Another infection, this time it started with a program called Digital Protection. This computer had several infections, and the owner believes several got in through a torrent he downloaded and the rest through Internet Explorer. I was able to remove it by looking for odd entries with HijackThis, then in Safe Mode I brought over the updated file from malwarebytes.org, rules.ref, and scanned in Safe Mode. The username has been changed to XX in the log for privacy reasons.
Malwarebytes' Anti-Malware 1.46
Database version: 4052
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11
5/3/2010 9:30:12 PM
mbam-log-2010-05-03 (21-30-12).txt
Scan type: Quick scan
Objects scanned: 136109
Time elapsed: 7 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 12
Registry Data Items Infected: 10
Folders Infected: 13
Files Infected: 96
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Documents and Settings\XX\Local Settings\Application Data\Windows Server\erfzjf.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{e398aa09-5ebc-4c11-9ba6-2839e24333ca} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{061a47f1-2824-4530-a56e-aae5ceb0db87} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{235929f5-0da2-47a6-9a61-0a04f0f98626} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{4b78647e-4999-49b0-a6c3-01d1fda18830} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{5054c24e-f55a-42ac-b4b4-6f02c7d95f8b} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{5bd0230c-b859-4727-9b71-281da08a604c} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{65cf3732-3a5c-441e-9538-9ec8144ae84a} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{9e926b27-6b24-4d56-b2f2-e14f50d19fa7} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{fcfc4f42-4fd6-4805-9414-435a15f19bb5} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) ->
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) ->
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) ->
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) ->
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) ->
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) ->
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) ->
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) ->
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iaanotif (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmxlauncher (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logitech hardware abstraction layer (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logitechcommunicationsmanager (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logitechquickcamribbon (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\applesyncnotifier (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe reader speed launcher (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe arm (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) ->
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64ed4e10-c580-4c0a-950a-87c1ff46bedd}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a293223-ff22-4e5d-83b5-e97daa827f7a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->
Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) ->
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) ->
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.2.0 (Adware.SmartAds) ->
C:\Documents and Settings\XX\Application Data\ezLife (Adware.EzLife) ->
C:\Documents and Settings\XX\Application Data\ezLife\ezLife (Adware.EzLife) ->
C:\Program Files\ezLife (Adware.EzLife) ->
C:\Program Files\ezLife\ezLife (Adware.EzLife) ->
C:\Program Files\ezLife\ezLife\1.5.2.0 (Adware.EzLife) ->
C:\Program Files\Digital Protection (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection (Rogue.DigitalProtection) ->
C:\WINDOWS\PRAGMAstspqqhevb (Trojan.DNSChanger) ->
C:\Documents and Settings\XX\Application Data\APManager (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages (Rogue.APManager) ->
Files Infected:
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Trojan.Downloader) ->
C:\Program Files\Dell\Media Experience\DMXLauncher.exe (Trojan.Downloader) ->
C:\WINDOWS\system32\lbtwiz.exe (Trojan.Downloader) ->
C:\WINDOWS\system32\khalmnpr.exe (Trojan.Downloader) ->
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Trojan.Downloader) ->
C:\Program Files\Logitech\QuickCam\quickcam.exe (Trojan.Downloader) ->
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Trojan.Downloader) ->
C:\Program Files\Java\jre6\bin\jusched.exe (Trojan.Downloader) ->
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Downloader) ->
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Trojan.Downloader) ->
C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe (Trojan.Downloader) ->
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) ->
C:\Program Files\Mozilla Firefox\Components\ffxShot.dll (Adware.Adrotator) ->
C:\WINDOWS\system32\ezeiaozabctbd.dll (Adware.IEhlpr) ->
C:\WINDOWS\system32\gwjllcugnixibt.exe (Adware.Adrotator) ->
C:\WINDOWS\system32\khalmnpr .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\lbtwiz .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\net.net (Trojan.Downloader) ->
C:\WINDOWS\system32\nwiz .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\nwiz.exe (Trojan.Downloader) ->
C:\WINDOWS\system32\stsystra .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\tkzbxyid.dll (Trojan.BHO) ->
C:\WINDOWS\system32\v8lpcw2.dll (Trojan.Ertfor) ->
C:\Documents and Settings\XX\Local Settings\Temp\geurge.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temp\vcf .exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temp\wmpscfgs.exe (Trojan.Downloader) ->
C:\WINDOWS\Temp\0000195b.sys (Trojan.Alureon) ->
