HIJACKTHIS LOG
Mr_X:
1.- Keep only one antivirus installed (or only one resident in memory)
2.- Is the log complete?
The problem seems to be here:
--- Code: ---
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\j00slad71d0.dll
--- End of code ---
Delete the entry with HijackThis (running it from a "fixed" folder, that is, one that is not in the temp folders)
3.- Run Spybot S&D and Ad-Aware and get a new HijackThis log; also, give us a log from Sysinternals Autoruns: double-click the AUTORUNS.EXE file, go to the "Options" menu, check the first three options and press F5, go to the "File" menu, "Save as", give it a name and save it, then open the file in Notepad, copy the contents and paste them here...
Aprendiz:
;-) Hehe, it's because it's in Swedish. Also, I saved the following:
StartupList report, 2006-02-19, 14:06:15
StartupList version: 1.52.2
Started from : C:\DOCUME~1\WINDOW~1\LOKALA~1\Temp\Rar$EX01.902\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\WINDOW~1\LOKALA~1\Temp\Rar$EX01.902\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
AAW =
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr = "C:\Program\MSN Messenger\msnmsgr.exe" /background
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\sstext3d.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer - Windows XP.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
--------------------------------------------------
Enumerating Winsock LSP files:
Protocol #1: C:\Program\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #2: C:\Program\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
Protocol #8: C:\Program\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
--------------------------------------------------
End of report, 3 610 bytes
Report generated in 0,100 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Aprendiz:
Hi guys, just letting you know that right now I'm doing what you told me; in a moment I'll post the logs. Honestly, my whole weekend has gone into this; it's a pain being bombarded by these pages, right? But I'm starting to see the light at the end of the tunnel.
Thanks for your help. Regards.
Aprendiz:
Well, I've done what you recommended; here it is attached.
The HijackThis log, this is everything that comes out, and I've now put the program installed on the PC.
This is from the button Do a system scan and save a logfile:
Logfile of HijackThis v1.99.1
Scan saved at 22:18:20, on 2006-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Windows XP\Skrivbord\Carpeta solo para el HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google-sökning - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Översätt engelskt ord - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Bakåtlänkar - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lagrad bild på sida - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Liknande sidor - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\ir60l5jm1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
This is from the Hosts File Manager button (I have no idea whether it is useful |o| at the moment):
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. You should
# not enter more than one entry per line. The IP address should be placed
# in the first column followed by the corresponding host name.
# The IP address and the host name must be separated by at least one space.
#
# Comments (such as these) may be inserted on their own line or
#
# For example:
#
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com EVENT:HOST:127.0.0.1
127.0.0.1 www.pacimedia.com
127.0.0.1 www.exactsearch.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
#
#
127.0.0.1 www.contextplus.net
- I ran Spybot S&D and it reported: problem: winfixer
3 cookies
cookie de seguimiento [firefox:default]
firefox [default] : www.winfixer.com/[gl]
cookie de seguimiento [firefox:default]
firefox [default] : . winfixer.com/[lid]
cookie de seguimiento [firefox:default]
firefox [default] : . winfixer.com/[aid]
I clicked fix problem and it told me 3 problems fixed.
- I ran Ad-Aware and it found 20 critical objects; I clicked remove and got the message "could not remove c:\WINDOWS\system32\g44olehm1h4a.dll".
I ran Ad-Aware again and this time it found 19 critical objects, which I put in quarantine; it gave me the message "30 objects in quarantine".
And finally, here is the Autoruns log:
HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\Documents and Settings\All Users\Start-meny\Program\Autostart
C:\Documents and Settings\Windows XP\Start-meny\Program\Autostart
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ msnmsgr MSN Messenger (Not verified) Microsoft Corporation c:\program\msn messenger\msnmsgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ AVG7 Find Extension AVG Shell Extension (Not verified) GRISOFT, s.r.o. c:\program\grisoft\avg free\avgse.dll
+ AVG7 Shell Extension AVG Shell Extension (Not verified) GRISOFT, s.r.o. c:\program\grisoft\avg free\avgse.dll
+ eanclass.dll c:\windows\system32\eanclass.dll
+ guard.tmp c:\windows\system32\guard.tmp
+ iTunes iTunes Mini Player DLL (Not verified) Apple Computer, Inc. c:\program\itunes\itunesminiplayer.dll
+ Mi P910i File Manager interface (Not verified) Teleca Software Solutions AB c:\program\sony ericsson\mobile\auexpext.dll
+ mxasn1.dll c:\windows\system32\mxasn1.dll
+ PhotoToys Windows XP PowerToys (Not verified) Microsoft Corporation c:\windows\system32\phototoys.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Not verified) RealNetworks, Inc. c:\program\real\realone player\rpshell.dll
+ WinRAR shell extension c:\program\winrar\rarext.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Internet Explorer\Extensions
Task Scheduler
+ Norton AntiVirus - Scan my computer - Windows XP.job Norton AntiVirus Scanner Module (Verified) Symantec Corporation c:\program\norton systemworks\norton antivirus\navw32.exe
+ Norton SystemWorks One Button Checkup.job One Button Checkup (Verified) Symantec Corporation c:\program\norton systemworks\obc.exe
+ Symantec Drmc.job Symantec Shared File (Not verified) Symantec Corporation c:\program\delade filer\symantec shared\symdrmc.exe
HKLM\System\CurrentControlSet\Services
+ Avg7Alrt AVG Alert Manager (Not verified) GRISOFT, s.r.o. c:\program\grisoft\avg free\avgamsvr.exe
+ Avg7UpdSvc AVG Update Service (Not verified) GRISOFT, s.r.o. c:\program\grisoft\avg free\avgupsvc.exe
+ ccEvtMgr Symantec Event Manager (Verified) Symantec Corporation c:\program\delade filer\symantec shared\ccevtmgr.exe
+ ccSetMgr Symantec Settings Manager (Verified) Symantec Corporation c:\program\delade filer\symantec shared\ccsetmgr.exe
+ navapsvc Handles Norton AntiVirus Auto-Protect events. (Verified) Symantec Corporation c:\program\norton systemworks\norton antivirus\navapsvc.exe
+ NPFMntor Detects installation of Symantec Firewall clients (Verified) Symantec Corporation c:\program\norton systemworks\norton antivirus\iwp\npfmntor.exe
+ SBService Norton AntiVirus ScripBlocking Service (Verified) Symantec Corporation c:\program\delade filer\symantec shared\script blocking\sbserv.exe
+ SNDSrvc Symantec Network Drivers Service (Verified) Symantec Corporation c:\program\delade filer\symantec shared\sndsrvc.exe
+ SPBBCSvc Symantec SPBBC (Verified) Symantec Corporation c:\program\delade filer\symantec shared\spbbc\spbbcsvc.exe
HKLM\System\CurrentControlSet\Services
+ Avg7Core AVG Scanning Engine (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avg7core.sys
+ Avg7RsW AVG Resident Shield Unload Helper (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avg7rsw.sys
+ Avg7RsXP AVG Resident Anti-Virus Shield (Not verified) GRISOFT, s.r.o. c:\windows\system32\drivers\avg7rsxp.sys
+ GEARAspiWDM CDRom Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ NAVENG AV Engine (Verified) Symantec Corporation c:\program\delade filer\symantec shared\virusdefs\20060215.006\naveng.sys
+ NAVEX15 AV Engine (Verified) Symantec Corporation c:\program\delade filer\symantec shared\virusdefs\20060215.006\navex15.sys
+ SAVRT AutoProtect (Verified) Symantec Corporation c:\program\norton systemworks\norton antivirus\savrt.sys
+ SAVRTPEL SAVRTPEL (Verified) Symantec Corporation c:\program\norton systemworks\norton antivirus\savrtpel.sys
+ SDdriver SDDRIVER (Not verified) Symantec Corporation c:\windows\system32\drivers\sddriver.sys
+ Secdrv SafeDisc driver (Not verified) Macrovision Europe Ltd c:\windows\system32\drivers\secdrv.sys
+ SPBBCDrv SPBBC Driver (Verified) Symantec Corporation c:\program\delade filer\symantec shared\spbbc\spbbcdrv.sys
+ SYMDNS DNS Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symdns.sys
+ SymEvent Symantec Event Library (Verified) Symantec Corporation c:\program\symantec\symevent.sys
+ SYMFW Firewall Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symfw.sys
+ SYMIDS IDS Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symids.sys
+ SYMIDSCO IDS Core Driver (Verified) Symantec Corporation c:\program\delade filer\symantec shared\symcdata\ids-diskless\20051208.051\symidsco.sys
+ symlcbrd Symantec Core Component (Not verified) Symantec Corporation c:\windows\system32\drivers\symlcbrd.sys
+ SYMNDIS NDIS Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symndis.sys
+ SYMREDRV Redirector Filter Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symredrv.sys
+ SYMTDI Network Dispatch Driver (Verified) Symantec Corporation c:\windows\system32\drivers\symtdi.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Command Processor\Autorun
HKCU\SOFTWARE\Microsoft\Command Processor\Autorun
HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ BITS c:\windows\system32\ir60l5jm1.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImageName
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ Google Desktop c:\program\google\google desktop search\googledesktopnetwork1.dll
+ Google Desktop over [MSAFD Tcpip [TCP/IP]] c:\program\google\google desktop search\googledesktopnetwork1.dll
+ Google Desktop over [MSAFD Tcpip [UDP/IP]] c:\program\google\google desktop search\googledesktopnetwork1.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Microsoft Document Imaging Writer Monitor Microsoft® Document Imaging (Not verified) Microsoft Corporation c:\windows\system32\mdimon.dll
All this has turned out a bit long, hasn't it :ciego:
Very kind of you guys, have a good night.-
Mr_X:
Well, you have some "junk"...
- Create a backup of the registry:
Option 1: Open the Windows registry (Start button --> Run --> regedit), go to the key that corresponds to "My Computer" (the first one, the root of all of them), File menu --> Export --> give it a name and save it
Option 2: Download and run ERUNT
- Reboot into SAFE MODE, run Autoruns, find the following entries, right-click and select "Delete"... Reboot and get new logs...
--- Code: ---
+ eanclass.dll c:\windows\system32\eanclass.dll
+ guard.tmp c:\windows\system32\guard.tmp
+ mxasn1.dll c:\windows\system32\mxasn1.dll
+ BITS c:\windows\system32\ir60l5jm1.dll
--- End of code ---
Reboot in normal mode, update the antivirus and run a full scan... Paste new HijackThis and Autoruns logs here, and also paste the contents of the HOSTS file (WINDOWS\SYSTEM32\DRIVERS\ETC)...
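The triage Mr_X does by eye in this thread, picking out the O20 Winlogon Notify entry that loads a randomly named DLL from system32 and asking for the HOSTS file, can be scripted for a log that is too long to read line by line. This is an added example, not code from the thread or from HijackThis/Autoruns; the sample lines are copied from the logs posted above, and the allowlist of Windows XP Winlogon Notify DLLs and the letters-plus-digits heuristic are assumptions.

```python
import re

# Constructed sample input: lines copied from the HijackThis log and the HOSTS
# dump posted in the thread, plus one clean O20 line for contrast.
HJT_LOG = r"""O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\ir60l5jm1.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
"""
HOSTS = """# Comment lines are ignored by the parser.
127.0.0.1 localhost
127.0.0.1 www.winfixer.com
127.0.0.1 www.contextplus.net
127.0.0.1 www.contextplus.net
"""

# Assumed allowlist: DLLs Windows XP itself registers under Winlogon\Notify.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")


def looks_generated(stem):
    """Heuristic: stems like ir60l5jm1 or j00slad71d0 mix digits into letters."""
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def suspicious_winlogon_notify(log_text):
    """Return (subkey, dll_path) for O20 entries that deserve review.
    The subkey name (BITS, NetCache) is chosen by whoever created the key and
    can mimic a Windows component, so only the DLL file name is judged."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stem = filename.rsplit(".", 1)[0]
        if filename not in KNOWN_NOTIFY_DLLS and looks_generated(stem):
            findings.append((m.group("key"), path))
    return findings


def hosts_findings(hosts_text):
    """Return (mappings, duplicates): every (ip, name) other than localhost, and
    the lines that repeat. A loopback entry blocks a name (both anti-spyware
    tools and adware write them); a non-loopback address would redirect it."""
    counts, mappings = {}, []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        counts[line] = counts.get(line, 0) + 1
        ip, *names = line.split()
        for name in names:
            if name.lower() != "localhost" and (ip, name) not in mappings:
                mappings.append((ip, name))
    return mappings, {k: v for k, v in counts.items() if v > 1}
```

Feed it the full log and HOSTS text (for example, read from the saved files) to get the same two kinds of finding Mr_X points at: the Winlogon Notify DLL to remove in safe mode, and the HOSTS entries to review.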