nestor
2009-02-24 20:32 - Replies: 3 - Topic no.: 2576842
Specs: Windows 2003, HP ProLiant ML350, Win 2003 server....
Hello...
This is the Symantec antivirus report:
All rows share the same values for the remaining columns: Threat Type = File, Computer = SERVER, Status = Infected, Primary Action = Quarantine infected file, Secondary Action = Clean virus from file, Scan Type = Auto-Protect scan.

Date | Filename | Threat | Action Taken | User | Original Location | Current Location | Action Description
24/02/2009 02:28:44 p.m. | zfyspqu.u | W32.Downadup.B | Quarantined | Administrator | C:\WINDOWS\System32\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:25:33 p.m. | zfyspqu.u | W32.Downadup.B | Quarantined | COORFACTURACION | C:\WINDOWS\System32\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:25:33 p.m. | zfyspqu.u | W32.Downadup.B | Left alone | COORFACTURACION | C:\WINDOWS\system32\ | C:\WINDOWS\system32\ | The file was left unchanged.
24/02/2009 02:23:52 p.m. | zfyspqu.u | W32.Downadup.B | Quarantined | CONTESORERIA | C:\WINDOWS\System32\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:23:52 p.m. | zfyspqu.u | W32.Downadup.B | Left alone | CONTESORERIA | C:\WINDOWS\system32\ | C:\WINDOWS\system32\ | The file was left unchanged.
24/02/2009 02:19:07 p.m. | ulziaii[1].jpg | W32.Downadup | Left alone | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPE3AZID\ | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPE3AZID\ | The file was left unchanged.
24/02/2009 02:18:35 p.m. | ltiwj[1].jpg | W32.Downadup | Left alone | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GZC7ELSB\ | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GZC7ELSB\ | The file was left unchanged.
24/02/2009 02:14:59 p.m. | ebohhknl[1].jpg | Downloader | Left alone | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9ATIJ29\ | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9ATIJ29\ | The file was left unchanged.
24/02/2009 02:14:22 p.m. | rlghgu[1].jpg | W32.Downadup | Quarantined | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I189MH61\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:12:33 p.m. | zfyspqu.u | W32.Downadup.B | Quarantined | PROMOCION | C:\WINDOWS\System32\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:12:05 p.m. | mbcw[1].jpg | W32.Downadup | Quarantined | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPE3AZID\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:12:02 p.m. | zfyspqu.u | W32.Downadup.B | Quarantined | COMPROBADOR | C:\WINDOWS\System32\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:12:02 p.m. | zfyspqu.u | W32.Downadup.B | Left alone | COMPROBADOR | C:\WINDOWS\system32\ | C:\WINDOWS\system32\ | The file was left unchanged.
24/02/2009 02:11:19 p.m. | tgbf[1].jpg | W32.Downadup.B | Quarantined | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GZC7ELSB\ | Quarantine | The file was quarantined successfully.
24/02/2009 02:11:18 p.m. | tgbf[1].jpg | W32.Downadup.B | Left alone | SYSTEM | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GZC7ELSB\ | C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GZC7ELSB\ | The file was left unchanged.
Could you please give me a hand removing it from the server?
necromantika
Re: How do I remove this virus? - 2009-02-24 20:37 - Reply 2
Do the following:
Disable System Restore by right-clicking My Computer / Properties and ticking the box on the System Restore tab.
Boot into fail-safe mode or Safe Mode with Networking (F8 at startup).
Delete temporary files: Start / Run, type %temp% and delete the contents of the folder that opens.
Run an up-to-date antivirus, plus updated Spybot Search & Destroy, Ad-Aware and AVG Anti-Spyware.
Clean the registry with Regseek, RegCleaner or similar.
Also run scandisk and defragment the hard drive.
If the problem persists, run HijackThis v2.0.2 in "normal" mode, click "do a system scan and save logfile", and copy and paste the result here so it can be reviewed.
Cheers
nestor
Re: How do I remove this virus? - 2009-02-25 16:31 - Reply 3
It keeps showing up.... here is the log....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:13, on 25/02/2009
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.12:4480
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Documents and Settings\Administrator\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://latam.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sanjuan.local
O17 - HKLM\Software\..\Telephony: DomainName = sanjuan.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DC7BC80-BA77-43B2-A446-C24E5D1FE9CD}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sanjuan.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sanjuan.local
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
End of file - 8325 bytes
nestor
Re: How do I remove this virus? - 2009-02-25 16:43 - Reply 4
I think it is important to mention: when I open Task Manager on the Processes tab, the following files show up many times, and it keeps creating more and more of them until RAM is maxed out....
They are: rundll32.exe and svchost.exe
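An added example, not part of the original thread, covering the HijackThis log in Reply 3 and the Task Manager observation in Reply 4. The process lines and entry lines in SAMPLE_LOG are copied from the posted log (an excerpt; the posted log lists C:\WINDOWS\System32\rundll32.exe 100 times, and the code expands that line 100 times rather than pasting it). It answers two things a reader has to count by hand otherwise: which image names are running in numbers no server should host, and which lines reference a \WINDOWS\ tree nested inside a user profile rather than the real %SystemRoot%. The thresholds and the nested-profile heuristic are this editor's choices, and each hit is a lead to verify on the box, not a verdict.

```python
"""Triage of a HijackThis v2.0.2 log: process floods and misplaced system paths.

Added example, not part of the original thread.  Lines in SAMPLE_LOG are an
excerpt of the log posted above; rundll32.exe is expanded in code to the 100
occurrences the posted log contains.
"""
import re
from collections import Counter

PROCESS_LINES = [
    r"C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Program Files\Symantec AntiVirus\DefWatch.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\Explorer.EXE",
] + [r"C:\WINDOWS\System32\rundll32.exe"] * 100 + [
    r"C:\Program Files\Borland\InterBase\bin\ibguard.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
]

SAMPLE_LOG = "\n".join(
    ["Logfile of Trend Micro HijackThis v2.0.2",
     "Platform: Windows 2003 (WinNT 5.02.3790)",
     "Boot mode: Normal",
     "Running processes:"]
    + PROCESS_LINES + [
        r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.12:4480",
        r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe",
        r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Documents and Settings\Administrator\WINDOWS\system32\NeroCheck.exe",
        r"O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing",
        r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
        "End of file - 8325 bytes",
    ])

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its process list and its (code, body) entries."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("End of file"):
            break
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False                      # first R/F/O entry ends the process list
            entries.append((m.group("code"), m.group("body")))
        elif in_procs and line:
            procs.append(line)
    return procs, entries


def process_counts(procs):
    """Occurrences per image name, case-folded (System32 vs system32 is the same binary)."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)


def flooded_images(procs, threshold=20):
    """Images running far more often than a server normally hosts. svchost.exe
    legitimately runs a handful of times; rundll32.exe should not run in bulk."""
    return [(n, c) for n, c in process_counts(procs).most_common() if c >= threshold]


NESTED_WINDOWS_RE = re.compile(r"[a-z]:\\documents and settings\\[^\\]+\\windows\\", re.I)


def nested_windows_paths(procs, entries):
    """Lines pointing into a \\WINDOWS\\ tree under a user profile. smss.exe and
    mswsock.dll belong under the real %SystemRoot%; a copy under a profile is
    worth an explicit look before anything is trusted or deleted."""
    hits = [p for p in procs if NESTED_WINDOWS_RE.search(p)]
    hits += ["%s - %s" % (c, b) for c, b in entries if NESTED_WINDOWS_RE.search(b)]
    return hits


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    for name, count in flooded_images(procs):
        print("PROCESS FLOOD %s x%d" % (name, count))
    for hit in nested_windows_paths(procs, entries):
        print("NESTED WINDOWS PATH %s" % hit)
```

Against this log the flood check returns rundll32.exe at 100 instances, matching what Reply 4 sees in Task Manager, while svchost.exe sits at five and is not flagged. The path check returns three lines: the smss.exe process, the NeroFilterCheck Run entry, and the O10 LSP entry, all pointing into a WINDOWS\system32 directory under the Administrator profile. Whether those files are copies, leftovers or something else is for a hands-on check (hashes, timestamps, who created the directory); the script only makes sure they are not missed in a 130-line dump.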