\Temp\rundll32.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\smss.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\win16.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\y7lc0za3.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dldr.Agent.vzm] C:\Documents and Settings\usuario\Local Settings\Temp\~TM2B.tmp <<< Is the Trojan horse TR/Dldr.Agent.vzm [deleted]
ALERT: [TR/ATRAPS.Gen2] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\0L8VAVAD\svchost[1].exe <<< Is the Trojan horse TR/ATRAPS.Gen2 [deleted]
ALERT: [TR/Crypt.XPACK.Gen2] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\6Q46TNB0\SetupAdvancedVirusRemover[1].exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [deleted]
ALERT: [TR/Spy.Gen] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\73KYLSSO\dfghfghgfj[1].dll <<< Is the Trojan horse TR/Spy.Gen [deleted]
ALERT: [TR/FakeAV.1172480] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\B5NS7IYM\SetupAdvancedVirusRemover[1].exe <<< Is the Trojan horse TR/FakeAV.1172480 [deleted]
ALERT: [TR/Crypt.XPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\P5S8OY1V\dfghfghgfj[1].dll <<< Is the Trojan horse TR/Crypt.XPACK.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545425-shone florida.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545427-birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545427-orange & blue everything.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545427-rock star lil wayne juelz.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3615672-dope boy money.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-5745425-heart revolver.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\T-3615672-dope boy money.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\heart revolver lil wayne.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\heart revolver.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\orange & blue everything.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\rock star lil wayne juelz.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\rock star lil wayne juelz.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\shone florida.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\what them girls like.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\heart revolver lil wayne.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\heart revolver.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\orange & blue everything.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\rock star lil wayne juelz.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\rock star lil wayne juelz.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\shone florida.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\what them girls like.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\ntuser.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\Start Menu\Programs\Startup\scandisk.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/ExeDot.FH] C:\Program Files\Common\helper.dll <<< Is the Trojan horse TR/ExeDot.FH [deleted]
ALERT: [TR/ExeDot.FI] C:\Program Files\Common\_helper.dll <<< Is the Trojan horse TR/ExeDot.FI [deleted]
ALERT: [HEUR/HTML.Malware] C:\Program Files\Norton PC Checkup\downloader.vbs <<< Contains suspicious code HEUR/HTML.Malware [deleted]
ALERT: [HEUR/HTML.Malware] C:\Program Files\Norton PC Checkup\executables\productScanner\downloader.vbs <<< Contains suspicious code HEUR/HTML.Malware [deleted]
ALERT: [TR/ExeDot.YY] C:\Program Files\Shared\lib.dll <<< Is the Trojan horse TR/ExeDot.YY [deleted]
ALERT: [DR/HTML.Fraud.T.1] C:\Program Files\Windows Police Pro\Windows Police Pro.exe <<< Contains signature of the dropper DR/HTML.Fraud.T.1 [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\braviax.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Hiloti.50688A.1] C:\WINDOWS\cdiecsvm.dll <<< Is the Trojan horse TR/Hiloti.50688A.1 [deleted]
ALERT: [TR/Crypt.XPACK.Gen] C:\WINDOWS\cru629.dat <<< Is the Trojan horse TR/Crypt.XPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen2] C:\WINDOWS\eqafaneroko.dll <<< Is the Trojan horse TR/Crypt.ZPACK.Gen2 [deleted]
ALERT: [TR/PCK.Krap.AH.13] C:\WINDOWS\system32\ad1race23.dll <<< Is the Trojan horse TR/PCK.Krap.AH.13 [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\braviax.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\butugagu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\WINDOWS\system32\calc.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4T2JSHMB\logo[1].htm <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dldr.FraudLoa.WD] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4T2JSHMB\logo[2].htm <<< Is the Trojan horse TR/Dldr.FraudLoa.WD [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4T2JSHMB\logo[3].htm <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [HTML/FakeAV.741] C:\WINDOWS\system32\critical_warning.html <<< Contains signature of the HTML script virus HTML/FakeAV.741 [deleted]
ALERT: [TR/Crypt.XPACK.Gen] C:\WINDOWS\system32\cru629.dat <<< Is the Trojan horse TR/Crypt.XPACK.Gen [deleted]
ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\dllcache\beep.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]
ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\dllcache\figaro.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]
ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\drivers\beep.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\dukareyo.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\durunora.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [DR/Agent.X.50] C:\WINDOWS\system32\fefizidu.exe <<< Contains signature of the dropper DR/Agent.X.50 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\gukejibu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/BHO.9216] C:\WINDOWS\system32\iehelper.dll <<< Is the Trojan horse TR/BHO.9216 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\jekatuji.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\jelulede.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\system32\kezuroha.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Scar.zmi.3] C:\WINDOWS\system32\kipavapi.exe <<< Is the Trojan horse TR/Scar.zmi.3 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\kuweyohi.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\lebihumu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\legidonu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\system32\mcenspc.dll <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\memurisu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Spy.Gen] C:\WINDOWS\system32\mst120.dll <<< Is the Trojan horse TR/Spy.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\system32\pafusiri.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dldr.FraudLoa.WD] C:\WINDOWS\system32\pekiboba.dll <<< Is the Trojan horse TR/Dldr.FraudLoa.WD [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\peyehebe.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\pumejigo.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Vundo.Gen2] C:\WINDOWS\system32\ruhegozi.dll <<< Is the Trojan horse TR/Vundo.Gen2 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\suluyeba.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dldr.FraudLoa.WD] C:\WINDOWS\system32\tosilihu.dll <<< Is the Trojan horse TR/Dldr.FraudLoa.WD [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\vunakifa.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dldr.Agent.vzm] C:\WINDOWS\system32\wbem\proquota.exe <<< Is the Trojan horse TR/Dldr.Agent.vzm [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\winupdate.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dldr.FraudLo.sxm] C:\WINDOWS\system32\wisdstr.exe <<< Is the Trojan horse TR/Dldr.FraudLo.sxm [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\yunizapa.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\~.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\Temp\2466730626.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\Temp\658390430.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\drweb.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\login.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\services.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\smss.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\taskmgr.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\user.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
Ing. Joshua Marius
Windows 10 Pro x64 20H2
Intel Core i7-3770K, 4.5 Ghz
ASUS P8Z68-V LX
Disk 1: Samsung SSD 850 EVO 500 GB
RAID 1: Seagate ST3000DM001 3TB
CORSAIR Vengeance 16 GB DDR3 1600
NVIDIA GeForce GTX 1060
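A triage of the Avira log above, added here as an example; it is not part of LeThe's post and not Avira's code. Avira lists every detection with the same weight, but for deciding what still needs attention after the scan it helps to sort the findings by where they live (Startup folder, system32, driver store, profile root, All Users\Application Data versus Temp, browser cache and downloaded media) and to flag files that carry the name of a Windows core binary (svchost.exe, smss.exe, lsass.exe, taskmgr.exe) but sit outside C:\WINDOWS and C:\WINDOWS\system32. The sample lines are copied from the log; the location categories, the SYSTEM_BINARIES list and all function names are my own choices.

```python
import re
from collections import Counter

# Sample input: ALERT lines copied verbatim from the Avira log in the post above.
SAMPLE_LOG = [
    r"ALERT: [TR/Dropper.Gen] C:\Documents and Settings\All Users\Application Data\63275225\63275225.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]",
    r"ALERT: [TR/ATRAPS.Gen2] C:\Documents and Settings\All Users\Application Data\AV1\svchost.exe <<< Is the Trojan horse TR/ATRAPS.Gen2 [deleted]",
    r"ALERT: [TR/Scar.adgt] C:\Documents and Settings\LocalService\ntuser.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]",
    r"ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\lsass.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]",
    r"ALERT: [TR/ATRAPS.Gen2] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\0L8VAVAD\svchost[1].exe <<< Is the Trojan horse TR/ATRAPS.Gen2 [deleted]",
    r"ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]",
    r"ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\Start Menu\Programs\Startup\scandisk.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]",
    r"ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\butugagu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]",
    r"ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\drivers\beep.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]",
    r"ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\smss.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]",
    r"ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\taskmgr.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]",
]

# Shape of an Avira ALERT line: "ALERT: [signature] path <<< description [action]"
ALERT_RE = re.compile(
    r"^ALERT:\s+\[(?P<sig>[^\]]+)\]\s+(?P<path>.+?)\s+<<<\s+(?P<desc>.+?)\s+\[(?P<action>[^\]]+)\]$"
)

# Location classes (my own categories), tested in order; the first match wins.
LOCATION_RULES = [(label, re.compile(pat, re.I)) for label, pat in [
    ("startup-folder",    r"\\Start Menu\\Programs\\Startup\\"),
    ("browser-cache",     r"\\Temporary Internet Files\\"),
    ("temp",              r"\\Temp\\"),
    ("driver-store",      r"\\system32\\(drivers|dllcache)\\"),
    ("media",             r"\.(mp3|wma|wmv|avi)$"),
    ("all-users-appdata", r"\\All Users\\Application Data\\"),
    ("profile-root",      r"^[A-Z]:\\Documents and Settings\\[^\\]+\\[^\\]+$"),
    ("windows-dir",       r"^[A-Z]:\\WINDOWS\\"),
    ("program-files",     r"^[A-Z]:\\Program Files\\"),
]]
# Locations a dropper uses to survive a reboot or logon; check these before the rest.
PERSISTENT_LOCATIONS = {"startup-folder", "driver-store", "all-users-appdata",
                        "profile-root", "windows-dir", "program-files"}

# Assumed list of core Windows binary names that malware likes to borrow.
SYSTEM_BINARIES = {"svchost.exe", "smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "taskmgr.exe", "notepad.exe", "explorer.exe", "rundll32.exe"}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_alert(line):
    """Split one ALERT line into its fields; None for anything else."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_location(path):
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def is_masquerade(path):
    """True when a core-binary name sits outside the two directories it belongs in."""
    parent, _, name = path.rpartition("\\")
    name = re.sub(r"\[\d+\]", "", name).lower()   # IE cache suffix: svchost[1].exe -> svchost.exe
    return name in SYSTEM_BINARIES and parent.lower() not in LEGIT_DIRS


def triage(lines):
    records = [r for r in map(parse_alert, lines) if r]
    locations = {r["path"]: classify_location(r["path"]) for r in records}
    return {
        "total": len(records),
        "by_location": Counter(locations.values()),
        # "TR/Crypt.ZPACK.Gen" -> "TR/Crypt": group by detection family
        "by_family": Counter(r["sig"].split(".")[0] for r in records),
        "masquerades": [r["path"] for r in records if is_masquerade(r["path"])],
        "review_first": [p for p, loc in locations.items() if loc in PERSISTENT_LOCATIONS],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("detections:", result["total"])
    print("by location:", dict(result["by_location"]))
    print("by family:", dict(result["by_family"]))
    print("masquerading as Windows binaries:", result["masquerades"])
    print("review first (persistence locations):", result["review_first"])
```

Fed the full log, the same code shows that roughly half of the 121 ALERT lines are Temp, browser-cache or LimeWire media, while the Startup folder hits, the ntuser.dll copies in the profile roots and the two beep.sys hits are the ones that matter. beep.sys was replaced both in system32\drivers and in system32\dllcache, the Windows File Protection cache that XP restores system files from, so WFP would have put the infected copy back; findings like that are what justify taking the disk image before deleting anything.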

Re: Infection with Security Tool

Post by LeThe »

Malwarebytes log

Registry Keys Detected: 24
HKCR\AppID\{29256442-2C14-48CA-B756-3EE0F8BDC774} (Rogue.AntiVirus1)
HKCR\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (Trojan.BHO)
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7} (Rogue.AntiVirus1)
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8} (Rogue.AntiVirus1)
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D} (Rogue.AntiVirus1)
HKCR\QWProtect.QWProtectBHO.1 (Rogue.AntiVirus1)
HKCR\QWProtect.QWProtectBHO (Rogue.AntiVirus1)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7} (Rogue.AntiVirus1)
HKCR\CLSID\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor)
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO)
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (Trojan.BHO)
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (Trojan.BHO)
HKCR\main.BHO.1 (Trojan.BHO)
HKCR\main.BHO (Trojan.BHO)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO)
HKCR\CLSID\{C9C42510-9B21-41c1-9DCD-8382A2D07C61} (Trojan.FakeAlert)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9C42510-9B21-41C1-9DCD-8382A2D07C61} (Trojan.FakeAlert)
HKCR\AppID\QWProtect.DLL (Rogue.AntiVirus1)
HKCU\SOFTWARE\AV1 (Trojan.Agent)
HKCU\SOFTWARE\AvScan (Trojan.FakeAlert)
HKCU\SOFTWARE\QW2010 (Rogue.AntiVirus2010)

Registry Values Detected: 21
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor) Data: gsajkfh873whdngo8wuidgs4rgfr4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor) Data:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Agent) Data: rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
HKCR\main.BHO.1\CLSID| (Adware.DeepDive) Data: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCR\main.BHO\CLSID| (Adware.DeepDive) Data: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCU\Control Panel\don't load|scui.cpl (Hijack.SecurityCenter) Data: No
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) Data: No
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General|Wallpaper (Hijack.Wallpaper) Data: %SystemRoot%\system32\critical_warning.html
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|WINID (Malware.Trace) Data: 1CA5122F420AB00
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|idstrf (Malware.Trace) Data: 1-1CA5123D4ABCEC
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) Data: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions (Hijack.FolderOptions) Data: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|system tool (Rogue.SysGuard) Data: C:\WINDOWS\sysguard.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) Data: C:\DOCUME~1\usuario\LOCALS~1\Temp\notepad.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Login Software 2009 (Trojan.Agent) Data: C:\DOCUME~1\usuario\LOCALS~1\Temp\y7lc0za3.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|inixs (Trojan.FakeAlert) Data: C:\WINDOWS\system32\minix32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winupdate.exe (Trojan.Downloader) Data: C:\WINDOWS\system32\winupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Downloader) Data: rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|63275225 (Trojan.SCTool.Gen) Data: C:\Documents and Settings\All Users\Application Data\63275225\63275225.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lomulatibi (Trojan.Vundo) Data: Rundll32.exe "kuweyohi.dll",s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|braviax (Trojan.Downloader) Data: braviax.exe

Registry Data Items Detected: 13
HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallpaper (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSetActiveDesktop (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSetActiveDesktop (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop|NoChangingWallpaper (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3249D53A-A382-4079-A035-DB05D3D15B85}|NameServer (Trojan.DNSChanger) Bad: (83.149.115.182) Good: () Quarantined and repaired successfully.

Folders Detected: 2
C:\Documents and Settings\All Users\Application Data\63275225 (Rogue.Multiple)
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro)

Files Detected: 22
C:\Program Files\Hunting Unlimited\sys\input.dll (Trojan.Downloader)
C:\Program Files\Windows Police Pro\winivsetup.exe (Rogue.WindowsPolicePro)
C:\WINDOWS\system32\najebofi.dll (Trojan.FakeAlert)
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent)
C:\Documents and Settings\All Users\Desktop\Green AV.lnk (Rogue.GreenAV)
C:\Documents and Settings\usuario\Desktop\Security Tool.lnk (Rogue.SecurityTool)
C:\Program Files\Common\_helper.sig (Malware.Trace)
C:\Program Files\Common\helper.sig (Trojan.Agent)
C:\Program Files\Shared\lib.sig (Adware.Deepdive)
C:\Documents and Settings\usuario\Start Menu\Programs\Security Tool.lnk (Rogue.SecurityTool)
C:\Documents and Settings\usuario\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader)
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader)
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover)
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert)
C:\Documents and Settings\usuario\Local Settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent)
C:\Documents and Settings\usuario\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader)
C:\Documents and Settings\usuario\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent)
C:\WINDOWS\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent)
C:\Documents and Settings\NetworkService\ntuser.dll (Trojan.Agent)
C:\WINDOWS\system32\config\systemprofile\ntuser.dll (Trojan.Agent)
C:\WINDOWS\sysguard.exe (Rogue.SysGuard)
C:\Documents and Settings\All Users\Application Data\63275225\63275225.bat (Rogue.Multiple)
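The Malwarebytes entries above account for two of the symptoms in the first post: DisableTaskMgr under Policies\System is why Task Manager would not open, and DisableRegistryTools is why regedit and .reg imports were blocked, while the Run values show how the rogue came back at every logon. The log has no entry for the blocked .exe files, so that symptom stays unexplained here. Below is an added example of mine, not part of the post and not Malwarebytes' code, that parses these line formats, pulls out the autorun commands, separates direct executables from rundll32 loaders, flags targets that carry no directory, and maps the policy, Security Center and DNS values to the symptom they cause. The sample lines are copied from the log; the SYMPTOM_MAP wording and the function names are my own.

```python
import re

# Sample input: lines copied verbatim from the Malwarebytes log in the post above.
SAMPLE_LOG = [
    r"HKCR\AppID\{29256442-2C14-48CA-B756-3EE0F8BDC774} (Rogue.AntiVirus1)",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Agent) Data: rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0",
    r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General|Wallpaper (Hijack.Wallpaper) Data: %SystemRoot%\system32\critical_warning.html",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions (Hijack.FolderOptions) Data: 1",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|system tool (Rogue.SysGuard) Data: C:\WINDOWS\sysguard.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winupdate.exe (Trojan.Downloader) Data: C:\WINDOWS\system32\winupdate.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Downloader) Data: rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0",
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lomulatibi (Trojan.Vundo) Data: Rundll32.exe "kuweyohi.dll",s',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|braviax (Trojan.Downloader) Data: braviax.exe",
    r"HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) Bad: (1) Good: (0) Quarantined and repaired successfully.",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) Bad: (1) Good: (0) Quarantined and repaired successfully.",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3249D53A-A382-4079-A035-DB05D3D15B85}|NameServer (Trojan.DNSChanger) Bad: (83.149.115.182) Good: () Quarantined and repaired successfully.",
]

# Two of the three line shapes in the log: "KEY|name (Detection) Data: ..." and
# "KEY|name (Detection) Bad: (x) Good: (y) ...". Plain key lines have no "|" and are skipped.
VALUE_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<name>.*?) \((?P<detection>[\w.]+)\) Data: ?(?P<data>.*)$")
DATA_ITEM_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<name>.*?) \((?P<detection>[\w.]+)\) "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
# "rundll32.exe <dll>,<export>"; the DLL may be quoted, as in the Vundo entry.
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)

# My own wording for what each tampered value does to the user (assumption, not
# Malwarebytes' text); the value names themselves are the ones in the log.
SYMPTOM_MAP = {
    "DisableTaskMgr": "Task Manager refuses to open",
    "DisableRegistryTools": "regedit is blocked and .reg files cannot be merged",
    "NoFolderOptions": "Folder Options is removed from Explorer",
    "Wallpaper": "desktop wallpaper replaced by an HTML 'critical warning' page",
    "AntiVirusDisableNotify": "Security Center no longer warns that antivirus is off",
    "FirewallDisableNotify": "Security Center no longer warns that the firewall is off",
    "UpdatesDisableNotify": "Security Center no longer warns about missing updates",
    "NameServer": "DNS queries go to an attacker-chosen resolver",
}


def parse_entry(line):
    """Return a dict for value and data-item lines, None for anything else."""
    line = line.strip()
    m = DATA_ITEM_RE.match(line)
    if m:
        return {"key": m["key"], "name": m["name"], "detection": m["detection"],
                "data": m["bad"], "expected": m["good"]}
    m = VALUE_RE.match(line)
    if m:
        return {"key": m["key"], "name": m["name"], "detection": m["detection"],
                "data": m["data"].strip(), "expected": None}
    return None


def autoruns(entries):
    """Autorun commands from the HK*\...\CurrentVersion\Run values."""
    found = []
    for e in entries:
        if not e["key"].lower().endswith(r"\currentversion\run"):
            continue
        m = RUNDLL_RE.match(e["data"])
        if m:
            loader, target, export = "rundll32", m["dll"], m["export"]
        else:
            loader, target, export = "direct", e["data"].strip('"'), None
        found.append({
            "value": e["name"], "detection": e["detection"], "loader": loader,
            "target": target, "export": export,
            # no drive letter: the name is resolved through the search path at logon
            "unqualified": re.match(r"^[A-Za-z]:\\", target) is None,
        })
    return found


def explained_symptoms(entries):
    """Map tampered policy, Security Center and DNS values to the symptom they cause."""
    out = {}
    for e in entries:
        text = SYMPTOM_MAP.get(e["name"])
        if text is None or e["data"] in ("", "0"):
            continue
        item = out.setdefault(e["name"], {"symptom": text, "data": e["data"], "keys": []})
        item["keys"].append(e["key"])
    return out


if __name__ == "__main__":
    entries = [e for e in map(parse_entry, SAMPLE_LOG) if e]
    for r in autoruns(entries):
        flag = " (no path: search-order dependent)" if r["unqualified"] else ""
        print(f"autorun {r['value']!r}: {r['loader']} -> {r['target']}{flag}")
    for name, s in explained_symptoms(entries).items():
        print(f"{name} = {s['data']}: {s['symptom']}")
```

PUM stands for potentially unwanted modification: these are ordinary policy values an administrator can also set through Group Policy, so on their own they only say that someone changed them, and it is the combination with the Run values and the DNSChanger resolver that points at an infection. Two of the autoruns (braviax.exe and kuweyohi.dll) carry no directory at all, so they depend on the loader's search path at logon; the Avira log above accordingly lists braviax.exe in both C:\WINDOWS and C:\WINDOWS\system32.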
paulofutre
Posts: 3708
Joined: Tue Sep 11, 2007 4:18 am
Location: MADRID

Re: Infection with Security Tool

Post by paulofutre »

...I managed to remove it by booting Hiren's Boot CD into Mini Windows XP and running Avira Free. It gave me the option to update and then scan and delete all the infected files...
I'm keeping this novel method. Very good.
Thanks for reporting it.
Regards.
Regards and ♪Forzatleti♫