Hi everyone,
Avast has detected a rootkit on my machine and I don't know whether it is a false positive or a real infection; I would need your help to sort it out. I am attaching everything I found on the forum that needs to be done. I have run aswMBR, MBAR and OTL, and I have also checked it on virustotal.com. Here are the results:
My Avast version is 2014.9.0.2018 and I am running Windows Vista.
VIRUSTOTAL:
aswMBR:
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-06-17 00:30:42
00:30:42.383 OS Version: Windows 6.0.6002 Service Pack 2
00:30:42.383 Number of processors: 2 586 0xF0D
00:30:42.384 ComputerName: USUARIO1 UserName: Usuario
00:31:54.151 Initialize success
00:31:54.151 VM: initialized successfully
00:31:54.258 VM: outdated driver version !
00:31:57.389 AVAST engine defs: 14061601
00:32:14.998 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
00:32:15.000 Disk 0 Vendor: FUJITSU_ 0000 Size: 238475MB BusType: 3
00:32:15.004 Disk 1 \Device\Harddisk1\DR1 → \Device\0000006a
00:32:15.006 Disk 1 Vendor: RICOH 01 Size: 238475MB BusType: 0
00:32:15.011 Disk 2 \Device\Harddisk2\DR2 → \Device\0000006b
00:32:15.014 Disk 2 Vendor: RICOH 02 Size: 238475MB BusType: 0
00:32:15.300 Disk 0 MBR read successfully
00:32:15.303 Disk 0 MBR scan
00:32:15.307 Disk 0 Windows VISTA default MBR code
00:32:15.329 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 11374 MB offset 2048
00:32:15.347 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 227099 MB offset 23296000
00:32:15.701 Disk 0 scanning sectors +488395120
00:32:15.959 Disk 0 scanning C:\Windows\system32\drivers
00:32:40.560 Service scanning
00:34:08.604 Service SPTISRV C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe INFECTED Win32:Evo-gen [Susp]
00:34:33.898 Modules scanning
00:35:12.754 Disk 0 trace - called modules:
00:35:12.782 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
00:35:12.788 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89e23ac8]
00:35:12.792 3 CLASSPNP.SYS[8dda28b3] → nt!IofCallDriver → [0x8929a438]
00:35:12.797 5 acpi.sys[8069d6bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8929d028]
00:35:14.646 AVAST engine scan C:\Windows
00:35:24.492 AVAST engine scan C:\Windows\system32
00:40:45.640 AVAST engine scan C:\Windows\system32\drivers
00:41:38.241 AVAST engine scan C:\Users\Usuario
00:49:16.604 Scan stopped
00:52:03.912 Disk 0 MBR has been saved successfully to “C:\Users\Usuario\Desktop\MBR.dat”
00:52:03.918 The log file has been saved successfully to “C:\Users\Usuario\Desktop\aswMBR.txt”
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-06-17 13:04:50
13:04:50.065 OS Version: Windows 6.0.6002 Service Pack 2
13:04:50.065 Number of processors: 2 586 0xF0D
13:04:50.065 ComputerName: USUARIO1 UserName: Usuario
13:04:50.580 Initialize success
13:04:50.580 VM: initialized successfully
13:04:50.689 VM: outdated driver version !
13:04:54.885 AVAST engine defs: 14061601
13:04:57.163 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
13:04:57.163 Disk 0 Vendor: Size: 238475MB BusType: 0
13:04:57.163 Disk 1 \Device\Harddisk1\DR1 → \Device\0000006a
13:04:57.179 Disk 1 Vendor: RICOH 01 Size: 238475MB BusType: 0
13:04:57.179 Disk 2 \Device\Harddisk2\DR2 → \Device\0000006b
13:04:57.179 Disk 2 Vendor: RICOH 02 Size: 238475MB BusType: 0
13:04:57.491 Disk 0 MBR read successfully
13:04:57.491 Disk 0 MBR scan
13:04:57.506 Disk 0 Windows VISTA default MBR code
13:04:57.522 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 11374 MB offset 2048
13:04:57.553 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 227099 MB offset 23296000
13:04:57.569 Disk 0 scanning sectors +488395120
13:04:57.896 Disk 0 scanning C:\Windows\system32\drivers
13:05:24.837 Service scanning
13:06:06.488 Service SPTISRV C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe INFECTED Win32:Evo-gen [Susp]
13:06:13.836 Modules scanning
13:06:38.172 Disk 0 trace - called modules:
13:06:38.188 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
13:06:38.203 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89f35620]
13:06:38.203 3 CLASSPNP.SYS[8dda08b3] → nt!IofCallDriver → [0x8927a410]
13:06:38.203 5 acpi.sys[8069b6bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x88d0e028]
13:06:39.436 AVAST engine scan C:\Windows
13:06:43.336 AVAST engine scan C:\Windows\system32
13:11:52.641 AVAST engine scan C:\Windows\system32\drivers
13:12:43.450 AVAST engine scan C:\Users\Usuario
13:52:06.893 AVAST engine scan C:\ProgramData
14:07:32.466 Scan finished successfully
14:26:04.317 Disk 0 MBR has been saved successfully to “C:\Users\Usuario\Desktop\MBR.dat”
14:26:04.380 The log file has been saved successfully to “C:\Users\Usuario\Desktop\aswMBR.txt”
MBAR:
When the scan starts, a screen appears saying: 'Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity'. It then gives me the option to remove it and reboot, which is what I do. When it finishes it tells me everything is fine.
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org
Database version: v2014.06.17.05
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Usuario :: USUARIO1 [administrator]
17/06/2014 14:58:11
mbar-log-2014-06-17 (14-58-11).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 277043
Time elapsed: 12 minute(s), 43 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
OTL:
I can't post the OTL results because they are too long, but if you need them I will add them.
Many thanks in advance!!!
Regards
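For anyone triaging the same two findings, here is an added PowerShell check (not from the original post, nor from the MBAR or aswMBR tools) that reads the AppInit_DLLs loader settings MBAR flagged and hashes any DLL they reference plus the SPTISRV.exe service binary aswMBR flagged, so the hashes can be looked up on VirusTotal; the file path comes from the aswMBR log above, `Get-Sha256Hex` is a helper written for this example, and a value that is not present on the system simply prints empty.

```powershell
# Added triage script (not part of the original post). Reads the AppInit_DLLs
# loader settings that MBAR flagged and hashes the file aswMBR reported, so the
# values can be compared against known-good data or looked up on VirusTotal.
# Run from an elevated prompt; uses only cmdlets available in Windows PowerShell 2.0.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props  = Get-ItemProperty -Path $winKey

# Value names under this key (documented by Microsoft); missing ones read as empty.
$appInit  = $props.AppInit_DLLs
$loadFlag = $props.LoadAppInit_DLLs
$reqSign  = $props.RequireSignedAppInit_DLLs

"AppInit_DLLs              : '$appInit'"
"LoadAppInit_DLLs          : $loadFlag   (1 = listed DLLs are loaded into every user32-based process)"
"RequireSignedAppInit_DLLs : $reqSign"

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so it also works where Get-FileHash is unavailable (PowerShell < 4).
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# An empty AppInit_DLLs value is the normal state; any path listed deserves a look.
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,;]+' | Where-Object { $_ })) {
        $p = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path $p) {
            $sig = Get-AuthenticodeSignature $p
            "  $p  sig=$($sig.Status)  sha256=$(Get-Sha256Hex $p)"
        } else {
            "  $p  (file not found)"
        }
    }
}

# The service binary aswMBR flagged as Win32:Evo-gen [Susp] (path taken from the log).
$svc = 'C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe'
if (Test-Path $svc) {
    $sig = Get-AuthenticodeSignature $svc
    "SPTISRV.exe signer=$($sig.SignerCertificate.Subject) status=$($sig.Status)"
    "SPTISRV.exe sha256=$(Get-Sha256Hex $svc)"
} else {
    "SPTISRV.exe not found at the path reported by aswMBR"
}
```

A valid Authenticode signature from the expected vendor plus a clean VirusTotal result for the SHA-256 points towards a generic-heuristic false positive, while an AppInit_DLLs entry pointing at an unsigned DLL in a user-writable folder is what a real persistence mechanism would look like.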