Foro de InfoSpyware - Foro de Hijackthis - Foro de Virus

Hace días tuve un virus que al parecer desparecio, tengo el Eset y cuando lo paso no me detecta nada, pero cuando paso el panda online me dice que tengo amenazas. Me da la sensacion de que el ordenata ya no me funciona igual, descarga mas lento y algun programa que necesita internet no me va a pesar de haberlo desistalado y vuelto a instalar.
os paso el reporter de panda

;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-11-02 08:33:32
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 2
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
ESET NOD32 Antivirus 3.0 3.0 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00954094 Rootkit/Bagle.UV Virus/Worm No 1 Yes No c:\windows\system32\srosa2.sys
02898935 W32/Bagle.RC.worm Virus/Worm No 0 Yes No c:\documents and settings\administrador\doctorweb\quarantine\wfsint wq.sys
04569440 W32/Bagle.KV.worm Virus No 1 Yes No c:\_qbagle\qmoveex\desktop\catbkups_23-42-39_30-10-2009.zip[flec003.exe]
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location
;================================================= ================================================== ================================================== ==============================
No c:\_qbagle\qmoveex\c\docume~1\admini~1\datosd~1\dr ivers\winupgro.exe.moveex
No c:\_qbagle\qmoveex\c\docume~1\admini~1\datosd~1\hi dires\file.exe.moveex
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description
;================================================= ================================================== ================================================== ==============================
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212490 HIGH MS09-038
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208379 HIGH MS09-014
208378 HIGH MS09-013
208377 HIGH MS09-012
206981 HIGH MS09-007
206980 HIGH MS09-006
205735 HIGH MS09-002
204670 HIGH MS09-001
203806 HIGH MS08-078
203508 HIGH MS08-073
203505 HIGH MS08-071
202465 HIGH MS08-068
201683 HIGH MS08-067
201258 HIGH MS08-066
201256 HIGH MS08-064
201255 HIGH MS08-063
201253 HIGH MS08-061
201250 HIGH MS08-058
209275 HIGH MS08-049
209273 HIGH MS08-045
196455 MEDIUM MS08-037
194862 HIGH MS08-032
194861 HIGH MS08-031
194860 HIGH MS08-030
191617 HIGH MS08-024
;================================================= ================================================== ================================================== ==============================

Buenas juankaya

Aun no podemos estar tranquilos.

A continuación te voy a dejar una serie de pasos a seguir. Por favor tomate tu tiempo para leer los manuales y ten paciencia.
Para tu mayor comodida imprimi esta hoja.
Nota: si tenes dificultad para realizar algún paso lo salteas y seguís con el siguiente.


Paso 1° - Descarga instala y/o actualiza :

Cclener - Manual.
Malwarebytes' Anti-Malware - Manual.
FS-FixBagle (al final del post)

Paso 2° - Reinicia en "Modo Seguro" (Si no puede iniciar en Modo Seguro, omite este paso).

Paso 3° -

Descomprima FS-FixBagle.zip en el Escritorio.
Abra la Carpeta FS-Fix
Ejecute FS-FixBagle.exe
Elija la opción "1", Iniciar la Busqueda del Malware Bagle.
Al termino del Analisis, FS-FixBagle, preguntara si desea reiniciar el ordenador, acepta, para que los cambios surtan efecto.
FS-FixBagle.exe, genera un reporte, el cual se encuentra generalmente en C:\BagleReport.txt.
*Nota* Si FS-FixBagle, encuentra el Driver/Rootkit, srosa.sys, sera necesario reiniciar el odenador, por lo que debe permitir que FS-FixBagle, reinicie el ordenador nuevamente en modo seguro.

Ejecuta Malwarebytes' Anti-Malware. Seleccionas su opción de hacer un "escaneo completo". Cuando termine presiona la opción "Quitar todo lo seleccionado".

Reinicia en modo normal

Paso 4° - Ejecuta Ccleaner como lo indica su manual.

Paso 5° - Repite el Analisis con panda Active Scan 2.0

En tu próxima respuesta subes los reportes de FIX BAGLE MALWAREBYTES y de el ESCAN ONLINE (fundamental leer manual para saber como pegarlos) y comentanos como funciona la pc.

