Reports from Sdfix and Combo

Hello, these are the reports from both programs, the first of them from Combo and the last from Sdfix:
* Creado un nuevo punto de restauración
ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 228 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.
(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mary\Datos de programa\hidires
C:\Documents and Settings\Mary\ResErrors.log
C:\WINDOWS\exefld
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_M_HOOK
-------\m_hook
(((((((((((((((((( Archivos creados desde 2008-02-02 - 2008-03-02 )))))))))))))))))))))))))))))))))
.
2008-03-02 16:40 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-02 16:40 . 2007-07-30 19:18 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-02 16:40 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-02 16:40 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-01 10:54 . 2008-03-02 16:42 <DIR> d-------- C:\SDFix
2008-03-01 10:44 . 2008-03-01 10:52 <DIR> d-------- C:\Archivos de programa\CCleaner
2008-02-28 15:58 . 2008-02-28 15:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-28 15:50 . 2008-02-28 15:50 <DIR> d-------- C:\Documents and Settings\Mary\Datos de programa\discoseguro
2008-02-28 11:00 . 2008-02-28 20:20 <DIR> d-------- C:\Archivos de programa\DiscoSeguro
2008-02-28 11:00 . 2008-02-28 20:20 <DIR> d-------- C:\Archivos de programa\Archivos comunes\DiscoSeguro
2008-02-28 10:59 . 2008-02-28 10:59 262,664 --a------ C:\Documents and Settings\Mary\Datos de programa\setup_es[1].exe
2008-02-27 23:31 . 2008-02-27 23:31 <DIR> d-------- C:\Documents and Settings\Mary\Datos de programa\Symantec
2008-02-27 16:44 . 2008-02-27 23:39 47,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-27 16:44 . 2008-02-27 23:39 27,424 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-27 16:44 . 2008-02-27 23:39 3,620 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-27 16:44 . 2008-02-27 23:39 2,672 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-27 16:43 . 2008-02-27 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
2008-02-27 16:23 . 2008-02-27 16:23 <DIR> d-------- C:\Documents and Settings\Mary\Datos de programa\BarreraIntegral
2008-02-27 16:23 . 2008-02-27 16:23 <DIR> d--hs---- C:\BarreraIntegral
2008-02-27 16:23 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-27 16:22 . 2008-02-28 08:47 251,160 --a------ C:\Documents and Settings\Mary\Datos de programa\install_es[1].exe
2008-02-19 22:01 . 2008-02-19 22:01 <DIR> d-------- C:\KAV5.0
2008-02-19 21:56 . 2008-02-27 16:44 <DIR> d-------- C:\kav
2008-02-16 11:58 . 2008-02-27 23:46 <DIR> d-------- C:\Descargas
.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 16:06 --------- d-----w C:\Archivos de programa\eMule
2008-02-16 12:01 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
2008-02-16 11:51 --------- d-----w C:\Archivos de programa\Ares
2008-02-16 11:45 --------- d-----w C:\Archivos de programa\DivX
2008-01-18 18:38 --------- d-----w C:\Documents and Settings\Mary\Datos de programa\U3
2007-12-18 17:54 92,064 ----a-w C:\Documents and Settings\Mary\mqdmmdm.sys
2007-12-18 17:54 9,232 ----a-w C:\Documents and Settings\Mary\mqdmmdfl.sys
2007-12-18 17:54 79,328 ----a-w C:\Documents and Settings\Mary\mqdmserd.sys
2007-12-18 17:54 66,656 ----a-w C:\Documents and Settings\Mary\mqdmbus.sys
2007-12-18 17:54 6,208 ----a-w C:\Documents and Settings\Mary\mqdmcmnt.sys
2007-12-18 17:54 5,936 ----a-w C:\Documents and Settings\Mary\mqdmwhnt.sys
2007-12-18 17:54 4,048 ----a-w C:\Documents and Settings\Mary\mqdmcr.sys
2007-12-18 17:54 25,600 ----a-w C:\Documents and Settings\Mary\usbsermptxp.sys
2007-12-18 17:54 22,768 ----a-w C:\Documents and Settings\Mary\usbsermpt.sys
2006-12-22 21:13 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Archivos de programa\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe" [2006-02-01 15:45 98304]
"updateMgr"="C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53 307200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-02 03:21 5427200]
"nwiz"="nwiz.exe" [2004-12-02 03:21 1490944 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-12-02 03:21 86016]
"HP Component Manager"="C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18 241664]
"HP Software Update"="C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 14:40 155648]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 13:43 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 11:42 32881]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:42 15360]
