I have a W2003 server on which I came across this virus, after noticing that the server was doing odd things, above all that I couldn't see hidden files.
NOD32 detected a trojan -- Win32/PSW.OnLineGames.NMP -- in memory, and it could not be removed.
It also detected that autorun.inf files were being created on every drive of the server.
In the end it removed some viruses it apparently had, and, initially connecting from a remote machine, I was able to delete the files vamsoft.exe and kamsoft.exe; I also went into the system registry and removed every entry for vamsoft.exe, kamsoft.exe and rcukd.cmd.
For now NOD no longer detects any threat, and the autorun.inf files are not being generated again either, but the server still won't let me view hidden files.
I've seen in some forums that you should run a little program called Combofix.exe, but it doesn't run on W2003 Server.
I'm attaching a HijackThis log so you can spot what I'm still missing or what's still being a pain. Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:07 AM, on 12/12/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
J:\Common Framework\FrameworkService.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\SAPDB\SDB\DB\pgm\kernel.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\dllhost.exe
c:\sapdb\programs\pgm\serv.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Symantec Backup Exec System Recovery 8.5] "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "J:\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2791544445-382555844-2843838285-1021\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SAPServiceAFD')
O4 - HKUS\S-1-5-21-2791544445-382555844-2843838285-1022\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'afdadm')
O4 - HKUS\S-1-5-21-2791544445-382555844-2843838285-1025\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SAPServiceSOL')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone: http://*.tucows.ua.es
O15 - ESC Trusted Zone:
O15 - ESC Trusted IP range:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E90D0D0-41C6-4C8E-A448-6558BF7A991F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{A04296AC-1940-4F57-ABB9-E837153CB2E7}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0C123EB-B7BA-4B22-B10D-D57D993E2842}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - J:\Common Framework\FrameworkService.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAPDB: SDB (SAP DBTech-SDB) - SAP AG - C:\SAPDB\SDB\DB\pgm\kernel.exe
O23 - Service: SAPDB: _CSAPDBS (SAP DBTech-_CSAPDBS) - SAP AG - C:\SAPDB\SDB\DB\pgm\kernel.exe
O23 - Service: SAPAFD_00 - SAP AG - D:\usr\sap\AFD\DVEBMGS00\exe\sapstartsrv.exe
O23 - Service: SAPAFD_01 - SAP AG - D:\usr\sap\AFD\SCS01\exe\sapstartsrv.exe
O23 - Service: SAPCCMSR.00 (sapccmsr.00) - SAP AG - D:\usr\sap\AFD\DVEBMGS00\exe\sapccmsr.exe
O23 - Service: SAPCCMSR.02 (sapccmsr.02) - SAP AG - D:\usr\sap\SOL\DVEBMGS02\exe\sapccmsr.exe
O23 - Service: SAPOsCol - SAP AG - D:\usr\sap\AFD\SCS01\exe\saposcol.exe
O23 - Service: saprouter - SAP AG - c:\saprouter\saprouter.exe
O23 - Service: SAPSOL_02 - SAP AG - D:\usr\sap\SOL\DVEBMGS02\exe\sapstartsrv.exe
O23 - Service: SAPSOL_03 - SAP AG - D:\usr\sap\SOL\SCS03\exe\sapstartsrv.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
O23 - Service: XServer - SAP AG - c:\sapdb\programs\pgm\serv.exe
--
End of file - 8797 bytes
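An added example to go with the post above; it is not code from the original poster. Reading the log, none of the O4/O23 entries still reference the files the poster removed, which fits the usual leftover of this worm family: it tampers with the Folder Options registry entries so that "Show hidden files and folders" either never sticks or silently writes the wrong value, and it leaves cached autorun.inf handlers behind. The script below audits and repairs those values, clears the cached autorun handlers, disables AutoRun, prints the classic Winlogon/AppInit persistence values for inspection, and quarantines any copy of autorun.inf, vamsoft.exe, kamsoft.exe or rcukd.cmd still present on a local volume or in system32. It assumes an elevated PowerShell 2.0+ session on the Windows Server 2003 host itself (PowerShell is a separate download on 2003), and the quarantine folder path is an arbitrary choice.

```powershell
# Added example, not part of the original post. Assumes PowerShell 2.0+ and an
# elevated session on the Windows Server 2003 host; $quarantine is an assumed path.
$ErrorActionPreference = 'Stop'

$showAll    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$advanced   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policies   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mountPts   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$quarantine = Join-Path $env:SystemDrive 'Quarantine'   # assumed location, adjust as needed

# Ensure a registry value exists, is REG_DWORD and holds the expected number.
# This worm family typically sets SHOWALL\CheckedValue to 0 or retypes it as REG_SZ,
# so the value's type has to be checked as well as its number.
function Ensure-DwordValue([string]$Path, [string]$Name, [int]$Expected) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $key     = Get-Item -Path $Path
    $current = $key.GetValue($Name, $null)
    $kind    = if ($current -ne $null) { $key.GetValueKind($Name) } else { 'missing' }
    if ($current -eq $Expected -and "$kind" -eq 'DWord') {
        Write-Host ("OK      {0}\{1} = {2}" -f $Path, $Name, $Expected)
        return
    }
    Write-Host ("REPAIR  {0}\{1}: was '{2}' ({3}), setting REG_DWORD {4}" -f $Path, $Name, $current, $kind, $Expected)
    if ($current -ne $null) { Remove-ItemProperty -Path $Path -Name $Name }  # drop a wrongly typed value first
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Expected | Out-Null
}

# Folder Options radio button "Show hidden files and folders" and the per-user values it
# writes (Hidden: 1 = show, 2 = hide). The HKCU fixes apply to the logged-on account only;
# repeat them for the other profiles that were used on the box.
Ensure-DwordValue $showAll  'CheckedValue'    1
Ensure-DwordValue $showAll  'DefaultValue'    2
Ensure-DwordValue $advanced 'Hidden'          1
Ensure-DwordValue $advanced 'ShowSuperHidden' 1
Ensure-DwordValue $advanced 'HideFileExt'     0
# 0xFF disables AutoRun for every drive type, so a reappearing autorun.inf is inert.
Ensure-DwordValue $policies 'NoDriveTypeAutoRun' 0xFF

# Explorer caches each volume's autorun.inf handler under MountPoints2; clearing it removes
# cached open/shell commands that still point at files already deleted. Explorer rebuilds it.
if (Test-Path $mountPts) { Get-ChildItem $mountPts | Remove-Item -Recurse -Force }

# Persistence values worth eyeballing. Expected on a clean 2003 box: Shell = Explorer.exe,
# Userinit = <system32>\userinit.exe, (with the trailing comma), AppInit_DLLs empty.
foreach ($pair in @(@($winlogon, 'Shell'), @($winlogon, 'Userinit'), @($windows, 'AppInit_DLLs'))) {
    $v = (Get-ItemProperty -Path $pair[0]).($pair[1])
    Write-Host ("CHECK   {0}\{1} = '{2}'" -f $pair[0], $pair[1], $v)
}

# Roots of every local fixed (3) or removable (2) volume, plus system32 where the droppers land.
$roots  = Get-WmiObject Win32_LogicalDisk |
          Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
          ForEach-Object { $_.DeviceID + '\' }
$places = @($roots) + @(Join-Path $env:SystemRoot 'system32')
$names  = 'autorun.inf', 'vamsoft.exe', 'kamsoft.exe', 'rcukd.cmd'   # names from the post

if (-not (Test-Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }

foreach ($dir in $places) {
    foreach ($name in $names) {
        $p = Join-Path $dir $name
        if (-not [System.IO.File]::Exists($p)) { continue }   # sees hidden/system files too
        $f = Get-Item -LiteralPath $p -Force
        Write-Host ("FOUND   {0}  {1} bytes  {2}  {3}" -f $p, $f.Length, $f.LastWriteTime, $f.Attributes)
        if ($name -eq 'autorun.inf') {
            # Show what the file would launch; that target is the next thing to hunt for.
            Get-Content -LiteralPath $p |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
                ForEach-Object { Write-Host ("        launches: {0}" -f $_) }
        }
        # Keep a copy for analysis instead of deleting; clear attributes so the move succeeds.
        $f.Attributes = [System.IO.FileAttributes]::Normal
        $dest = Join-Path $quarantine (($p -replace '[:\\]', '_') + '.bin')
        Move-Item -LiteralPath $p -Destination $dest -Force
        Write-Host ("        moved to {0}" -f $dest)
    }
}
```

Run it once, log off and back on (or restart explorer.exe) so Explorer rereads the Hidden/ShowSuperHidden values, then confirm the radio button in Folder Options stays selected and hidden files appear. If the REPAIR lines come back on a second run, something is still resident and re-applying the change, which is the point to go back to an offline scan rather than keep cleaning live. On Server 2003 the NoDriveTypeAutoRun value is only fully honored once Microsoft's later AutoRun update (KB967715) is installed, so treat disabling AutoRun as defense in depth, not as the fix.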