Saludos.

os pego reportes:

--------------------------------------|FS-FixBge V 2.8

# Nombre del sistema operativo: # Microsoft Windows XP Professional
# Versi¢n del sistema operativo: # 5.1.2600 Service Pack 3 Compilaci¢n 2600
# usuario:# Administrador [Administrador]
# Boot:# Inicio Normal
# Inicio:# 9:20:50 Fecha:# 02/11/2009

# Antivirus: ESET NOD32 Antivirus 3.0# [Activo] # [Actualizado]

# Navegador preferido:# "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE"
# Browser:# Mozilla Firefox 2.0.0.11 (es-AR)
# Browser:# Internet explorer 7.0.5730.13

# A:\# Puerto USB
# C:\# Disco Local # [ NTFS | Total:111 | Libre:43 ]
# D:\# CD\DVD
# E:\# CD\DVD # [ CDFS | Total:0 | Libre:0 ]
# F:\# CD\DVD

# Ejecutado desde:# [FS-FixBge.exe]
# Opcion:# [ 1 | Desinfeccion ]

--------------------------------------|Bagle Procesos

# No se encontraron procesos maliciosos ... OK


--------------------------------------|Bagle Archivos

# No se encontraron archivos infectados ... OK


--------------------------------------|Bagle Carpetas

# No se encontraron Carpeas infectadas ... OK


--------------------------------------|Bagle Registro

# No se encontraron claves del registro infectadas ... Ok


--------------------------------------|Rogue Software

# No se encontro Rogue Software ... OK


--------------------------------------|Verificar

# No se encontraron elementos suplantados .. OK

--------------------------------------|Claves Run

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curr entVersion\Run"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run"
# Valor: [ SoundMan | SOUNDMAN.EXE ]
# Valor: [ ATIModeChange | Ati2mdxx.exe ]
# Valor: [ ATIPTA | C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe ]
# Valor: [ CHotkey | mHotkey.exe ]
# Valor: [ Malwarebytes Anti-Malware (reboot) | "C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript ]
# Valor: [ Babylon Client | C:\Archivos de programa\Babylon\Babylon-Pro\Babylon.exe -AutoStart ]
# Valor: [ egui | "C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice ]


--------------------------------------|Catchme Report

# catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
# Rootkit scan 2009-11-02 09:22:31
# Windows 5.1.2600 Service Pack 3 NTFS
# scanning hidden processes ...
# scanning hidden files ...
# scan completed successfully
# hidden processes: 0
# hidden files: 0


--------------------------------------|END : EOF : FIN

Malwarebytes' Anti-Malware 1.41
Versión de la Base de Datos: 3047
Windows 5.1.2600 Service Pack 3

02/11/2009 13:56:14
mbam-log-2009-11-02 (13-56-14).txt

Tipo de examen : Examen Completo (C:\|)
Objetos examinados: 132439
Tiempo transcurrido: 15 minute(s), 41 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
(No se han detectado elementos maliciosos)


;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-11-02 19:22:47
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
ESET NOD32 Antivirus 3.0 3.0 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00954094 Rootkit/Bagle.UV Virus/Worm No 1 Yes No c:\windows\system32\srosa2.sys
02898935 W32/Bagle.RC.worm Virus/Worm No 0 Yes No c:\documents and settings\administrador\doctorweb\quarantine\wfsint wq.sys
04569440 W32/Bagle.KV.worm Virus No 1 Yes No c:\_qbagle\qmoveex\desktop\catbkups_23-42-39_30-10-2009.zip[flec003.exe]
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description
;================================================= ================================================== ================================================== ==============================
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212490 HIGH MS09-038
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208379 HIGH MS09-014
208378 HIGH MS09-013
208377 HIGH MS09-012
206981 HIGH MS09-007
206980 HIGH MS09-006
205735 HIGH MS09-002
204670 HIGH MS09-001
203806 HIGH MS08-078
203508 HIGH MS08-073
203505 HIGH MS08-071
202465 HIGH MS08-068
201683 HIGH MS08-067
201258 HIGH MS08-066
201256 HIGH MS08-064
201255 HIGH MS08-063
201253 HIGH MS08-061
201250 HIGH MS08-058
209275 HIGH MS08-049
209273 HIGH MS08-045
196455 MEDIUM MS08-037
194862 HIGH MS08-032
194861 HIGH MS08-031
194860 HIGH MS08-030
191617 HIGH MS08-024
;================================================= ================================================== ================================================== ==============================

La verdad que el ordenador va como quiere, me da la sensacion que no descarga bien ni archivos y le cuesta abrir las paginas.