C:\WINDOWS\Temp\wmpscfgs.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\khalmnpr.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\lbtwiz.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\nwiz.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\rundll32 .exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\rundll32.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\7ERZ7WEN\stpee9b6[1].exe (Trojan.Hiloti) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\Q3IM6GD2\load[1].exe (Trojan.Dropper) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\Q3IM6GD2\stp916d2[1].exe (Trojan.FraudTool) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\Z2KL4T7U\rvqxfn[1].htm (Trojan.Downloader) ->
C:\WINDOWS\skecodlT.dll (Trojan.Hiloti) ->
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000e20.tmp (Rootkit.TDSS) ->
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000648d.tmp (Rootkit.TDSS) ->
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.2.0\uninstall.exe (Adware.SmartAds) ->
C:\Documents and Settings\XX\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) ->
C:\Program Files\ezLife\ezLife\1.5.2.0\uninstall.exe (Adware.EzLife) ->
C:\Program Files\Digital Protection\about.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\activate.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\buy.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\dig.db (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\digext.dll (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\dighook.dll (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\digprot.exe (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\help.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\scan.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\settings.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\splash.mp3 (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\Uninstall.exe (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\update.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\virus.mp3 (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\About.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Activate.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Buy.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Digital Protection.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Scan.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Settings.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Update.lnk (Rogue.DigitalProtection) ->
C:\WINDOWS\PRAGMAstspqqhevb\PRAGMAcfg.ini (Trojan.DNSChanger) ->
C:\Documents and Settings\XX\Application Data\APManager\apmanager.exe (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\files (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\iplog (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\settings.ini (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\uninstall.exe (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\wallpaper.jpg (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Czech.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Danish.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Dutch.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\English.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\French.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\German.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Italian.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Portuguese.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Slovak.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Spanish.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\template.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Desktop\AP Manager.lnk (Rogue.APManager) ->
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) ->
C:\WINDOWS\Temp\pragmamainqt.dll (Rootkit.TDSS) ->
C:\Documents and Settings\XX\Application Data\Microsoft\Internet Explorer\Quick Launch\Digital Protection.LNK (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Desktop\Digital Protection.LNK (Rogue.DigitalProtection) ->
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) ->
C:\Program Files\Mozilla Firefox\components\nsFFxSHot.xpt (Adware.Adrotator) ->
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temp\svchost.exe (Trojan.Agent) ->
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) ->
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) ->
C:\Documents and Settings\XX\Local Settings\Application Data\Windows Server\erfzjf.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\XX\Desktop\explorer.com (Heuristics.Reserved.Word.Exploit) ->
Digital Protection virus infection
- LeThe
- Site Admin
- Posts: 7048
- Joined: Fri Jun 15, 2007 5:11 pm
- Location: Florida, United States
- Contact:
Ing. Joshua Marius
Windows 11 Pro x64 25H2
AMD Ryzen 9 7950X3D
ASRock B650M Pro RS WiFi
Crucial P3 4TB PCIe CT4000P3SSD8
Crucial DDR5 Pro 32 GB DDR5-5600
NVIDIA GeForce RTX 4060
www.digitaljoshua.com
www.youtube.com/joshuamarius
Re: Digital Protection
Thanks for sharing. Just out of curiosity, what antivirus did he have?
Another question: I see that in many infections Adobe is the most affected; would there be any way to keep it from getting infected?
One should not always start with the primary notion of the things being studied,
but with whatever can make learning easier.
- LeThe
- Site Admin
- Posts: 7048
- Joined: Fri Jun 15, 2007 5:11 pm
- Location: Florida, United States
- Contact:
Re: Digital Protection
Good question. From what could be observed, he only had ThreatFire, which was disabled, so he then tried to install AVAST Free.
Ing. Joshua Marius
Windows 11 Pro x64 25H2
AMD Ryzen 9 7950X3D
ASRock B650M Pro RS WiFi
Crucial P3 4TB PCIe CT4000P3SSD8
Crucial DDR5 Pro 32 GB DDR5-5600
NVIDIA GeForce RTX 4060
www.digitaljoshua.com
www.youtube.com/joshuamarius