PUP/MultiToolbar.A virus is not removed by formatting

pablo dipas
Posts: 2
Joined: 17 May 2014, 10:03

PUP/MultiToolbar.A virus is not removed by formatting

Post by pablo dipas » 17 May 2014, 10:05

Hello, I'm new to this forum. A few weeks ago my PC started to break down: it froze, the internet became extremely slow, it asked me to check disk C: and things like that. Since I saw these were typical virus symptoms, I set out to use Panda ActiveScan online, which is a tool I always use, and it turns out it finds a very strong virus: PUP/MultiToolbar.A HackTools c:\users\doctor picado\appdata\local\google\chrome\user data\default\file system\000\t\00\00000000

After trying various programs and other antivirus products, the only one that recognized this virus was Panda. I used Panda Cloud to see whether it would remove it, and I couldn't either, so I decided to format. After formatting I ran Panda ActiveScan online again and it gave me the result that the PC was clean. This was the report:



ANALYSIS: 2014-05-11 23:46:12

PROTECTIONS: 1

MALWARE: 8

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Avira Desktop Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@casalemedia[1].txt]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@casalemedia[1].txt]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@doubleclick[1].txt]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@doubleclick[1].txt]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\doctor picado\appdata\roaming\microsoft\windows\cookies\low\doctor_picado@doubleclick[1].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@yadro[1].txt]

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@statcounter[2].txt]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@serving-sys[2].txt]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@serving-sys[2].txt]

00168106 Cookie/Weborama TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@weborama[1].txt]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@advertising[2].txt]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@advertising[1].txt]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@zedo[1].txt]

;====================================================================================

SUSPECTS

Sent Location

;====================================================================================

VULNERABILITIES

Id Severity Description





A week later I noticed strange things on the PC, for example some slowness, and just in case I ran Panda ActiveScan online again, since I always use it and it is the only one that recognizes this virus, and I found that the virus was there, still latent, when before it had disappeared. I don't know whether it hid after the format or whether something I did gave it to me again. I don't know, I'm quite desperate. I hope you can help me. Here is the latest Panda ActiveScan online report:



ANALYSIS: 2014-05-17 04:22:22

PROTECTIONS: 1

MALWARE: 9

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Avira Desktop Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@casalemedia[1].txt]

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@casalemedia[1].txt]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@doubleclick[1].txt]

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@doubleclick[1].txt]

00167647 Cookie/Yadro TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@yadro[1].txt]

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@statcounter[2].txt]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@serving-sys[2].txt]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@serving-sys[2].txt]

00168106 Cookie/Weborama TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@weborama[1].txt]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@advertising[2].txt]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@advertising[1].txt]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\low\homero_jimeno@zedo[1].txt]

14620318 PUP/MultiToolbar.A HackTools No 0 Yes No c:\users\doctor picado\appdata\local\google\chrome\user data\default\file system\000\t\00\00000000

;====================================================================================

SUSPECTS

Sent Location

;====================================================================================

VULNERABILITIES

Id Severity Description

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Re: PUP/MultiToolbar.A virus is not removed by formatting

Post by msc hotline sat » 17 May 2014, 13:30

PUPs (Potentially Unwanted Programs), or unwanted programs, are usually installed by downwares that offer them when installing programs from websites that are not the manufacturer's.



So this MULTITOOLBAR: 14620318 PUP/MultiToolbar.A HackTools No 0 Yes No c:\users\doctor picado\appdata\local\google\chrome\user data\default\file system\000\t\00\00000000 was possibly downloaded by the Chrome installation, from a website that was not Google's, and, although it offered not to install it by unchecking the corresponding box, if it was not told otherwise, it did what it wanted...



There will surely be an uninstaller for it in Add or Remove Programs; if not, try our ELIPUPS.EXE and post us the resulting file c:\PROGRAMLOG.TXT and we will try to tell you which one you need to run to uninstall it



Regards



ms, 17-5-2014

pablo dipas
Posts: 2
Joined: 17 May 2014, 10:03

Re: PUP/MultiToolbar.A virus is not removed by formatting

Post by pablo dipas » 18 May 2014, 00:05

I ran EliPUPs 1.6 and it did nothing; it gave me a message saying that it detected nothing. Here is the report:



(17-5-2014 22:00:34 (GMT))

EliPUPs v1.7 (c)2014 S.G.H. / Satinfo S.L. (Modificado el 15 de Mayo del 2014)

-------------------------------------------

Sistema Operativo: Windows 7 Home Premium (6.1.NULL2) NULL2



Lista de Todos los Programas Instalados.

Descripción -> Cadena de Desinstalación.

----------------------------------------



Panda ActiveScan 2.0 -> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe

Adobe Flash Player 13 Plugin -> C:\Windows\system32\Macromed\Flash\FlashUtil32_13_0_0_214_Plugin.exe -maintain plugin

AIMP2 -> C:\Program Files\AIMP2\UnInstall.exe

Avira Free Antivirus -> C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE

CCleaner (remove only) -> "C:\Program Files\CCleaner\uninst.exe"

FormatFactory 2.70 -> C:\Program Files\FreeTime\FormatFactory\uninst.exe

Google Chrome -> "C:\Program Files\Google\Chrome\Application\34.0.1847.137\Installer\setup.exe" --uninstall --multi-install --chrome --system-level

NVIDIA ForceWare Network Access Manager -> "C:\Program Files\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -runfromtemp -l0x0409 -removeonly

Mozilla Firefox 29.0.1 (x86 es-AR) -> "C:\Program Files\Mozilla Firefox\uninstall\helper.exe"

Mozilla Maintenance Service -> "C:\Program Files\Mozilla Maintenance Service\uninstall.exe"

Nero 8.3.2.1 -> "C:\Program Files\Nero\unins000.exe"

NVIDIA Drivers -> C:\Windows\system32\nvuninst.exe UninstallGUI

Sonic Foundry SoundForge v4.5 -> C:\audio\SOUNDF~1\UNWISE.EXE C:\audio\SOUNDF~1\INSTALL.LOG

VLC media player 2.0.0 -> C:\Program Files\VideoLAN\VLC\uninstall.exe

Winamp (remove only) -> "C:\Program Files\Winamp\UninstWA.exe"

Compresor WinRAR -> C:\Program Files\WinRAR\uninstall.exe

Yahoo! Install Manager -> C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 -> MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}

Microsoft Visual C++ 2005 Redistributable -> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

NVIDIA ForceWare Network Access Manager -> MsiExec.exe /I{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}

Microsoft Office Professional Edition 2003 -> MsiExec.exe /I{90110C0A-6000-11D3-8CFE-0150048383C9}

Paquete de compatibilidad para 2007 Office system -> MsiExec.exe /X{90120000-0020-0C0A-0000-0000000FF1CE}

Google Update Helper -> MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

Adobe Reader 8.1.1 - Español -> MsiExec.exe /I{AC76BA86-7AD7-1034-7B44-A81000000003}

NVIDIA Controlador de gráficos 285.62 -> "C:\Windows\system32\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL",UninstallPackage Display.Driver

Actualización de NVIDIA 1.5.20 -> "C:\Windows\system32\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL",UninstallPackage Display.Update

WinZip 11.1 -> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 -> MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}

Realtek High Definition Audio Driver -> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -removeonly



Lista de PUPs conocidos.

Descripción -> Cadena de Desinstalación.

----------------------------------------



How do we proceed?

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Re: PUP/MultiToolbar.A virus is not removed by formatting

Post by msc hotline sat » 18 May 2014, 08:13

Well, since you say that Panda detected it in the installed Chrome, uninstall this application from Add or Remove Programs:



Google Chrome -> "C:\Program Files\Google\Chrome\Application\34.0.1847.137\Installer\setup.exe" --uninstall --multi-install --chrome --system-level





and after restarting, install it again from the manufacturer's website, www.google.com:



https://www.google.com/intl/es/chrome/browser/



And after that, tell us the result, thanks



Regards



ms, 18-7-2014
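
A triage sketch for the two ActiveScan reports posted in this thread, added here as an example (not code from the forum, Panda or Satinfo): it parses the MALWARE rows, marks detections that sit inside a backup archive rather than in a live file, and diffs the two scans. The function names are invented for this example, and the row layout is inferred from the reports as posted.

```python
import re

# One MALWARE row: Id Description Type Active Severity Disinfectable Disinfected Location
ROW = re.compile(r"^(\d{8})\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+)$")
# A detection inside an archive is reported as container.zip[inner path]
ARCHIVE = re.compile(r"^(.*?\.zip)\[(.*)\]$", re.IGNORECASE)

def parse_report(text):
    """Return one dict per MALWARE row; headers and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ident, name, kind, active, _sev, _disinfectable, _done, location = m.groups()
        rows.append({
            "id": ident, "name": name, "type": kind, "active": active == "Yes",
            "location": location,
            "in_archive": bool(ARCHIVE.match(location)),  # stored in a backup, not a live file
        })
    return rows

def new_detections(before, after):
    """Rows of the later scan whose (id, location) pair the earlier scan did not have."""
    seen = {(r["id"], r["location"]) for r in before}
    return [r for r in after if (r["id"], r["location"]) not in seen]

def worth_a_look(rows):
    """Detections in live (non-archived) files that are not tracking cookies."""
    return [r for r in rows if not r["in_archive"] and r["type"] != "TrackingCookie"]

# Abridged rows copied from the two reports in the thread (most cookie rows omitted).
SCAN_MAY_11 = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@casalemedia[1].txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\doctor picado\appdata\roaming\microsoft\windows\cookies\low\doctor_picado@doubleclick[1].txt
"""
SCAN_MAY_17 = r"""
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No d:\kwijibo\backup set 2013-07-21 190001\backup files 2013-07-21 190001\backup files 18.zip[c\users\homero jimeno\appdata\roaming\microsoft\windows\cookies\homero_jimeno@casalemedia[1].txt]
14620318 PUP/MultiToolbar.A HackTools No 0 Yes No c:\users\doctor picado\appdata\local\google\chrome\user data\default\file system\000\t\00\00000000
"""

if __name__ == "__main__":
    before, after = parse_report(SCAN_MAY_11), parse_report(SCAN_MAY_17)
    for r in worth_a_look(new_detections(before, after)):
        print(r["id"], r["name"], r["location"])
```

On these rows the only new, live, non-cookie detection is the file under the Chrome user-data folder; the cookie rows repeated in both scans sit inside the backup archive on d: and are unchanged between scans.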