OK.

Descarga:

OTM by OldTimer (anteriormente OTMoveIt3) | InfoSpyware

• Asegurarse que esté marcado "Unregister Dll's and Ocx's".

• Copiar en el recuadro "Paste instruccions for items to be moved ". lo siguiente

• dar clic sobre el boton MoveIt!

• Espere hasta cuando el resultado aparezca en el marco Results. - Simultáneamente se abrirá un aviso preguntando si deseamos reiniciar el PC, pulse sobre Yes para reiniciar.si no sale ese aviso lo reinicias

• En su proximo mensaje envie reporte de OTM situado sobre C: \ _ OTM\MovedFiles\***_***.log (Donde sale "***_***" es la fecha y hora)

Nos paegas el reporte de OTM.

Saludos.

Ahí va el reporter:

All processes killed
========== FILES ==========
c:\windows\system32\srosa2.sys moved successfully.
File/Folder c:\documents and settings\administrador\doctorweb\quarantine\wfsint wq.sys not found.
c:\_qbagle\qmoveex\desktop\Catbkups_23-42-39_30-10-2009.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 461838 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46245422 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2352086 bytes
%systemroot%\System32 .tmp files removed: 245597 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 64970 bytes

Total Files Cleaned = 47,19 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11022009_230805

Files moved on Reboot...

Registry entries deleted on Reboot...

Repetimos PAnda online.


Nos pegas el reporte.

Ahí va el reporter, parece que cada vez hay mas virus.

;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-11-03 08:29:50
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 6
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
ESET NOD32 Antivirus 3.0 3.0 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\administrador\cookies\administrador@atdmt[2].txt
00954094 Rootkit/Bagle.UV Virus/Worm No 1 Yes No c:\_otm\movedfiles\11022009_230805\windows\system3 2\srosa2.sys
02898935 W32/Bagle.RC.worm Virus/Worm No 0 Yes No c:\documents and settings\administrador\doctorweb\quarantine\wfsint wq.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\archivos de programa\emule\incoming\babylon_english-english_6.0_[with_crack].zip[serial.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\documents and settings\administrador\escritorio\fs-fix\utils\box.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\documents and settings\administrador\escritorio\fs-fix\utils\bscript.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\documents and settings\administrador\mis documentos\programas\fs-fix\bscript.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\_qbagle\qmoveex\c\docume~1\admini~1\datosd~1\dr ivers\winupgro.exe.moveex
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\documents and settings\administrador\mis documentos\programas\fs-fix\utils\bscript.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\garmin\gstart.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{a97a54a0-bece-47b9-8dd7-faf22374e9ea}\rp14\a0001807.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\documents and settings\administrador\mis documentos\programas\fs-fix\utils\box.exe
04569440 W32/Bagle.KV.worm Virus No 1 Yes No c:\_otm\movedfiles\11022009_230805\_qbagle\qmoveex \desktop\catbkups_23-42-39_30-10-2009.zip[flec003.exe]
05559878 W32/Bagle.KV.worm Virus No 1 Yes No c:\archivos de programa\emule\incoming\babylon_english-english_6.0_[with_crack].zip[crack/patch.exe]
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location
;================================================= ================================================== ================================================== ==============================
No c:\archivos de programa\emule\incoming\dream aquarium screensaver v1.202+.rar[dream aquarium screensaver v1.202\dream aquarium screensaver v1.202\dreamaquariumxp.exe]
No c:\documents and settings\administrador\mis documentos\programas\dream aquarium screensaver v1.202+\dream aquarium screensaver v1.202\dream aquarium screensaver v1.202\dreamaquariumxp.exe
No c:\documents and settings\administrador\doctorweb\quarantine\filemo veex.exe
No c:\documents and settings\administrador\escritorio\fs-fix\utils\filemoveex.exe
No c:\documents and settings\administrador\escritorio\fs-fix\utils\sysinfo.adexe
No c:\documents and settings\administrador\mis documentos\programas\fs-fix\utils\sysinfo.adexe
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description
;================================================= ================================================== ================================================== ==============================
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212490 HIGH MS09-038
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208379 HIGH MS09-014
208378 HIGH MS09-013
208377 HIGH MS09-012
206981 HIGH MS09-007
206980 HIGH MS09-006
205735 HIGH MS09-002
204670 HIGH MS09-001
203806 HIGH MS08-078
203508 HIGH MS08-073
203505 HIGH MS08-071
202465 HIGH MS08-068
201683 HIGH MS08-067
201258 HIGH MS08-066
201256 HIGH MS08-064
201255 HIGH MS08-063
201253 HIGH MS08-061
201250 HIGH MS08-058
209275 HIGH MS08-049
209273 HIGH MS08-045
196455 MEDIUM MS08-037
194862 HIGH MS08-032
194861 HIGH MS08-031
194860 HIGH MS08-030
191617 HIGH MS08-024
;================================================= ================================================== ================================================== ==============================

Buenas.

