Digital Protection virus infection

Learn and share how to fight malicious objects in computing.
LeThe
Site Admin
Posts: 7046
Joined: Fri Jun 15, 2007 5:11 pm
Location: Florida, United States

Digital Protection virus infection

Post by LeThe »

Another infection; this time it started with a program called Digital Protection. This computer had several infections, and the owner believes several got in through a torrent he downloaded and the rest through Internet Explorer. I was able to remove it by looking for odd entries with HijackThis; then, in Safe Mode, I brought over the updated definitions file from malwarebytes.org, rules.ref, and ran the scan in Safe Mode. The user name has been changed to XX in the log for privacy reasons.

Malwarebytes' Anti-Malware 1.46
Database version: 4052
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11
5/3/2010 9:30:12 PM
mbam-log-2010-05-03 (21-30-12).txt

Scan type: Quick scan
Objects scanned: 136109
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 12
Registry Data Items Infected: 10
Folders Infected: 13
Files Infected: 96

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\XX\Local Settings\Application Data\Windows Server\erfzjf.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{e398aa09-5ebc-4c11-9ba6-2839e24333ca} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{061a47f1-2824-4530-a56e-aae5ceb0db87} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{235929f5-0da2-47a6-9a61-0a04f0f98626} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{4b78647e-4999-49b0-a6c3-01d1fda18830} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{5054c24e-f55a-42ac-b4b4-6f02c7d95f8b} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{5bd0230c-b859-4727-9b71-281da08a604c} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{65cf3732-3a5c-441e-9538-9ec8144ae84a} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{9e926b27-6b24-4d56-b2f2-e14f50d19fa7} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\Interface\{fcfc4f42-4fd6-4805-9414-435a15f19bb5} (Trojan.Downloader) ->
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) ->
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) ->
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) ->
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) ->
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) ->
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) ->
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) ->
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) ->

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iaanotif (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmxlauncher (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logitech hardware abstraction layer (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logitechcommunicationsmanager (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logitechquickcamribbon (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\applesyncnotifier (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe reader speed launcher (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe arm (Trojan.Downloader) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) ->

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64ed4e10-c580-4c0a-950a-87c1ff46bedd}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a293223-ff22-4e5d-83b5-e97daa827f7a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->

Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) ->
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) ->
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.2.0 (Adware.SmartAds) ->
C:\Documents and Settings\XX\Application Data\ezLife (Adware.EzLife) ->
C:\Documents and Settings\XX\Application Data\ezLife\ezLife (Adware.EzLife) ->
C:\Program Files\ezLife (Adware.EzLife) ->
C:\Program Files\ezLife\ezLife (Adware.EzLife) ->
C:\Program Files\ezLife\ezLife\1.5.2.0 (Adware.EzLife) ->
C:\Program Files\Digital Protection (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection (Rogue.DigitalProtection) ->
C:\WINDOWS\PRAGMAstspqqhevb (Trojan.DNSChanger) ->
C:\Documents and Settings\XX\Application Data\APManager (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages (Rogue.APManager) ->

Files Infected:
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Trojan.Downloader) ->
C:\Program Files\Dell\Media Experience\DMXLauncher.exe (Trojan.Downloader) ->
C:\WINDOWS\system32\lbtwiz.exe (Trojan.Downloader) ->
C:\WINDOWS\system32\khalmnpr.exe (Trojan.Downloader) ->
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Trojan.Downloader) ->
C:\Program Files\Logitech\QuickCam\quickcam.exe (Trojan.Downloader) ->
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Trojan.Downloader) ->
C:\Program Files\Java\jre6\bin\jusched.exe (Trojan.Downloader) ->
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Downloader) ->
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Trojan.Downloader) ->
C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe (Trojan.Downloader) ->
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) ->
C:\Program Files\Mozilla Firefox\Components\ffxShot.dll (Adware.Adrotator) ->
C:\WINDOWS\system32\ezeiaozabctbd.dll (Adware.IEhlpr) ->
C:\WINDOWS\system32\gwjllcugnixibt.exe (Adware.Adrotator) ->
C:\WINDOWS\system32\khalmnpr .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\lbtwiz .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\net.net (Trojan.Downloader) ->
C:\WINDOWS\system32\nwiz .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\nwiz.exe (Trojan.Downloader) ->
C:\WINDOWS\system32\stsystra .exe (Trojan.Downloader) ->
C:\WINDOWS\system32\tkzbxyid.dll (Trojan.BHO) ->
C:\WINDOWS\system32\v8lpcw2.dll (Trojan.Ertfor) ->
C:\Documents and Settings\XX\Local Settings\Temp\geurge.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temp\vcf .exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temp\wmpscfgs.exe (Trojan.Downloader) ->
C:\WINDOWS\Temp\0000195b.sys (Trojan.Alureon) ->
C:\WINDOWS\Temp\wmpscfgs.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\khalmnpr.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\lbtwiz.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\nwiz.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\rundll32 .exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\rundll32.exe (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\7ERZ7WEN\stpee9b6[1].exe (Trojan.Hiloti) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\Q3IM6GD2\load[1].exe (Trojan.Dropper) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\Q3IM6GD2\stp916d2[1].exe (Trojan.FraudTool) ->
C:\Documents and Settings\XX\Local Settings\Temporary Internet Files\Content.IE5\Z2KL4T7U\rvqxfn[1].htm (Trojan.Downloader) ->
C:\WINDOWS\skecodlT.dll (Trojan.Hiloti) ->
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000e20.tmp (Rootkit.TDSS) ->
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000648d.tmp (Rootkit.TDSS) ->
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.2.0\uninstall.exe (Adware.SmartAds) ->
C:\Documents and Settings\XX\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) ->
C:\Program Files\ezLife\ezLife\1.5.2.0\uninstall.exe (Adware.EzLife) ->
C:\Program Files\Digital Protection\about.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\activate.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\buy.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\dig.db (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\digext.dll (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\dighook.dll (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\digprot.exe (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\help.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\scan.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\settings.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\splash.mp3 (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\Uninstall.exe (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\update.ico (Rogue.DigitalProtection) ->
C:\Program Files\Digital Protection\virus.mp3 (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\About.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Activate.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Buy.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Digital Protection.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Scan.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Settings.lnk (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Start Menu\Programs\Digital Protection\Update.lnk (Rogue.DigitalProtection) ->
C:\WINDOWS\PRAGMAstspqqhevb\PRAGMAcfg.ini (Trojan.DNSChanger) ->
C:\Documents and Settings\XX\Application Data\APManager\apmanager.exe (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\files (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\iplog (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\settings.ini (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\uninstall.exe (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\wallpaper.jpg (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Czech.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Danish.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Dutch.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\English.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\French.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\German.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Italian.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Portuguese.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Slovak.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\Spanish.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Application Data\APManager\languages\template.lng (Rogue.APManager) ->
C:\Documents and Settings\XX\Desktop\AP Manager.lnk (Rogue.APManager) ->
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) ->
C:\WINDOWS\Temp\pragmamainqt.dll (Rootkit.TDSS) ->
C:\Documents and Settings\XX\Application Data\Microsoft\Internet Explorer\Quick Launch\Digital Protection.LNK (Rogue.DigitalProtection) ->
C:\Documents and Settings\XX\Desktop\Digital Protection.LNK (Rogue.DigitalProtection) ->
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) ->
C:\Program Files\Mozilla Firefox\components\nsFFxSHot.xpt (Adware.Adrotator) ->
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) ->
C:\Documents and Settings\XX\Local Settings\Temp\svchost.exe (Trojan.Agent) ->
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) ->
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) ->
C:\Documents and Settings\XX\Local Settings\Application Data\Windows Server\erfzjf.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\XX\Desktop\explorer.com (Heuristics.Reserved.Word.Exploit) ->
Ing. Joshua Marius
Windows 10 Pro x64 20H2
Intel Core i7-3770K, 4.5 Ghz
ASUS P8Z68-V LX
Disco 1: Samsung SSD 850 EVO 500 GB
RAID 1: Seagate ST3000DM001 3TB
CORSAIR Vengeance 16 GB DDR3 1600
NVIDIA GeForce GTX 1060
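As an added example (not part of the original post or of Malwarebytes' own tooling), a Python triage script for the 1.x log format shown above: it groups the detection lines by section, pulls the Bad/Good and Data values out of the Registry Data Items, and flags the registry locations (rogue DNS servers, hijacked browser launch commands, disabled Security Center alerts, AppCertDlls, DisableTaskMgr) that a responder should re-check after the reboot rather than trust the cleanup counts. The HIGH_IMPACT path list is my own choice; the embedded sample is an excerpt of the posted log.

```python
import re
from collections import Counter, defaultdict

# Detection line shape: <object> (<Family>) -> <action, or Bad/Good/Data detail>
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) ->\s*(?P<detail>.*)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)")
DATA_RE = re.compile(r"Data: (?P<data>\S+)")
# Registry paths where a hit means the OS itself was retargeted (resolver, browser
# launch command, Security Center alerts, Task Manager, DLL loaded into every process).
HIGH_IMPACT = ("\\Security Center\\", "\\Tcpip\\Parameters", "\\AppCertDlls\\",
               "\\StartMenuInternet\\", "\\Policies\\System\\DisableTaskMgr")

# Excerpt of the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""Memory Modules Infected: 1
Memory Modules Infected:
C:\Documents and Settings\XX\Local Settings\Application Data\Windows Server\erfzjf.dll (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\XX\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.94,93.188.166.122 ->
"""

def parse_mbam_log(text):
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Infected:"):       # section header; summary count lines end in a number
            current = line[:-1]
            continue
        m = ENTRY_RE.match(line) if current and line else None
        if not m:
            continue
        entry = {"object": m["obj"], "family": m["family"], "detail": m["detail"],
                 "high_impact": any(k in m["obj"] for k in HIGH_IMPACT)}
        if bg := BAD_GOOD_RE.search(m["detail"]):   # value found and value MBAM wrote back
            entry["bad"], entry["good"] = bg["bad"], bg["good"]
        if d := DATA_RE.search(m["detail"]):        # reported value (here: DNS server list)
            entry["data"] = d["data"]
        sections[current].append(entry)
    return dict(sections)

def triage(text):
    entries = [e for es in parse_mbam_log(text).values() for e in es]
    dns = {ip for e in entries if "NameServer" in e["object"] and "data" in e
           for ip in e["data"].split(",")}
    return {"families": Counter(e["family"] for e in entries),
            "high_impact": [e["object"] for e in entries if e["high_impact"]],
            "dns_servers": sorted(dns),  # confirm the resolver really changed back after reboot
            "reboot_pending": [e["object"] for e in entries if e["detail"].startswith("Delete on reboot")]}
```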
Menfis
Posts: 2894
Joined: Sat May 17, 2008 5:14 pm

Re: Digital Protection

Post by Menfis »

Thanks for sharing. Just out of curiosity, what antivirus did it have?

Another question: I see that in many infections Adobe is the most affected; would there be any way to keep it from getting infected?
LeThe
Site Admin
Posts: 7046
Joined: Fri Jun 15, 2007 5:11 pm
Location: Florida, United States

Re: Digital Protection

Post by LeThe »

Good question. From what I could see, he only had Threat Fire, which had been disabled, and then he tried to install AVAST Free.