View Full Version: Win32/PSW.QQRob


baquero21
06/08/07, 08:26:28
Hello everyone. Last week, on a machine running Windows Vista, I found the following threat record in NOD32:

Time: 7/23/2007 3:30:20 AM
Module: AMON
Object: File
Name: F:\Autorun.inf
Threat: Win32/PSW.QQRob (Trojan)
Default action: renamed to K?\Device\HarddiskVolume3\Autorun.Vinf
User: NT AUTHORITY\SYSTEM
General system information: Event occurred during an attempt to access the file by the application C:\Windows\system32\svchost.exe.

I don't normally use that machine, so I don't know what could have happened at that moment; I suppose something related to a flash drive, but I don't know exactly.

So far I have rebooted into safe mode and run Spybot, NOD32 and CCleaner. I also ran the Panda online scan. None of these programs found anything related to this. I read some similar cases on the forum, but I really don't know how to proceed, because I'm not sure whether any file on the computer was infected or not.

Thanks, regards.

PS: how can I unlock folders in Windows XP Home or Windows Vista?
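
As an added example (not part of the original post, and not ESET's or Windows' code): the detection above is of an Autorun.inf at the root of drive F:, the file Windows AutoRun reads when a removable drive is inserted or double-clicked. The Python script below, working on a constructed autorun.inf sample (the file names in it are made up), shows which programs such a file would make Windows launch, why NOD32's rename to Autorun.Vinf is enough to neutralise it (AutoRun only reads a root file named exactly autorun.inf), and how to read the NoDriveTypeAutoRun registry mask that switches AutoRun off for removable drives.

```python
"""Triage an autorun.inf taken from the root of a removable drive.

Added example for this thread; it is not code from the original post and
not from ESET/NOD32 or Windows. Windows AutoRun reads autorun.inf as a plain
INI file: the [autorun] section's open=, shellexecute= and
shell\\<verb>\\command= keys name the program that would be launched when the
drive is inserted or double-clicked in Explorer.
"""
from __future__ import annotations

import re

# Constructed sample (file names are made up, not taken from the thread).
# It mixes real AutoRun directives with a junk line, because hostile files
# often contain lines meant to trip up naive INI parsers.
SAMPLE_AUTORUN_INF = """\
; constructed sample for triage
[autorun]
open=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=photos\\summer.jpg.exe
shell\\open=Open
shell\\open\\Command=photos\\summer.jpg.exe
shell\\explore\\command=photos\\summer.jpg.exe
useautoplay=1
label=Photos
this line has no key and AutoRun ignores it
"""

# Keys whose value is a program AutoRun will execute.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# A benign-looking extension followed by an executable one, e.g. name.jpg.exe
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp|doc|txt|pdf)\.(exe|scr|com|bat|cmd|pif)$")


def parse_ini(text: str) -> dict[str, list[tuple[str, str]]]:
    """Tolerant INI parse: {section: [(key, value), ...]}, keeping order and
    duplicate keys, skipping comments and lines without an '='."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(text: str) -> list[tuple[str, str]]:
    """Every (directive, program) pair AutoRun would execute for this file."""
    return [(k, v) for k, v in parse_ini(text).get("autorun", []) if LAUNCH_KEY.match(k)]


def triage(text: str) -> dict:
    """Summarise what the file would launch and which warning signs it shows."""
    targets = launch_targets(text)
    programs = sorted({v for _, v in targets})
    flags: list[str] = []
    if targets:
        flags.append("launches_executable")
    if any(DOUBLE_EXT.search(p.rsplit("\\", 1)[-1].lower()) for p in programs):
        flags.append("double_extension")
    return {"targets": targets, "programs": programs, "flags": flags}


def windows_honors_name(filename: str) -> bool:
    """AutoRun only reads a root file named exactly autorun.inf (case-insensitive).
    That is why NOD32 renaming it to Autorun.Vinf neutralises it while keeping
    the file as evidence."""
    return filename.lower() == "autorun.inf"


def removable_autorun_disabled(no_drive_type_autorun: int) -> bool:
    """Interpret the NoDriveTypeAutoRun bitmask from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer.
    Bit 0x04 is DRIVE_REMOVABLE; 0xFF disables AutoRun for every drive type.
    The XP/Vista default 0x91 leaves removable drives enabled."""
    return bool(no_drive_type_autorun & 0x04)


if __name__ == "__main__":
    report = triage(SAMPLE_AUTORUN_INF)
    for directive, program in report["targets"]:
        print(f"{directive:<22} -> {program}")
    print("flags:", ", ".join(report["flags"]) or "none")
    print("Autorun.Vinf still honoured by Windows:", windows_honors_name("Autorun.Vinf"))
    print("default 0x91 blocks removable AutoRun:", removable_autorun_disabled(0x91))
```

Run it as a script to see the report for the constructed sample; on the affected machine, feed it the renamed Autorun.Vinf (or the autorun.inf from the flash drive) with `triage(open(path).read())`. The programs it lists are the files to submit to a scanner, and they can live anywhere on the drive, not only next to the .inf. One caveat: on Windows XP and Vista of that period, setting NoDriveTypeAutoRun to 0xFF was not fully honoured by Explorer (a cached autorun.inf could still be acted on when the drive was double-clicked) until Microsoft's later update KB967715, so the mask check is a necessary control, not a sufficient one.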

jdrp2089
06/08/07, 08:28:37
Hi! How are you?

Use CCleaner to clean cookies and temporary files (read the Manual (http://www.forospyware.com/t39511.html)).


Run an online scan with:

* Ewido (http://www.ewido.net/en/onlinescan/) with the Remove Infections option enabled (read the Manual (http://www.forospyware.com/t42048.html)) <-- Delete everything it finds.

* Kaspersky (http://www.kaspersky.com/kos/spanish/kavwebscan.html) (read the Manual (http://www.forospyware.com/t55793.html))

Paste the reports they generate.

Good luck!

baquero21
06/08/07, 19:10:48
Here is the first one:

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Yieldmanager
Path: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ad.yieldmanager[2].txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ssl-hints.netflame[2].txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\owner@ssl-hints.netflame[2].txt
Risk: Medium



Here is the second one:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 06, 2007 7:52:33 PM
Operating System: Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 376207
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 67427
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:52:50

Infected Object Name / Virus Name / Last Action
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{5279374D-87FE-4879-9385-F17278EBB9D3}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{620BBA5E-F848-4D56-8BDA-584E44584C5E}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\setup.ilg Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007080620070807\index.dat Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat{e53a0cdb-f5e5-11db-b28d-0016d4f6bc48}.TM.blf Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat{e53a0cdb-f5e5-11db-b28d-0016d4f6bc48}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat{e53a0cdb-f5e5-11db-b28d-0016d4f6bc48}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Owner\NTUSER.DAT Object is locked skipped
C:\Users\Owner\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Owner\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Owner\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Owner\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Owner\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Installer\MSI1D0.tmp Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.

That's all.

Kirigi
06/08/07, 19:15:57
Hello baquero21, and with jdrp2089's permission: the log is clean and no infection was detected. Now my question is, have you already solved the problem you had?

Regards

baquero21
06/08/07, 19:26:19
Yes, everything is solved!

Thanks.

jdrp2089
06/08/07, 19:36:39
***solved***

© Copyright 2005 - 2008 InfoSpyware ® All rights reserved.