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Installer\{e45ec07c-4c17-4ab5-9df2-0ebe9ad83f32}\AlrtKernel.dll - Deleted
C:\WINDOWS\Installer\{c13916bc-5c9a-41ef-9876-ee2cfc863e3c}\RamSrv.dll - Deleted
C:\Documents and Settings\Mary\Escritorio\Error Cleaner.url - Deleted
C:\Documents and Settings\Mary\Favoritos\Error Cleaner.url - Deleted
C:\Documents and Settings\Mary\Escritorio\Privacy Protector.url - Deleted
C:\Documents and Settings\Mary\Favoritos\Privacy Protector.url - Deleted
C:\Documents and Settings\Mary\Escritorio\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Mary\Favoritos\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\DOCUME~1\Mary\CONFIG~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\alofkmn.dll - Deleted
C:\WINDOWS\bxlrvps.dll - Deleted
C:\WINDOWS\dgtxrdflko.dll - Deleted
C:\WINDOWS\ekvgsnw.dll - Deleted
C:\WINDOWS\fkxvkns.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
Folder C:\WINDOWS\Installer\{e45ec07c-4c17-4ab5-9df2-0ebe9ad83f32} - Removed
Folder C:\WINDOWS\Installer\{c13916bc-5c9a-41ef-9876-ee2cfc863e3c} - Removed
Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\WINDOWS\privacy_danger - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 16:40:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd109925]
"0018c51c4332"=hex:2f,59,69,4d,35,cb,1f,ba,5b,44,7e,16,a3,8b,d8,35
"0018c51c4329"=hex:9c,f0,5f,ad,26,28,09,50,80,d2,cd,bb,a6,f6,5d,ce
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d18080]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd109925]
"0018c51c4332"=hex:2f,59,69,4d,35,cb,1f,ba,5b,44,7e,16,a3,8b,d8,35
"0018c51c4329"=hex:9c,f0,5f,ad,26,28,09,50,80,d2,cd,bb,a6,f6,5d,ce
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060d18080]
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 15
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\eMule\\emule.exe"="D:\\eMule\\emule.exe:*:Enabled:eMule"
"D:\\Medal Of Honor\\moh_spearhead.exe"="D:\\Medal Of Honor\\moh_spearhead.exe:*:Enabled:Medal of Honor Allied Assault(tm) Spearhead"
"D:\\isspro5\\PES5.exe"="D:\\isspro5\\PES5.exe:*:Enabled:pes5.exe"
"C:\\Archivos de programa\\Ares\\Ares.exe"="C:\\Archivos de programa\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msncall.exe"="C:\\Archivos de programa\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 22 Dec 2006 952 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 28 Jun 2006 67,584 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL0005.tmp"
Wed 4 Jul 2007 39,424 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL0525.tmp"
Wed 4 Jul 2007 54,272 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL0825.tmp"
Wed 28 Jun 2006 66,048 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL1084.tmp"
Mon 17 Dec 2007 26,112 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL1698.tmp"
Sun 3 Dec 2006 26,624 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL2355.tmp"
Mon 11 Dec 2006 99,840 ...H. --- "C:\Documents and Settings\Mary\Mis documentos\~WRL3117.tmp"
Wed 4 Jul 2007 31,232 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Plantillas\~WRL0868.tmp"
Sat 23 Sep 2006 27,648 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Plantillas\~WRL0979.tmp"
Sun 10 Dec 2006 28,672 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Plantillas\~WRL3160.tmp"
Sun 3 Dec 2006 28,672 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Plantillas\~WRL3643.tmp"
Mon 17 Dec 2007 26,624 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Plantillas\~WRL3696.tmp"
Mon 27 Nov 2006 82,944 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL0064.tmp"
Mon 17 Dec 2007 28,672 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL0548.tmp"
Mon 17 Dec 2007 25,088 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL1386.tmp"
Mon 17 Dec 2007 28,672 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL1592.tmp"
Mon 17 Dec 2007 24,576 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL2505.tmp"
Mon 17 Dec 2007 26,624 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL3265.tmp"
Mon 17 Dec 2007 24,064 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL3527.tmp"
Fri 9 Dec 2005 19,456 ...H. --- "C:\Documents and Settings\Mary\Datos de programa\Microsoft\Word\~WRL3604.tmp"
Mon 8 Oct 2007 1,032,192 ..SH. --- "C:\Documents and Settings\Mary\Mis documentos\Nueva carpeta\Mis im*genes\Nueva carpeta (2)\cosme 1\SIV3.tmp"
Finished!
First of all, thank you. I think the things that were happening before no longer occur, but I'm leaving the reports here in case anything is left.