Por favor, no realices descargas, hasta no terminar de desinfectar. Cerra el emule que estan entrando por ahi . Si no vamos a estar desinfectando todo los dias nuevas infecciones.

1-°Ejecuta OTM.

• Asegurarse que esté marcado "Unregister Dll's and Ocx's".

• Copiar en el recuadro "Paste instruccions for items to be moved ". lo siguiente

• dar clic sobre el boton MoveIt!

• Espere hasta cuando el resultado aparezca en el marco Results. - Simultáneamente se abrirá un aviso preguntando si deseamos reiniciar el PC, pulse sobre Yes para reiniciar.si no sale ese aviso lo reinicias

• En su proximo mensaje envie reporte de OTM situado sobre C: \ _ OTM\MovedFiles\***_***.log (Donde sale "***_***" es la fecha y hora)

Pega los resultados de OTM.

Saludos.

Hola, ahí va:

All processes killed
========== FILES ==========
File/Folder c:\documents and settings\administrador\doctorweb\quarantine\wfsint wq.sys not found.
c:\archivos de programa\emule\incoming\Babylon_English-English_6.0_[With_Crack].zip moved successfully.
c:\documents and settings\administrador\escritorio\fs-fix\utils\Box.exe moved successfully.
c:\documents and settings\administrador\escritorio\fs-fix\utils\BScript.exe moved successfully.
c:\documents and settings\administrador\mis documentos\programas\fs-fix\BScript.exe moved successfully.
File/Folder c:\_qbagle\qmoveex\c\docume~1\admini~1\datosd~1\dr ivers\winupgro.exe.moveex not found.
c:\documents and settings\administrador\mis documentos\programas\fs-fix\utils\BScript.exe moved successfully.
File/Folder c:\garmin\gstart.exe not found.
c:\documents and settings\administrador\mis documentos\programas\fs-fix\utils\Box.exe moved successfully.
File/Folder c:\archivos de programa\emule\incoming\babylon_english-english_6.0_[with_crack].zip not found.
c:\archivos de programa\emule\incoming\Dream Aquarium Screensaver v1.202+.rar moved successfully.
c:\documents and settings\administrador\mis documentos\programas\dream aquarium screensaver v1.202+\dream aquarium screensaver v1.202\dream aquarium screensaver v1.202\DreamAquariumXP.exe moved successfully.
File/Folder c:\documents and settings\administrador\doctorweb\quarantine\filemo veex.exe not found.
c:\documents and settings\administrador\escritorio\fs-fix\utils\FileMoveEx.exe moved successfully.
c:\documents and settings\administrador\escritorio\fs-fix\utils\SysInfo.Adexe moved successfully.
c:\documents and settings\administrador\mis documentos\programas\fs-fix\utils\SysInfo.Adexe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 210398 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 35471913 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 9169504 bytes

Total Files Cleaned = 42,81 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11032009_210133

Files moved on Reboot...

Registry entries deleted on Reboot...

Ok.



1° -Ejecuta OTM.exe

1. Asegurate de estar conectado a internet.
2. Presiona el botón CleanUp!
3. Confirma el inicio del proceso de limpieza pulsando en "Yes".
4. Aparecerá un listado de las herramientas usadas durante la desinfección.
5. OTMoveIt3 pedira que reinicie el sistema, confirmelo pulsando en "Yes".



2° - Descarga >>Kaspersky AVP-Tool


3° - Reinicia en "Modo Seguro" (Si no puede iniciar en Modo Seguro, omite este paso).

4°- Ejecuta AVP-Tool (Ver Manual Fundamental)
Al finalizar el analsis haz clic en report <-> save to file y guardas reporte. FUNDAMENTAL.

5° - Repeti Panda online.

Nos traes el reporte de AVP TOOL y PAnda Online

Saludos.