Full Version: I think this is a rootkit
Kaspersky Lab Forum > Forum for Spanish-speaking users > Virus
hector_orjuela
Hi, I'm new to this forum and my home problem is a possible rootkit that is not detected by the antivirus, but which Kaspersky can see every time it tries to change the registry. I have formatted the machine but that is not a solution, and the only thing I know is that at system startup, before KIS loads, it progressively modifies it. I am very worried because Proactive Defense shows the following information:

I run a system scan at maximum protection and it detects nothing, which is why I think it's a rootkit. I installed RkUnhooker and this is the report:

>SSDT State
>Shadow
>Processes
>Drivers
>Stealth
Unknown page with executable code
Address: 0x8A274F2C
Size: 212
Unknown page with executable code
Address: 0x8A26F601
Size: 2559
Unknown page with executable code
Address: 0x8A2695AD
Size: 2643
Unknown page with executable code
Address: 0x8A26C4D0
Size: 2864
Unknown page with executable code
Address: 0x8A2764C2
Size: 2878
Unknown page with executable code
Address: 0x8A268478
Size: 2952
Unknown page with executable code
Address: 0x8A2A53AA
Size: 3158
Unknown page with executable code
Address: 0x8A2681FC
Size: 3588
Unknown page with executable code
Address: 0x8A26E1A6
Size: 3674
Unknown page with executable code
Address: 0x89B710E6
Size: 3866
Unknown page with executable code
Address: 0x899FFD0A
Size: 758
Unknown page with executable code
Address: 0x8A2A4D02
Size: 766
>Files
Suspect File: C:\Documents and Settings\usuario\Configuración local\Datos de programa\Microsoft\Messenger\h.orjuela@gmail.com\SharingMetadata\Working\database_E8E4_43B9_E443_88B0\fsr00033.log Status: Hidden
Suspect File: C:\Documents and Settings\usuario\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\7hol1kta.default\Cache5579FFAd01 Status: Hidden
Suspect File: C:\Documents and Settings\usuario\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\7hol1kta.default\Cache\125712CAd01 Status: Hidden
Suspect File: C:\Documents and Settings\usuario\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\7hol1kta.default\Cache\2DFECC32d01 Status: Hidden
Suspect File: C:\Documents and Settings\usuario\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\7hol1kta.default\Cache\9B10DE77d01 Status: Hidden
Suspect File: C:\Documents and Settings\usuario\Configuración local\Datos de programa\Mozilla\Firefox\Profiles\7hol1kta.default\Cache\FA11A575d01 Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~aa3fd22d1.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~aa3fd2677.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~abc7cc686.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~abc7ccd4b.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~adceb4e53.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~adceb515e.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add47821c.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add47852a.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add47f147.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add47fbde.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add480bb1.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add480ee4.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add4861e5.htp Status: Hidden
Suspect File: C:\WINDOWS\Temp\cch~add4864e8.htp Status: Hidden
>Hooks
fastfat.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xB48F990C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x0006AA5A, Type: Inline - RelativeJump at address 0x80541A5A hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804E9F90 hook handler located in [klif.sys]
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x806647F4 hook handler located in [unknown_code_page]
ntkrnlpa.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump at address 0x804EE86E hook handler located in [klif.sys]
tcpip.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xB5C8F488 hook handler located in [unknown_code_page]
wanarp.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xB9641C08 hook handler located in [unknown_code_page]
[1196]spoolsv.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x010010EC hook handler located in [kernel32.dll]
[1196]spoolsv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010BC hook handler located in [kernel32.dll]
[1420]winlogon.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001234 hook handler located in [kernel32.dll]
[1420]winlogon.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010013DC hook handler located in [kernel32.dll]
[1420]winlogon.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x01001408 hook handler located in [kernel32.dll]
[1420]winlogon.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x01001384 hook handler located in [kernel32.dll]
[1420]winlogon.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001238 hook handler located in [kernel32.dll]
[1468]services.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001124 hook handler located in [kernel32.dll]
[1468]services.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010C0 hook handler located in [kernel32.dll]
[1468]services.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0100117C hook handler located in [kernel32.dll]
[1648]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[1648]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1648]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[1756]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[1756]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1756]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[1896]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00422150 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x004221BC hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification at address 0x004220D4 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x004220C8 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004221B8 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004221B4 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00422210 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00422118 hook handler located in [unknown_code_page]
[1896]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x00422198 hook handler located in [unknown_code_page]
[1896]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump at address 0x7E392A78 hook handler located in [user32.dll]
[1960]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[1960]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[1960]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[2016]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[2016]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[2016]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[2308]GrooveMonitor.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004040D0 hook handler located in [kernel32.dll]
[2308]GrooveMonitor.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004040B4 hook handler located in [kernel32.dll]
[2308]GrooveMonitor.exe-->shell32.dll+0x000088D0, Type: Inline - RelativeJump at address 0x7E6A88D0 hook handler located in [shell32.dll]
[2316]VTTimer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004090BC hook handler located in [kernel32.dll]
[2316]VTTimer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004090B8 hook handler located in [kernel32.dll]
[2348]PDVDServ.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00405028 hook handler located in [kernel32.dll]
[2348]PDVDServ.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00405048 hook handler located in [kernel32.dll]
[2368]usnsvc.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401128 hook handler located in [kernel32.dll]
[2368]usnsvc.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004011A0 hook handler located in [kernel32.dll]
[2388]WinSys2.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004211E4 hook handler located in [kernel32.dll]
[2388]WinSys2.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004211D0 hook handler located in [kernel32.dll]
[2396]RTHDCPL.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00720508 hook handler located in [kernel32.dll]
[2396]RTHDCPL.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0072059C hook handler located in [kernel32.dll]
[2396]RTHDCPL.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x007205A0 hook handler located in [kernel32.dll]
[2412]rundll32.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001028 hook handler located in [kernel32.dll]
[2412]rundll32.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001034 hook handler located in [kernel32.dll]
[2420]qttask.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040F038 hook handler located in [kernel32.dll]
[2420]qttask.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0040F02C hook handler located in [kernel32.dll]
[2432]jusched.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004170D8 hook handler located in [kernel32.dll]
[2432]jusched.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004170DC hook handler located in [kernel32.dll]
[2432]jusched.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x004170C8 hook handler located in [kernel32.dll]
[2472]winampa.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0040301C hook handler located in [kernel32.dll]
[2480]Communications_Helper.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00428168 hook handler located in [kernel32.dll]
[2480]Communications_Helper.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00428164 hook handler located in [kernel32.dll]
[2488]WebCam10.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00493220 hook handler located in [kernel32.dll]
[2488]WebCam10.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0049311C hook handler located in [kernel32.dll]
[2488]WebCam10.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00493248 hook handler located in [kernel32.dll]
[248]nvsvc32.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0041D21C hook handler located in [kernel32.dll]
[248]nvsvc32.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041D240 hook handler located in [kernel32.dll]
[248]nvsvc32.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0041D218 hook handler located in [kernel32.dll]
[2496]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00422150 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x004221BC hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification at address 0x004220D4 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x004220C8 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x004221B8 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004221B4 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00422210 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00422118 hook handler located in [unknown_code_page]
[2496]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x00422198 hook handler located in [unknown_code_page]
[2496]avp.exe-->user32.dll+0x00002A78, Type: Inline - RelativeJump at address 0x7E392A78 hook handler located in [user32.dll]
[2512]ctfmon.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401098 hook handler located in [kernel32.dll]
[2512]ctfmon.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401060 hook handler located in [kernel32.dll]
[2520]NMBgMonitor.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040D0B4 hook handler located in [kernel32.dll]
[2520]NMBgMonitor.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0040D10C hook handler located in [kernel32.dll]
[2520]NMBgMonitor.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0040D0AC hook handler located in [kernel32.dll]
[2532]WlanCU.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0044A2B4 hook handler located in [kernel32.dll]
[2532]WlanCU.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0044A288 hook handler located in [kernel32.dll]
[2896]msnmsgr.exe-->kernel32.dll-->CreateEventA, Type: IAT modification at address 0x0040143C hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->kernel32.dll-->FindResourceW, Type: IAT modification at address 0x0040159C hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401490 hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004014BC hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x004015FC hook handler located in [kernel32.dll]
[2896]msnmsgr.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0040141C hook handler located in [kernel32.dll]
[2896]msnmsgr.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0040146C hook handler located in [kernel32.dll]
[2896]msnmsgr.exe-->kernel32.dll-->LoadResource, Type: IAT modification at address 0x004015A0 hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->kernel32.dll-->LockResource, Type: IAT modification at address 0x004015A4 hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump at address 0x7C8449FD hook handler located in [msnmsgr.exe]
[2896]msnmsgr.exe-->kernel32.dll-->SizeofResource, Type: IAT modification at address 0x004015A8 hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->shell32.dll+0x00008698, Type: Inline - RelativeJump at address 0x7E6A8698 hook handler located in [shell32.dll]
[2896]msnmsgr.exe-->shell32.dll+0x00008EA0, Type: Inline - RelativeJump at address 0x7E6A8EA0 hook handler located in [shell32.dll]
[2896]msnmsgr.exe-->user32.dll-->CreateDialogParamW, Type: IAT modification at address 0x00401700 hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->user32.dll-->FlashWindow, Type: IAT modification at address 0x00401800 hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->user32.dll-->SetMenu, Type: IAT modification at address 0x004017CC hook handler located in [MessengerDiscovery.dll]
[2896]msnmsgr.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x00401848 hook handler located in [MessengerDiscovery.dll]
[3128]LVComSX.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00425158 hook handler located in [kernel32.dll]
[3128]LVComSX.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00425150 hook handler located in [kernel32.dll]
[3128]LVComSX.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x00425140 hook handler located in [kernel32.dll]
[312]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[312]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[312]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
[3652]firefox.exe-->shell32.dll+0x00008698, Type: Inline - RelativeJump at address 0x7E6A8698 hook handler located in [shell32.dll]
[3652]firefox.exe-->shell32.dll+0x0000E1CC, Type: Inline - RelativeJump at address 0x7E6AE1CC hook handler located in [shell32.dll]
[3652]firefox.exe-->shell32.dll+0x00032DE4, Type: Inline - RelativeJump at address 0x7E6D2DE4 hook handler located in [shell32.dll]
[3992]taskmgr.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001104 hook handler located in [kernel32.dll]
[3992]taskmgr.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010E4 hook handler located in [kernel32.dll]
[3992]taskmgr.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001188 hook handler located in [kernel32.dll]
[788]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[788]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010011D4 hook handler located in [kernel32.dll]
[788]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0100112C hook handler located in [kernel32.dll]
[788]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100117C hook handler located in [kernel32.dll]
[788]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001254 hook handler located in [kernel32.dll]
[788]explorer.exe-->shell32.dll+0x0000850C, Type: Inline - RelativeJump at address 0x7E6A850C hook handler located in [shell32.dll]
[788]explorer.exe-->shell32.dll+0x000085F8, Type: Inline - RelativeJump at address 0x7E6A85F8 hook handler located in [shell32.dll]
[788]explorer.exe-->shell32.dll+0x0000A6E8, Type: Inline - RelativeJump at address 0x7E6AA6E8 hook handler located in [shell32.dll]
[788]explorer.exe-->shell32.dll+0x0000EE30, Type: Inline - RelativeJump at address 0x7E6AEE30 hook handler located in [shell32.dll]
[788]explorer.exe-->shell32.dll+0x0001A404, Type: Inline - RelativeJump at address 0x7E6BA404 hook handler located in [shell32.dll]
[788]explorer.exe-->shell32.dll+0x00045644, Type: Inline - RelativeJump at address 0x7E6E5644 hook handler located in [shell32.dll]
[788]explorer.exe-->shell32.dll+0x00055B70, Type: Inline - RelativeJump at address 0x7E6F5B70 hook handler located in [shell32.dll]
[912]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001058 hook handler located in [kernel32.dll]
[912]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [kernel32.dll]
[912]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x0100105C hook handler located in [kernel32.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Please help me. If the process is long and complicated, I am willing to learn whatever is necessary. Thanks.

PS: the graphics glitch was because my video card failed, and I have already replaced it. I don't know whether it was also a victim of the rootkit.
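As an added illustration (not code from this thread, from Kaspersky or from RkUnhooker), here is a small Python triage script that parses lines in the >Hooks format of the report above and groups them by where the hook handler lives, so that entries pointing into an unknown code page can be read separately from hooks that stay inside the hooked module or inside the security product. That klif.sys is Kaspersky's own filter driver is an assumption I supply, not something the report states; the sample lines are a constructed subset of the posted report.

```python
import re
from collections import defaultdict

# One line of the ">Hooks" section: optional [pid], a "-->"-joined chain,
# the hook type, the patched address and the module holding the handler.
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<type>.+?) at address "
    r"(?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Assumption, not something the report states: klif.sys is the security
# product's own filter driver, so handlers inside it belong to the AV.
SECURITY_PRODUCT_MODULES = {"klif.sys"}


def parse_hook(line):
    """Return a dict describing a hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    parts = d["chain"].split("-->")
    # Owner of the hooked entry: "[pid]process.exe", a driver, or the kernel image.
    d["owner"] = f"[{d['pid']}]{parts[0]}" if d["pid"] else parts[0]
    last = parts[-1]
    if "+" in last:
        # "module+0xOFFSET": an inline patch somewhere inside that module.
        d["hooked_module"] = last.split("+")[0].lower()
    else:
        # "...-->module-->Function": an IAT/EAT entry of that module.
        d["hooked_module"] = (parts[-2] if len(parts) > 1 else parts[0]).lower()
    d["target"] = last
    return d


def classify(hook):
    """Bucket a hook by where its handler lives."""
    handler = hook["handler"].lower()
    if handler == "unknown_code_page":
        return "unknown_code_page"   # handler not inside any loaded module: look here first
    if handler in SECURITY_PRODUCT_MODULES:
        return "security_product"    # expected from a resident AV
    if handler == hook["hooked_module"]:
        return "self_referential"    # handler inside the hooked module itself (common, usually benign)
    return "third_party"             # some other loaded module: identify it


def triage(report_text):
    """Count hooks per class and list unknown-page handlers per owner."""
    counts = defaultdict(int)
    unknown_by_owner = defaultdict(list)
    for line in report_text.splitlines():
        h = parse_hook(line)
        if h is None:
            continue
        cls = classify(h)
        counts[cls] += 1
        if cls == "unknown_code_page":
            unknown_by_owner[h["owner"]].append(h["target"])
    return dict(counts), {k: sorted(v) for k, v in unknown_by_owner.items()}


# Constructed sample in the exact shape of the posted report (a subset of its lines).
SAMPLE = """\
>Hooks
fastfat.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xB48F990C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x0006AA5A, Type: Inline - RelativeJump at address 0x80541A5A hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804E9F90 hook handler located in [klif.sys]
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x806647F4 hook handler located in [unknown_code_page]
[1196]spoolsv.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x010010EC hook handler located in [kernel32.dll]
[1896]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00422150 hook handler located in [unknown_code_page]
[2896]msnmsgr.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004014BC hook handler located in [MessengerDiscovery.dll]
[788]explorer.exe-->shell32.dll+0x0000850C, Type: Inline - RelativeJump at address 0x7E6A850C hook handler located in [shell32.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    counts, unknown = triage(SAMPLE)
    print(counts)
    for owner, targets in unknown.items():
        print(f"{owner}: {', '.join(targets)}")
```

Running it over the full report shows which owners the unknown-page handlers cluster around, which is the first thing to compare against the installed security product before treating the summary line as confirmed rootkit activity.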
nachete75
I assume you've already done a scan in Safe Mode with KIS at maximum settings and scanning for rootkits. If that gave no result you can do it with an updated rescue CD or with the rescue disk you can download from here:

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

If after that there are no results, we'd have to try other tools, but first try one of those two options. The rescue disk you only need to burn and tell the BIOS to boot from the CD drive; the rescue CD you would have to create yourself, so you decide which one to choose, heh heh.

Out of curiosity, have you installed any IE toolbar or add-on lately?

Regards
RadarpSP
QUOTE(hector_orjuela @ 11.10.2008 21:45) *
Hi, I'm new to this forum and my home problem is a possible rootkit that is not detected by the antivirus, but which Kaspersky can see every time it tries to change the registry. I have formatted the machine but that is not a solution, and the only thing I know is that at system startup, before KIS loads, it progressively modifies it. I am very worried because Proactive Defense shows the following information:

Welcome to the forum.
First, as the messages at the top indicate, you should give us more information.
It looks like you use XP and that the Kaspersky version is 7.
Give us more details about your configuration.
In any case, I recall that I had a similar warning in some versions of 7. In my case it was not a virus, but something related to an Internet Explorer toolbar. You can block that application or allow it.
Separately, you should update your Kaspersky to the latest version, 8.0.0.454. The anti-rootkit option has improved a lot.
You can't trust the specific anti-rootkit programs much, since they tend to give many false positives.
In your case I think it detects that Kaspersky is monitoring the system files and the program goes crazy.
hector_orjuela
Folks, I think now I AM IN SERIOUS TROUBLE. Following nachete75's suggestion I booted from the rescue disk, and looking to give it a full scan I selected all the drives. After more than 30 hours it hadn't finished and, worse still, it found nothing. I stopped the scan because it didn't get past 90% after waiting all the time I mention, and when I went to start Windows normally I was met with the screen offering the options to start Windows in Safe Mode because the system cannot boot (which it could do before applying the aforementioned rescue disk). If I choose Safe Mode, it reboots; if I choose start Windows normally, a BSOD appears for a few seconds and the system reboots, back to the screen offering the Safe Mode options. Between this and the other option I was given, buying a more recent version of the antivirus, I didn't consider the latter since I can't pay for it. The version I use is 7.0.0.125. If anyone knows how to get the system to boot, even in DOS mode, to recover the information on the hard drive without losing it, then once I format and reinstall the operating system, as soon as the rootkit reappears, I could take this matter up again. If you can help me now with this emergency, I'd be very grateful.

PS: any extra information that is needed for you to get an idea of my problem, I'll be willing to provide.
RadarpSP
Go into Safe Mode and restore the system.
hector_orjuela
That's exactly it, I can't get into Safe Mode; it reboots before getting into Windows.
arquezvall2004
QUOTE(hector_orjuela @ 14.10.2008 11:06) *
That's exactly it, I can't get into Safe Mode; it reboots before getting into Windows.


Download this tool:

Download RootkitRevealer (231 KB)

Information about this tool:

http://www.microsoft.com/latam/technet/sys...itRevealer.mspx

Before running it, it would be advisable... to close every running program... even the antivirus and browsers...

After the scan finishes, upload the report to the forum... to see the results...!!!

Regards...
nachete75
With any Linux live CD you'll be able to access the contents of your hard drive, so don't worry about that. But if your problem is that Windows won't start normally, nor in Safe Mode, nor with any of the other options, I think you're going to have to use the Windows XP installation CD and select Repair:

http://www.forospyware.com/t69963.html
http://es.kioskea.net/faq/sujet-225-reparar-windows-xp
http://www.batiburrillo.net/adivina/adivina_sop61.php

A question out of curiosity: did that happen to you with the rescue disk from the link I gave you (which is a beta version) or with a rescue CD you created yourself?

Regards
Edgar Dulanto
To rescue your files I recommend the Knoppix Linux live CD, version 5.1.1; I've used it, it never fails, it supports writing to NTFS (which Windows XP, 2003 and Vista use); earlier Knoppix versions can only read NTFS partitions but cannot write to them. Download the CD version 5.1.1 from its website http://www.knoppix-es.org/ , from its Downloads link, from an HTTP server, and burn the ISO image you downloaded to a CD; they explain it here http://es.kioskea.net/faq/sujet-106-grabar...e-disco-iso-nrg ; insert the CD, restart your PC and Knoppix will load, and from there look on the desktop for the Hda1 icon, that is your Windows hard drive, and copy your files to USB sticks; further explanations here, http://es.kioskea.net/faq/sujet-107-knoppi...o-cd-de-rescate . And if your PC doesn't boot from the CD, here it tells you how to configure your BIOS to boot from CD, http://es.kioskea.net/faq/sujet-1229-arran...cia-de-arranque
davile
I doubt it's a rootkit; it looks very much like a virus that affects the hard drive's boot sector!!

Run a Rescue Disk on it!!

Regards
RadarpSP
QUOTE(hector_orjuela @ 14.10.2008 19:06) *
That's exactly it, I can't get into Safe Mode; it reboots before getting into Windows.

Insert the XP SP2 disc, go to Start > Run and type sfc /scannow
You can also restore from the command console:
http://support.microsoft.com/kb/307545/es
although it's complicated
hector_orjuela
Well, I've managed to find the malware. While Knoppix let me recover the data from the drive where I had Windows installed, the bittersweet part of this whole affair is that I managed to find it with a kit of programs, Uniblue SpyEraser, RegistryBooster and SpeedUp my PC. Given the interest you showed in the matter, I thank you this way, though perhaps you have known these programs for a while

http://www.liutilities.com/products/campaigns/powersuite/rb/

you'll see from the reviews they get what their functionality is.
Invision Power Board © 2001-2009 Invision Power Services, Inc.