Infection with Security Tool

LeThe
Site Admin
Posts: 6948
Joined: Fri Jun 15, 2007 5:11 pm
Location: Florida, United States

Infection with Security Tool

#1 Post by LeThe » Wed Feb 15, 2012 9:47 am

This one really was a challenge to remove. It had completely taken over Windows XP:
- Task Manager could not be run.
- No .exe file could be run.
- Regedit.exe could not be run, and .reg files could not be merged.
- Trying to enter Safe Mode produced a blue screen.

I managed to remove it by booting Hiren's Boot CD into Mini Windows XP and running Avira Free. It gave me the option to update, then scan and delete all the infected files. With this kind of infection it is a good idea to create an image first, because when you remove a virus that has already integrated itself into the system, Windows can end up damaged and you may not be able to boot into it again. I created an image of the disk in case I had to restore it and start over with another method to remove the virus.

After Avira, I was able to get into Windows without the infection active, where I ran Malwarebytes Anti-Malware, which finished cleaning the whole disk.
Although I did not use it, because it did not work for me, here is an article that explains how to remove this virus: http://www.howtogeek.com/howto/9505/how-to-remove-security-tool-and-other-roguefake-antivirus-malware/


Avira log:

ALERT: [TR/Dropper.Gen] C:\Documents and Settings\All Users\Application Data\63275225\63275225.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dldr.FraudLoad.doe] C:\Documents and Settings\All Users\Application Data\AV1\AV1i.exe <<< Is the Trojan horse TR/Dldr.FraudLoad.doe [deleted]
ALERT: [TR/Fake.Antivirus.2010.I] C:\Documents and Settings\All Users\Application Data\AV1\AV1i2.exe <<< Is the Trojan horse TR/Fake.Antivirus.2010.I [deleted]
ALERT: [TR/ATRAPS.Gen2] C:\Documents and Settings\All Users\Application Data\AV1\svchost.exe <<< Is the Trojan horse TR/ATRAPS.Gen2 [deleted]
ALERT: [PHISH/Fraud.SecurityCenter.BP] C:\Documents and Settings\All Users\Application Data\gav\gav.exe <<< Contains signature of Phish-Datei/Email PHISH/Fraud.SecurityCenter.BP [deleted]
ALERT: [DR/Fraud.SecurityCenter.BP] C:\Documents and Settings\All Users\Application Data\gav\GAVBi.exe <<< Contains signature of the dropper DR/Fraud.SecurityCenter.BP [deleted]
ALERT: [TR/BHO.xwz] C:\Documents and Settings\All Users\Application Data\gav\QWProtect.vir <<< Is the Trojan horse TR/BHO.xwz [deleted]
ALERT: [TR/Dropper.Gen] C:\Documents and Settings\All Users\Application Data\gav\wsdt05.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\LocalService\ntuser.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [HEUR/HTML.Malware] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\41QF81YZ\downloader[1].vbs <<< Contains suspicious code HEUR/HTML.Malware [deleted]
ALERT: [JS/Gord.A.1] C:\Documents and Settings\usuario\Local Settings\Application Data\{DC0C9925-39E4-48E9-B993-1FCC6004D562}\chrome\content\overlay.xul <<< Contains signature of the Java script virus JS/Gord.A.1 [deleted]
ALERT: [TR/Spy.300556] C:\Documents and Settings\usuario\Local Settings\Temp\12397617220.exe <<< Is the Trojan horse TR/Spy.300556 [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\1642668126.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\2737889784.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\307376836.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\3599827382.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\4246719132.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\646585506.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [HTML/Malicious.PDF.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\Acr25.tmp <<< Contains signature of the HTML script virus HTML/Malicious.PDF.Gen [deleted]
ALERT: [HTML/Malicious.PDF.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\Acr329.tmp <<< Contains signature of the HTML script virus HTML/Malicious.PDF.Gen [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\debug.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\installb[1].com <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\install[1].exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\lsass.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Dldr.FraudLo.sxm] C:\Documents and Settings\usuario\Local Settings\Temp\msupd_2.exe <<< Is the Trojan horse TR/Dldr.FraudLo.sxm [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\notepad.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\pixiq8b.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\Local Settings\Temp\rundll32.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\smss.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Dldr.Stration.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\win16.exe <<< Is the Trojan horse TR/Dldr.Stration.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temp\y7lc0za3.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dldr.Agent.vzm] C:\Documents and Settings\usuario\Local Settings\Temp\~TM2B.tmp <<< Is the Trojan horse TR/Dldr.Agent.vzm [deleted]
ALERT: [TR/ATRAPS.Gen2] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\0L8VAVAD\svchost[1].exe <<< Is the Trojan horse TR/ATRAPS.Gen2 [deleted]
ALERT: [TR/Crypt.XPACK.Gen2] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\6Q46TNB0\SetupAdvancedVirusRemover[1].exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen2 [deleted]
ALERT: [TR/Spy.Gen] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\73KYLSSO\dfghfghgfj[1].dll <<< Is the Trojan horse TR/Spy.Gen [deleted]
ALERT: [TR/FakeAV.1172480] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\B5NS7IYM\SetupAdvancedVirusRemover[1].exe <<< Is the Trojan horse TR/FakeAV.1172480 [deleted]
ALERT: [TR/Crypt.XPACK.Gen] C:\Documents and Settings\usuario\Local Settings\Temporary Internet Files\Content.IE5\P5S8OY1V\dfghfghgfj[1].dll <<< Is the Trojan horse TR/Crypt.XPACK.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545425-shone florida.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545427-birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545427-orange & blue everything.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3545427-rock star lil wayne juelz.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-3615672-dope boy money.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\Preview-T-5745425-heart revolver.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Incomplete\T-3615672-dope boy money.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\heart revolver lil wayne.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\heart revolver.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\orange & blue everything.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\rock star lil wayne juelz.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\rock star lil wayne juelz.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\shone florida.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\LimeWire\Saved\what them girls like.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\birdwalk.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\heart revolver lil wayne.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\heart revolver.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\orange & blue everything.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\rock star lil wayne juelz.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Dldr.WMA.Wimad.BG] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\rock star lil wayne juelz.wma <<< Is the Trojan horse TR/Dldr.WMA.Wimad.BG [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\shone florida.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [EXP/ASF.GetCodec.Gen] C:\Documents and Settings\usuario\My Documents\My Music\iTunes\MY MUSIC\what them girls like.mp3 <<< Contains signature of the exploits EXP/ASF.GetCodec.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\ntuser.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/Scar.adgt] C:\Documents and Settings\usuario\Start Menu\Programs\Startup\scandisk.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/ExeDot.FH] C:\Program Files\Common\helper.dll <<< Is the Trojan horse TR/ExeDot.FH [deleted]
ALERT: [TR/ExeDot.FI] C:\Program Files\Common\_helper.dll <<< Is the Trojan horse TR/ExeDot.FI [deleted]
ALERT: [HEUR/HTML.Malware] C:\Program Files\Norton PC Checkup\downloader.vbs <<< Contains suspicious code HEUR/HTML.Malware [deleted]
ALERT: [HEUR/HTML.Malware] C:\Program Files\Norton PC Checkup\executables\productScanner\downloader.vbs <<< Contains suspicious code HEUR/HTML.Malware [deleted]
ALERT: [TR/ExeDot.YY] C:\Program Files\Shared\lib.dll <<< Is the Trojan horse TR/ExeDot.YY [deleted]
ALERT: [DR/HTML.Fraud.T.1] C:\Program Files\Windows Police Pro\Windows Police Pro.exe <<< Contains signature of the dropper DR/HTML.Fraud.T.1 [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\braviax.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Hiloti.50688A.1] C:\WINDOWS\cdiecsvm.dll <<< Is the Trojan horse TR/Hiloti.50688A.1 [deleted]
ALERT: [TR/Crypt.XPACK.Gen] C:\WINDOWS\cru629.dat <<< Is the Trojan horse TR/Crypt.XPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen2] C:\WINDOWS\eqafaneroko.dll <<< Is the Trojan horse TR/Crypt.ZPACK.Gen2 [deleted]
ALERT: [TR/PCK.Krap.AH.13] C:\WINDOWS\system32\ad1race23.dll <<< Is the Trojan horse TR/PCK.Krap.AH.13 [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\braviax.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\butugagu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\WINDOWS\system32\calc.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4T2JSHMB\logo[1].htm <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dldr.FraudLoa.WD] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4T2JSHMB\logo[2].htm <<< Is the Trojan horse TR/Dldr.FraudLoa.WD [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4T2JSHMB\logo[3].htm <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Scar.adgt] C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll <<< Is the Trojan horse TR/Scar.adgt [deleted]
ALERT: [HTML/FakeAV.741] C:\WINDOWS\system32\critical_warning.html <<< Contains signature of the HTML script virus HTML/FakeAV.741 [deleted]
ALERT: [TR/Crypt.XPACK.Gen] C:\WINDOWS\system32\cru629.dat <<< Is the Trojan horse TR/Crypt.XPACK.Gen [deleted]
ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\dllcache\beep.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]
ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\dllcache\figaro.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]
ALERT: [TR/PWS.Sinowal.Gen] C:\WINDOWS\system32\drivers\beep.sys <<< Is the Trojan horse TR/PWS.Sinowal.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\dukareyo.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\durunora.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [DR/Agent.X.50] C:\WINDOWS\system32\fefizidu.exe <<< Contains signature of the dropper DR/Agent.X.50 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\gukejibu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/BHO.9216] C:\WINDOWS\system32\iehelper.dll <<< Is the Trojan horse TR/BHO.9216 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\jekatuji.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\jelulede.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\system32\kezuroha.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Scar.zmi.3] C:\WINDOWS\system32\kipavapi.exe <<< Is the Trojan horse TR/Scar.zmi.3 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\kuweyohi.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\lebihumu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\legidonu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\system32\mcenspc.dll <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\memurisu.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Spy.Gen] C:\WINDOWS\system32\mst120.dll <<< Is the Trojan horse TR/Spy.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\system32\pafusiri.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dldr.FraudLoa.WD] C:\WINDOWS\system32\pekiboba.dll <<< Is the Trojan horse TR/Dldr.FraudLoa.WD [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\peyehebe.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\pumejigo.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Vundo.Gen2] C:\WINDOWS\system32\ruhegozi.dll <<< Is the Trojan horse TR/Vundo.Gen2 [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\suluyeba.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dldr.FraudLoa.WD] C:\WINDOWS\system32\tosilihu.dll <<< Is the Trojan horse TR/Dldr.FraudLoa.WD [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\vunakifa.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Dldr.Agent.vzm] C:\WINDOWS\system32\wbem\proquota.exe <<< Is the Trojan horse TR/Dldr.Agent.vzm [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\winupdate.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dldr.FraudLo.sxm] C:\WINDOWS\system32\wisdstr.exe <<< Is the Trojan horse TR/Dldr.FraudLo.sxm [deleted]
ALERT: [TR/Vundo.Gen] C:\WINDOWS\system32\yunizapa.dll <<< Is the Trojan horse TR/Vundo.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\system32\~.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\Temp\2466730626.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Crypt.ZPACK.Gen] C:\WINDOWS\Temp\658390430.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\drweb.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\login.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\services.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\smss.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\taskmgr.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
ALERT: [TR/Dropper.Gen] C:\WINDOWS\Temp\user.exe <<< Is the Trojan horse TR/Dropper.Gen [deleted]
Ing. Joshua Marius
Windows 8.1 Enterprise x64
Intel Core i5-2500K, 3.3 GHz
ASUS P8Z68-V LX
Disk 1: Intel SSDSC2CW180A3 180 GB
RAID 1: Seagate ST3000DM001 3TB
CORSAIR Vengeance 8 GB DDR3 1600
NVIDIA GeForce GTX 670


Re: Infection with Security Tool

#2 Post by LeThe » Wed Feb 15, 2012 9:50 am

Malwarebytes log

Registry Keys Detected: 24
HKCR\AppID\{29256442-2C14-48CA-B756-3EE0F8BDC774} (Rogue.AntiVirus1)
HKCR\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (Trojan.BHO)
HKCR\CLSID\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7} (Rogue.AntiVirus1)
HKCR\TypeLib\{512E801E-2F02-4ADE-ACAA-58F08A22B2F8} (Rogue.AntiVirus1)
HKCR\Interface\{051C9A06-FB08-486F-B09B-8B33B261637D} (Rogue.AntiVirus1)
HKCR\QWProtect.QWProtectBHO.1 (Rogue.AntiVirus1)
HKCR\QWProtect.QWProtectBHO (Rogue.AntiVirus1)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7} (Rogue.AntiVirus1)
HKCR\CLSID\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor)
HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO)
HKCR\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (Trojan.BHO)
HKCR\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (Trojan.BHO)
HKCR\main.BHO.1 (Trojan.BHO)
HKCR\main.BHO (Trojan.BHO)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO)
HKCR\CLSID\{C9C42510-9B21-41c1-9DCD-8382A2D07C61} (Trojan.FakeAlert)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9C42510-9B21-41C1-9DCD-8382A2D07C61} (Trojan.FakeAlert)
HKCR\AppID\QWProtect.DLL (Rogue.AntiVirus1)
HKCU\SOFTWARE\AV1 (Trojan.Agent)
HKCU\SOFTWARE\AvScan (Trojan.FakeAlert)
HKCU\SOFTWARE\QW2010 (Rogue.AntiVirus2010)

Registry Values Detected: 21
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor) Data: gsajkfh873whdngo8wuidgs4rgfr4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{A2234B15-23F2-42AD-F4E4-00AAC39C0004} (Trojan.Ertfor) Data:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Agent) Data: rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
HKCR\main.BHO.1\CLSID| (Adware.DeepDive) Data: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCR\main.BHO\CLSID| (Adware.DeepDive) Data: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKCU\Control Panel\don't load|scui.cpl (Hijack.SecurityCenter) Data: No
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) Data: No
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General|Wallpaper (Hijack.Wallpaper) Data: %SystemRoot%\system32\critical_warning.html
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|WINID (Malware.Trace) Data: 1CA5122F420AB00
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|idstrf (Malware.Trace) Data: 1-1CA5123D4ABCEC
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) Data: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions (Hijack.FolderOptions) Data: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|system tool (Rogue.SysGuard) Data: C:\WINDOWS\sysguard.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) Data: C:\DOCUME~1\usuario\LOCALS~1\Temp\notepad.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Login Software 2009 (Trojan.Agent) Data: C:\DOCUME~1\usuario\LOCALS~1\Temp\y7lc0za3.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|inixs (Trojan.FakeAlert) Data: C:\WINDOWS\system32\minix32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winupdate.exe (Trojan.Downloader) Data: C:\WINDOWS\system32\winupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Downloader) Data: rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|63275225 (Trojan.SCTool.Gen) Data: C:\Documents and Settings\All Users\Application Data\63275225\63275225.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lomulatibi (Trojan.Vundo) Data: Rundll32.exe "kuweyohi.dll",s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|braviax (Trojan.Downloader) Data: braviax.exe

Registry Data Items Detected: 13
HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallpaper (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSetActiveDesktop (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSetActiveDesktop (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop|NoChangingWallpaper (PUM.Hijack.DisplayProperties) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3249D53A-A382-4079-A035-DB05D3D15B85}|NameServer (Trojan.DNSChanger) Bad: (83.149.115.182) Good: () Quarantined and repaired successfully.

Folders Detected: 2
C:\Documents and Settings\All Users\Application Data\63275225 (Rogue.Multiple)
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro)

Files Detected: 22
C:\Program Files\Hunting Unlimited\sys\input.dll (Trojan.Downloader)
C:\Program Files\Windows Police Pro\winivsetup.exe (Rogue.WindowsPolicePro)
C:\WINDOWS\system32\najebofi.dll (Trojan.FakeAlert)
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent)
C:\Documents and Settings\All Users\Desktop\Green AV.lnk (Rogue.GreenAV)
C:\Documents and Settings\usuario\Desktop\Security Tool.lnk (Rogue.SecurityTool)
C:\Program Files\Common\_helper.sig (Malware.Trace)
C:\Program Files\Common\helper.sig (Trojan.Agent)
C:\Program Files\Shared\lib.sig (Adware.Deepdive)
C:\Documents and Settings\usuario\Start Menu\Programs\Security Tool.lnk (Rogue.SecurityTool)
C:\Documents and Settings\usuario\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader)
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader)
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover)
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert)
C:\Documents and Settings\usuario\Local Settings\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent)
C:\Documents and Settings\usuario\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader)
C:\Documents and Settings\usuario\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent)
C:\WINDOWS\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent)
C:\Documents and Settings\NetworkService\ntuser.dll (Trojan.Agent)
C:\WINDOWS\system32\config\systemprofile\ntuser.dll (Trojan.Agent)
C:\WINDOWS\sysguard.exe (Rogue.SysGuard)
C:\Documents and Settings\All Users\Application Data\63275225\63275225.bat (Rogue.Multiple)
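The Malwarebytes log above is the part of this thread that explains the symptoms in the first post: DisableTaskMgr and DisableRegistryTools under Policies\System are why Task Manager and regedit (and .reg import) were blocked, the Security Center DisableNotify values silenced the built-in warnings, several Run entries (including two rundll32 loaders and two bare filenames resolved through the search path) kept the rogue alive across reboots, and the per-interface NameServer value pointed DNS at 83.149.115.182. The script below is an added example, not part of either post or of Malwarebytes. It parses the "Registry Values Detected" and "Registry Data Items Detected" line formats shown in the log, groups each detection by its effect, and writes a .reg file that restores the "Good" values. The sample lines are copied from the posted log; the category names, the flagging heuristics and the function names are the example's own.

```python
"""Triage a Malwarebytes Anti-Malware log: which registry changes caused the
lockout symptoms, where the rogue persists, and a .reg file that undoes them."""
import re
from collections import defaultdict

# Sample input: lines copied from the Malwarebytes log posted in this thread.
SAMPLE_LOG = r"""
Registry Values Detected: 21
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|calc (Trojan.Agent) Data: rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) Data: No
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|system tool (Rogue.SysGuard) Data: C:\WINDOWS\sysguard.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) Data: C:\DOCUME~1\usuario\LOCALS~1\Temp\notepad.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lomulatibi (Trojan.Vundo) Data: Rundll32.exe "kuweyohi.dll",s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|braviax (Trojan.Downloader) Data: braviax.exe

Registry Data Items Detected: 13
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) Bad: (1) Good: (0) Quarantined and repaired successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3249D53A-A382-4079-A035-DB05D3D15B85}|NameServer (Trojan.DNSChanger) Bad: (83.149.115.182) Good: () Quarantined and repaired successfully.
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
# Policy values behind the symptoms described in the first post (plus the wallpaper lock).
POLICY_SYMPTOMS = {
    "DisableTaskMgr": "Task Manager blocked",
    "DisableRegistryTools": "regedit and .reg import blocked",
    "NoFolderOptions": "Folder Options hidden",
    "NoChangingWallpaper": "wallpaper locked to the fake warning page",
    "NoSetActiveDesktop": "wallpaper locked to the fake warning page",
}
# Line shapes: "<key>|<name> (<family>) Data: <data>"  and  "... Bad: (<bad>) Good: (<good>) ..."
HEAD = r"^(?P<key>HK[A-Z]+\\.*?)(?:\|(?P<name>.*?))? \((?P<family>[^()]+)\) "
VALUE_RE = re.compile(HEAD + r"Data: ?(?P<data>.*)$")
DATA_RE = re.compile(HEAD + r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_log(text):
    """One dict per detection line; section headers, counts and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = DATA_RE.match(line.strip()) or VALUE_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["kind"] = "data" if "bad" in f else "value"
            findings.append(f)
    return findings


def triage(findings):
    """Group detections by their effect on the victim machine."""
    report = defaultdict(list)
    for f in findings:
        key, name = f["key"], f["name"] or ""
        if f["kind"] == "data":
            if name in POLICY_SYMPTOMS:
                report[POLICY_SYMPTOMS[name]].append(f"{key}|{name} was {f['bad']}")
            elif name == "NameServer" and r"\Tcpip\Parameters" in key:
                report["DNS hijack"].append(
                    f"resolver set to {f['bad']} (should be {f['good'] or 'DHCP'})")
            elif key.endswith(r"\Security Center") and name.endswith("DisableNotify"):
                report["Security Center alerts silenced"].append(f"{key}|{name}")
        elif key.endswith(r"\CurrentVersion\Run"):
            data = f["data"]
            flags = []
            if "rundll32" in data.lower():
                flags.append("DLL loaded via rundll32")
            if "\\" not in data:
                flags.append("bare filename, resolved via search path")
            if "\\temp\\" in data.lower():
                flags.append("runs from a Temp folder")
            suffix = f"  [{'; '.join(flags)}]" if flags else ""
            report["Persistence (Run key)"].append(f"{name}: {data}{suffix}")
        elif key.endswith(r"\Control Panel\don't load"):
            report["Control Panel applet hidden"].append(name)
    return dict(report)


def remediation_reg(findings):
    """A .reg file restoring the 'Good' value of every repaired data item.
    Merge it only once the rogue's processes are stopped: while they run,
    DisableRegistryTools blocks regedit and .reg import, as the first post saw."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["kind"] != "data" or not f["name"]:
            continue
        hive, _, path = f["key"].partition("\\")
        good = f["good"]
        value = f"dword:{int(good):08x}" if good.isdigit() else '"' + good.replace("\\", "\\\\") + '"'
        out += [f"[{HIVES.get(hive, hive)}\\{path}]", f'"{f["name"]}"={value}', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for category, items in triage(found).items():
        print(category)
        for item in items:
            print("   ", item)
    print(remediation_reg(found))
```

Run it on a full log (`parse_log(open("mbam-log.txt").read())`) to get the same grouping for every detection. The NameServer entry is keyed by the interface GUID, so the generated .reg resets DNS only for the interface the rogue touched; the "No .exe could be run" symptom from the first post is not explained by any key in this log and is left out deliberately.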

paulofutre
Posts: 3660
Joined: Tue Sep 11, 2007 4:18 am
Location: MADRID

Re: Infection with Security Tool

#3 Post by paulofutre » Thu Feb 16, 2012 2:40 am

...I managed to remove it by booting Hiren's Boot CD into Mini Windows XP and running Avira Free. It gave me the option to update, then scan and delete all the infected files...

I'm keeping this novel method. Very good.
Thanks for reporting it.
Regards.
Regards and ♪Forzatleti♫

