Help: how to remove the RootkitW32/TDSS trojan

Closed
unmistake - 14 Mar 2010 at 21:35
D4pimp - 14 Mar 2010 at 22:35
Hello,
I have already carried out the actions you recommended on the forum at this link
https://es.ccm.net/faq/2996-como-eliminar-el-rootkit-w32-tdss

The last tool I used was ComboFix; its report is attached:

ComboFix 10-03-14.01
- jaime 14/03/2010 14:52:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.57.3082.18.1791.736 [GMT -5:00]
Running from: c:\users\jaime\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\nvstor32.sys? was found and disinfected
Restored copy from - c:\windows\System32\drivers\nvstor32.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-14 to 2010-03-14 )))))))))))))))))))))))))))))))
.

2010-03-14 20:02 . 2010-03-14 20:04 -------- d-----w- c:\users\jaime\AppData\Local\temp
2010-03-14 20:02 . 2010-03-14 20:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-14 16:56 . 2010-03-14 16:56 7168 ----a-w- c:\windows\system32\drivers\utm5mjc2.sys
2010-03-14 15:22 . 2010-03-14 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 23:21 . 2010-03-13 23:21 -------- d-----w- c:\users\jaime\AppData\Local\Threat Expert
2010-03-13 23:11 . 2010-03-13 23:29 -------- d-----w- c:\program files\Spyware Doctor
2010-03-13 17:50 . 2010-03-13 23:47 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-13 14:01 . 2010-03-14 12:07 -------- d-----w- c:\program files\trend micro
2010-03-13 14:01 . 2010-03-13 14:03 -------- d-----w- C:\rsit
2010-03-13 13:32 . 2010-03-13 13:56 110624 ----a-w- c:\windows\system32\drivers\kav_nvstor32.sys
2010-03-12 11:23 . 2010-03-13 12:48 -------- d-----w- c:\programdata\avg9
2010-03-12 11:15 . 2010-03-12 11:15 -------- d-----w- c:\program files\CCleaner
2010-03-12 01:51 . 2010-03-14 20:04 -------- d-----w- c:\programdata\Kaspersky Lab
2010-03-12 01:51 . 2010-03-12 01:51 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-12 01:49 . 2010-03-12 01:49 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-03-10 17:26 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 17:26 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 17:26 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-24 01:13 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 01:11 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 01:11 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 01:11 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 01:11 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 01:11 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 01:11 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 01:11 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 01:11 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 01:11 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 01:11 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 01:10 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 01:10 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 19:57 . 2006-11-02 15:46 667728 ----a-w- c:\windows\system32\perfh00A.dat
2010-03-14 19:57 . 2006-11-02 15:46 129514 ----a-w- c:\windows\system32\perfc00A.dat
2010-03-14 19:53 . 2007-08-09 23:12 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-03-14 19:48 . 2010-03-14 19:48 110624 ----a-w- c:\windows\system32\drivers\nvstor32.svs
2010-03-14 16:50 . 2010-01-29 15:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-14 16:45 . 2010-01-29 15:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-13 13:11 . 2010-03-13 13:11 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-13 13:11 . 2010-03-13 13:11 397328 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-03-13 13:11 . 2010-03-13 13:11 311312 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\6.0\klif.sys
2010-03-13 13:11 . 2010-03-13 13:11 19472 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-03-13 13:11 . 2010-03-13 13:11 109072 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-13 13:11 . 2010-03-13 13:11 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-13 13:11 . 2010-03-13 13:11 397328 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-03-13 13:11 . 2010-03-13 13:11 311312 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\6.0\klif.sys
2010-03-13 13:11 . 2010-03-13 13:11 17936 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-03-13 13:11 . 2010-03-13 13:11 109072 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-13 13:02 . 2010-03-13 13:02 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-13 13:02 . 2010-03-13 13:02 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-10 22:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-10 17:30 . 2008-01-21 16:52 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 14:16 . 2009-10-03 11:50 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 01:31 . 2008-01-20 20:04 100432 ----a-w- c:\users\jaime\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-05 15:12 . 2008-01-21 00:37 -------- d-----w- c:\users\jaime\AppData\Roaming\Skype
2010-02-05 15:09 . 2008-01-21 00:39 -------- d-----w- c:\users\jaime\AppData\Roaming\skypePM
2010-01-28 22:31 . 2010-01-28 22:25 -------- d-----w- c:\users\jaime\AppData\Roaming\CBS Interactive
2010-01-28 22:12 . 2010-01-28 22:12 -------- d-----w- c:\users\jaime\AppData\Roaming\Malwarebytes
2010-01-28 22:12 . 2010-01-28 22:12 -------- d-----w- c:\programdata\Malwarebytes
2010-01-25 23:09 . 2010-01-25 23:09 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-22 18:33 . 2008-03-05 13:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 14:21 . 2010-01-22 14:21 -------- d-----w- c:\users\jaime\AppData\Roaming\TeamViewer
2010-01-21 12:02 . 2008-02-29 19:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-06 15:38 . 2010-02-24 01:10 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 01:10 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 01:10 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 01:10 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-02 06:38 . 2010-01-22 11:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 11:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 11:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 11:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 07:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^jaime^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Recorte de pantalla e Inicio rápido de OneNote 2007.lnk]
path=c:\users\jaime\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recorte de pantalla e Inicio rápido de OneNote 2007.lnk
backup=c:\windows\pss\Recorte de pantalla e Inicio rápido de OneNote 2007.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCRCATS]
2006-11-21 17:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcrtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
2004-06-10 17:48 286720 ----a-w- c:\windows\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
2008-01-19 07:33 49664 ----a-w- c:\windows\Speech\Common\sapisvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):1b,4d,8e,71,d6,f5,c9,01

R3 utm5mjc2;AVZ Kernel Driver;c:\windows\system32\Drivers\utm5mjc2.sys [2010-03-14 7168]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-14 c:\windows\Tasks\User_Feed_Synchronization-{AD7AC28C-FB6D-441F-8879-24B2F7A89E1D}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.co/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://es.yahoo.com
uSearchURL,(Default) = hxxp://es.rd.yahoo.com/customize/ie/defaults/su/msgr9/*https://es.search.yahoo.com/
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki...
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
MSConfigStartUp-lxcrmon - (no file)
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 15:09
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3436)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-03-14 15:12:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-14 20:12

Pre-Run: 89.586.647.040 bytes libres
Post-Run: 89.571.041.280 bytes libres

- - End Of File - - E4E761E0B70E25D0FBA380FBC63DBD6E


Now, how do I remove it? I already tried with the Kaspersky removal tool; it detected it but could not disinfect or remove it. The anti-malware tool did not detect anything, and neither did Spybot.
It shows up as quarantined in the virus vault of my antivirus, which is Kaspersky Internet Security 2010. At first my machine would not let me connect to the internet through any browser; now it is working very well, as if nothing were wrong.

Would formatting work?

I ask because, according to the information on this rootkit, it sometimes installs itself in the kernel itself? Please help me, thanks to everyone.
All the detailed information produced by the GSI parser version 2.96 is at this link: http://www.getsysteminfo.com/read.php?file=5e5ab067f05739b2f5c5e0303ad538d3

1 answer

Just download the new Avast.
That antivirus is the best.
Set it to a deep scan.
It will take about 3-4 hrs, but
everything will be fine.
0