gcornejo
18/07/08, 02:29:42
Dear all,
I am asking for your help. I have a virus on my machine: next to the clock I get the message VIRUS ALERT! Below is the log generated by HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:22: VIRUS ALERT!, on 18/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
**Edited**
Do not post HJT logs outside their official forum (http://www.forospyware.com/foro-oficial-de-hijackthis-en-espanol/). Use the newest version (http://www.forospyware.com/292279-post1.html).
Read the policies:
http://www.forospyware.com/4-post1.html
http://www.forospyware.com/3-post1.html
Reading the forum policies is the easiest and fastest way to get help. (http://www.forospyware.com/foro-oficial-de-hijackthis-en-espanol/aviso-2.html)
Thanks in advance for your help.
Gustavo.
anleg_30
18/07/08, 23:42:44
Hello gcornejo,
First and foremost, posting HijackThis reports outside their corresponding forum is prohibited: Official HijackThis forum in Spanish (http://www.forospyware.com/foro-oficial-de-hijackthis-en-espanol/); those are the rules.
If you have an infection problem with Virus alert, please carry out these steps:
Removing the PSGuard, AntiVirGear, VirusProtectPro, AntiVermins, SpyLocked family (http://www.forospyware.com/t4239.html)
Good luck, and let us know if you solved it.
gcornejo
20/07/08, 19:19:16
Dear Anleg_30,
Following the instructions in the link Removing the PSGuard, AntiVirGear, VirusProtectPro, AntiVermins, SpyLocked family (http://www.forospyware.com/t4239.html), I turned off "System Restore", rebooted into "Safe Mode" and ran HijackThis, but I did not find any of the entries listed in the link. I then ran DelPSGuard, then the antispyware and finally Malwarebytes; the last one was the one that detected the virus and removed it. However, I noticed that it had not been removed in two other Windows user sessions, so I had to run it again in those other sessions. Here is the log:
Malwarebytes' Anti-Malware 1.21
Versión de la Base de Datos: 967
Windows 5.1.2600 Service Pack 3
2:04:35 20/07/2008
mbam-log-7-20-2008 (02-04-35).txt
Tipo de examen : Examen Completo (C:\|)
Objetos examinados: 196839
Tiempo transcurrido: 2 hour(s), 32 minute(s), 41 second(s)
Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 4
Valores del Registro Infectados: 3
Elementos de Datos del Registro Infectados: 5
Carpetas Infectadas: 23
Ficheros Infectados: 30
Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)
Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)
Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Valores del Registro Infectados:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-640-9483191-23056) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (H:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Carpetas Infectadas:
C:\Archivos de programa\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
Ficheros Infectados:
C:\WINDOWS\emxf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\rhcv6lj0e15l.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Archivos de programa\rhcv6lj0e15l\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Configuración local\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Escritorio\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Escritorio\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Escritorio\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Favoritos\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Favoritos\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\mbdrouet\Favoritos\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
Then I rebooted the computer in normal mode, ran CCleaner and finally scanned the machine with Ewido Online.
I hope that with this everything has been removed.
Thanks, and regards,
Gustavo.
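As an added illustration (not part of this thread and not code from Malwarebytes), the following Python script parses the "Bad: (...) Good: (...)" registry lines and the per-profile paths of a log in the format posted above, and makes explicit two things the log records: where the "VIRUS ALERT!" text next to the clock came from (the per-user sTimeFormat value), and why the scan had to be repeated in the other Windows sessions (HKEY_CURRENT_USER values and folders under each profile are only cleaned for the account that ran the scan). The sample log lines are constructed after the posted ones, with the product ID replaced by a placeholder; the NoDrives decoding follows the documented Explorer bitmask (bit 0 = A:, bit 1 = B:, and so on).

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the Malwarebytes' Anti-Malware 1.21 log
# posted above. Only a few representative lines are reproduced; the product ID is
# a placeholder rather than the real value from the thread.
SAMPLE_LOG = r"""
Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (PRODUCT-ID-PLACEHOLDER) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (H:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
Carpetas Infectadas:
C:\Documents and Settings\mbdrouet\Datos de programa\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gcornejo\Datos de programa\rhcv6lj0e15l (Rogue.Multiple) -> Quarantined and deleted successfully.
Ficheros Infectados:
C:\WINDOWS\emxf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One "Bad: (...) Good: (...)" registry data line.
DATA_ITEM = re.compile(
    r"^(?P<key>[^()]+?) \((?P<family>[^)]+)\) -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) ->"
)
# A detection whose path lies inside a user profile folder on Windows XP.
PROFILE_PATH = re.compile(r"^[A-Za-z]:\\Documents and Settings\\(?P<user>[^\\]+)\\", re.IGNORECASE)


def parse_registry_data_items(log_text):
    """Extract every registry value the scanner reset, with the hive it lives in."""
    items = []
    for line in log_text.splitlines():
        m = DATA_ITEM.match(line.strip())
        if m is None:
            continue
        key = m.group("key")
        items.append({
            "hive": key.split("\\", 1)[0],
            "value": key.rsplit("\\", 1)[-1],
            "family": m.group("family"),
            "bad": m.group("bad"),
            "good": m.group("good"),
        })
    return items


def detections_per_profile(log_text):
    """Count detections under each user's profile folder (files and folders alike)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = PROFILE_PATH.match(line.strip())
        if m and " -> " in line:
            counts[m.group("user")] += 1
    return dict(counts)


def decode_nodrives(mask):
    """Expand Explorer's NoDrives bitmask (bit 0 = A:, bit 1 = B:, ...) into hidden drive letters."""
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def summarize(log_text):
    """Explain the visible symptom and decide whether other Windows accounts must be scanned too."""
    items = parse_registry_data_items(log_text)
    per_user = [i for i in items if i["hive"] == "HKEY_CURRENT_USER"]
    profiles = detections_per_profile(log_text)
    clock = next((i["bad"] for i in items if i["value"] == "sTimeFormat"), None)
    hidden = []
    for i in items:
        if i["value"] == "NoDrives" and i["bad"].isdigit():
            hidden = decode_nodrives(int(i["bad"]))
    return {
        "clock_format_set_by_rogue": clock,
        "drives_hidden": hidden,
        "per_user_values_reset": [i["value"] for i in per_user],
        "profiles_touched": sorted(profiles),
        # HKCU values are only cleaned for the account that ran the scan, and the rogue
        # left its folder under more than one profile, so every account must be scanned.
        "scan_every_account": bool(per_user) or len(profiles) > 1,
    }


if __name__ == "__main__":
    for name, detail in summarize(SAMPLE_LOG).items():
        print(f"{name}: {detail}")
```

Run against a full saved log instead of the constructed sample by reading the file into `summarize`; a non-empty `per_user_values_reset` list or more than one entry in `profiles_touched` is the signal that logging into each remaining account and scanning again is needed, which is exactly what happened in this thread.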
anleg_30
20/07/08, 20:01:03
Hello gcornejo,
MalwareBytes has already done its job; tell me whether you have definitively resolved it and whether the topic can be marked as solved.
gcornejo
21/07/08, 09:31:56
That's right, the job is resolved and the topic can be closed. Thanks for the help.
Gustavo.
LeandroMed
21/07/08, 16:49:53
Very good gcornejo, I am marking your topic as Solved.
If you need to continue it, give the reasons for reopening via this button: http://www.forospyware.com/images/buttons/report.gif at the top right of your post...
Regards.