Re: Trojans that keep coming back
Well, here are the logs. I rebooted and so far the machine hasn't detected anything.
Malwarebytes' Anti-Malware 1.05
Database version: 421
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 88324
Time elapsed: 18 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\basevrkq32.dll (Trojan.Downloader) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{3e6201fa-02dd-4a0b-8699-1328e0602314} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{df16c60e-f85b-4459-86ae-4977656339ec} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\windowsupdate.windowsupdate (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\windowsupdate.windowsupdate.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UninstallSXS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ssnipe (Rogue.SpySnipe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsUpdate.WindowsUpdate (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsUpdate.WindowsUpdate.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080228-145001-154.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\NT7732.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\NT7E32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baseskpsb32.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\basevrkq32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bns.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
ComboFix 08-02-21 - Totto 2008-02-28 15:16:26.8 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1776 [GMT -3:00]
Running from: C:\Documents and Settings\Totto\Desktop\Proteccion\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dllcache\beep.sys
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.
2008-02-28 14:42 . 2008-02-28 14:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-28 14:42 . 2008-02-28 14:42 <DIR> d-------- C:\Documents and Settings\Totto\Application Data\Malwarebytes
2008-02-28 14:42 . 2008-02-28 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-27 18:00 . 2008-02-27 18:00 49,184 --a------ C:\Documents and Settings\Totto\Application Data\GDIPFONTCACHEV1.DAT
2008-02-23 15:15 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-23 15:07 . 2008-02-23 15:07 <DIR> d-------- C:\Program Files\Sierra OnLine
2008-02-23 15:07 . 2008-02-23 15:07 <DIR> d-------- C:\Documents and Settings\Totto\WINDOWS
2008-02-23 15:07 . 1999-05-20 11:27 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2008-02-23 15:07 . 1999-05-20 11:27 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2008-02-23 15:07 . 2008-02-23 15:09 352 --a------ C:\WINDOWS\SIERRA.INI
2008-02-23 12:34 . 2008-02-23 12:34 23,207 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-02-23 12:02 . 2008-02-23 12:02 <DIR> d-------- C:\WINDOWS\nview
2008-02-23 12:02 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-02-23 12:02 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-02-23 12:02 . 2008-02-23 12:04 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-02-23 12:02 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-02-23 10:41 . 2008-02-23 10:44 1,731,047,424 --a------ C:\2A.tmp
2008-02-23 10:02 . 2008-02-23 10:04 1,534,050,816 --a------ C:\1C.tmp
2008-02-23 09:54 . 2008-02-23 09:58 2,143,289,856 --a------ C:\E.tmp
2008-02-22 15:29 . 2008-02-26 15:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 15:29 . 2008-02-26 15:32 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-22 15:29 . 2008-02-26 15:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-22 15:29 . 2008-02-26 15:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-18 00:49 . 2008-02-18 00:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 21:16 . 2008-02-26 14:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 21:16 . 2008-02-17 21:16 <DIR> d-------- C:\Program Files\CCleaner
2008-02-17 21:16 . 2008-02-17 21:16 <DIR> d-------- C:\Documents and Settings\Totto\Application Data\SUPERAntiSpyware.com
2008-02-17 21:16 . 2008-02-17 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 21:10 . 2008-02-17 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 21:07 . 2008-02-23 11:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-17 21:07 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-02-17 09:20 . 2008-02-17 09:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-17 09:20 . 2008-02-17 09:20 3,442 --a------ C:\WINDOWS\unins000.dat
2008-02-03 14:23 . 2003-07-22 00:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-02-03 14:23 . 2005-01-05 15:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-02-03 03:31 . 2008-02-03 03:31 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-03 03:30 . 2008-02-03 03:30 <DIR> d-------- C:\WINDOWS\ShellNew
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 21:26 --------- d-----w C:\Program Files\FlashGet
2008-02-26 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 13:03 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-17 12:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 16:13 --------- d-----w C:\Program Files\eMule
2008-02-03 17:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 10:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 09:19 729088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-03 22:07 158208]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-02-21 19:50 605904]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:07 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-04 17:41:37 110592]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lineage II Elwyn.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lineage II Elwyn.lnk
backup=C:\WINDOWS\pss\Lineage II Elwyn.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 07:48 157592 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2006-04-10 09:19 729088 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-04-30 23:07 843776 C:\Program Files\Analog Devices\Core\smax4pnp.exe
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-02-21 19:50]
S3 XDva019;XDva019;C:\WINDOWS\system32\XDva019.sys []
S3 XDva031;XDva031;C:\WINDOWS\system32\XDva031.sys []
S3 XDva064;XDva064;C:\WINDOWS\system32\XDva064.sys []
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 09:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-05 17:25:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1170177911.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 15:19:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-28 15:20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 18:20:00
ComboFix2.txt 2008-02-21 00:19:12
Last edited by Totto on 28/02/08 at 14:30:41.