Virus in Explorer and 1 unnamed service with an unnamed sub-root
Hello, let's try a deeper scan.
Download the following programs and save them to the desktop:
- Rkill (download by clicking the "Download now iExplore.exe" button)
- MalwareBytes Anti-Rootkit | manual.
- Run Rkill as administrator
- A console window similar to CMD will open
- Let it work for 2 to 5 minutes
- Paste the report from Rkill.txt, which is saved on the desktop.
Do not restart the PC when it finishes; continue with MBAM Anti-Rootkit
- Update MBAM Anti-Rootkit following its manual, and then run a scan from Safe Mode.
- Start Windows in 'Safe Mode'.
Then run MalwareBytes and follow the steps for this program one by one, in normal mode:
Malwarebytes manual, so that you know how to use and configure it.
- Run a Custom Scan: click the "Scan" section, then click "Custom Scan", then click "Configure Scan", checking all the boxes on the right and on the left, and updating if it asks you to.
- Click "Remove Selected" to send them to quarantine, and restart the system.
- To access the scan report afterwards: Reports >> Scan Log >> click >> Export >> Copy to Clipboard, and paste it in your reply
I'll wait for your reports and your comments on whether it is still detecting anything. Regards.
Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2019
More Information about Rkill can be found at this link:
Program started at: 01/21/2019 03:22:45 AM in x64 mode.
Windows Version: Windows 10 Pro
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* No issues found.
Program finished at: 01/21/2019 03:23:11 AM
Execution time: 0 hours(s), 0 minute(s), and 26 seconds(s)
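The one finding in the Rkill report above is a policy value that keeps Windows Defender switched off: on this build, a value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender overrides the toggle in Settings, so Defender stays disabled until the value is removed. The script below is an added example (not Rkill's code) that parses a report of this shape into sections and findings, picks out Defender policy values set to 1, and emits the reg.exe commands to drop them. The report text is copied from the log above; the assumption that no legitimate Group Policy manages Defender on this home PC is what makes deleting the value the right fix.

```python
"""Triage an Rkill report: split it into sections, extract registry findings,
and propose a remediation for Defender policy values that disable it.
Added example, not Rkill's own code."""
import re

# Constructed input: the report posted above, indentation dropped as in the thread.
RKILL_REPORT = r"""Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2019
Program started at: 01/21/2019 03:22:45 AM in x64 mode.
Windows Version: Windows 10 Pro
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* No issues found.
Program finished at: 01/21/2019 03:23:11 AM
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<type>\w+):(?P<data>\S+)$')
CLEAN_PREFIXES = ("No issues found", "No malware")
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"


def parse_rkill(text):
    """Map each 'Section:' header to the findings ('*' lines) under it.
    A finding carries the registry key and values Rkill prints beneath it;
    'No issues found' style lines are dropped so clean sections map to []."""
    sections, current, finding = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
            finding = None
        elif line.startswith("*") and current:
            text_ = line.lstrip("* ").strip()
            finding = None
            if not text_.startswith(CLEAN_PREFIXES):
                finding = {"text": text_, "key": None, "values": []}
                sections[current].append(finding)
        elif finding and KEY_RE.match(line):
            finding["key"] = KEY_RE.match(line)["key"]
        elif finding and VALUE_RE.match(line):
            m = VALUE_RE.match(line)
            data = int(m["data"], 16) if m["type"] == "dword" else m["data"]
            finding["values"].append({"name": m["name"], "type": m["type"], "data": data})
    return sections


def defender_disabled_by_policy(sections):
    """Return (key, value name) pairs under the Defender policy key whose
    Disable* value is 1. Policy values win over the Settings toggle, so a
    stray 1 here keeps Defender off until the value is removed."""
    hits = []
    for findings in sections.values():
        for f in findings:
            key = f["key"] or ""
            if key.lower().startswith(DEFENDER_POLICY_KEY.lower()):
                for v in f["values"]:
                    if v["name"].lower().startswith("disable") and v["data"] == 1:
                        hits.append((key, v["name"]))
    return hits


def remediation_commands(hits):
    """reg.exe commands to delete the offending values. Run elevated.
    Assumption: no legitimate GPO manages Defender on this machine; if one
    does, the value will simply come back and the GPO is the thing to fix."""
    return [f'reg delete "{key}" /v {name} /f' for key, name in hits]


if __name__ == "__main__":
    report = parse_rkill(RKILL_REPORT)
    for section, findings in report.items():
        print(f"{section}: {len(findings)} finding(s)")
    for cmd in remediation_commands(defender_disabled_by_policy(report)):
        print("remediate:", cmd)
```

After deleting the value, confirm Defender actually comes back (the service starts and real-time protection turns on); if the value reappears on its own, something is re-applying it and the scan is not finished.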
I'll wait for the MBAM Anti-Rootkit and Malwarebytes reports and your comments on how the computer is running after completing the steps.
Malwarebytes Anti-Rootkit BETA
(c) Malwarebytes Corporation 2011-2012
OS version: 10.0.9200 Windows 10 x64
Account is Administrative
Internet Explorer version: 11.253.17763.0
File system is: NTFS
CPU speed: 3.493000 GHz
Memory total: 8521826304, free: 4345561088
Downloaded database version: v2019.01.21.01
Downloaded database version: v2019.01.21.01
Downloaded database version: v2018.01.20.01
Malwarebytes Anti-Rootkit BETA
(c) Malwarebytes Corporation 2011-2012
OS version: 10.0.9200 Windows 10 x64
Account is Administrative
Internet Explorer version: 11.253.17763.0
File system is: NTFS
CPU speed: 3.493000 GHz
Memory total: 8521826304, free: 5579669504
Driver version:
------------ Kernel report ------------
01/21/2019 03:24:50
------------ Loaded modules -----------
\??\C:\Program Files (x86)\Intel\Intel(R) Extreme Tuning Utility\Drivers\IocDriver\64bit\iocbios2.sys
\??\C:\Program Files (x86)\NZXT\CAM\OpenHardwareMonitorLib.sys
----------- End -----------
Scan started
Database versions:
main: v2019.01.21.01
rootkit: v2019.01.21.01
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffff8d046b7c9060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8d046b58d8d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8d046b7c9060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8d046b753060, DeviceName: \Device\0000002e\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 5ED87A44
GPT Protective MBR Partition information:
Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 4294967295
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
GPT Partition information:
GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 799975070
GPT Header CurrentLba = 1 BackupLba 234441647
GPT Header FirstUsableLba 34 LastUsableLba 234441614
GPT Header Guid bce575e6-9b33-4ccb-9c5e-5f458e32cdf1
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128
Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 799975070
Backup GPT header CurrentLba = 234441647 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 234441614
Backup GPT header Guid bce575e6-9b33-4ccb-9c5e-5f458e32cdf1
Backup GPT header Contains 128 partition entries starting at LBA 234441615
Backup GPT header Partition entry size = 128
Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 3870afa4-dad6-4d92-9d88-a17bab1a4934
FirstLBA 2048 Last LBA 1023999
Attributes 1
Partition Name Basic data partition
Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID c7156048-c0cc-497b-9e61-dc64bad43ef0
FirstLBA 1024000 Last LBA 1228799
Attributes 0
Partition Name EFI system partition
GPT Partition 1 is bootable
Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID a399d84-78cd-4ce0-9c7e-dfba54489b20
FirstLBA 1228800 Last LBA 1261567
Attributes 0
Partition Name Microsoft reserved partition
Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID 1407854e-d55e-4160-b74e-333128de9f36
FirstLBA 1261568 Last LBA 234440703
Attributes 0
Partition Name Basic data partition
Disk Size: 120034123776 bytes
Sector size: 512 bytes
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffff8d046b7ca060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8d046b58f8d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8d046b7ca060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8d046b79e060, DeviceName: \Device\00000030\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4BCD82D8
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 1124352
Partition is bootable
Partition file system is NTFS
Partition 1 type is Extended with LBA (0xf)
Partition is NOT ACTIVE.
Partition starts at LBA: 1126400 Numsec = 312866816
Partition is not bootable
Partition 2 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 313993216 Numsec = 987136
Partition is not bootable
Partition file system is NTFS
Partition 3 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 314982400 Numsec = 1638539264
Partition is not bootable
Partition file system is NTFS
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffff8d046e21f060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff8d046e21e5d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff8d046e21f060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffff8d046e21e060, DeviceName: \Device\00000038\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8FACD1A
Partition information:
Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 60602368
Partition is bootable
Partition file system is NTFS
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition is not bootable
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition is not bootable
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition is not bootable
Disk Size: 31029460992 bytes
Sector size: 512 bytes
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System\b6fb56a7c01747453c8e9e9d960dc295\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\2db27b5461c9ba5440d52f2970d090fc\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\08682e37846dd0da55e28ba38bdc1388\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\e63fc857cfeff9a4c99b0338b2792f46\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\2e775f4898c34369a0b346a29740266d\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\69b7858cc7d8982fa6210f5512a270f0\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\354012f9e129bf28718eb8d649e26a58\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\fe29aadf1d2ae8c1d2ffb8436042be7f\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\44def9578fd994867b1095091f92456d\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a07187ee9eaa9143ac350257659cd5ca\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\8f69b1dc210a815bc5b8d203435c8474\" is sparse (flags = 32768)
File "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\4b29799997c132047330c32e529b4a1e\" is sparse (flags = 32768)
File "C:\Users\BKPL\AppData\Local\D3DSCache\643ef9f3b699fd42\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_22FC&REV_E7.val" is compressed (flags = 1)
File "C:\Users\BKPL\AppData\Local\D3DSCache\d1045fa42060dcaf\52264C4C-172F-41B9-91B8-7F0C3B1E9021_VEN_1002&DEV_67DF&SUBSYS_22FC&REV_E7.val" is compressed (flags = 1)
Infected: C:\Users\BKPL\Desktop\Fenrir Project - Season II Basic UPDATE 1.00.02\Main.exe --> [Backdoor.Agent.Generic]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-1-1126400-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-2-313993216-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-3-314982400-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-2-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
Removal finished
Malwarebytes Anti-Rootkit BETA
Database version:
main: v2019.01.21.01
rootkit: v2019.01.21.01
Windows 10 x64 NTFS (Safe Mode/Networking)
Internet Explorer 11.253.17763.0
BKPL :: DESKTOP-AJSBVAI [administrator]
21/1/2019 03:24:53
mbar-log-2019-01-21 (03-24-53).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 199265
Time elapsed: 5 minute(s), 51 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\BKPL\Desktop\Fenrir Project - Season II Basic UPDATE 1.00.02\Main.exe (Backdoor.Agent.Generic) -> Delete on reboot. [7194f211fccbb086fbd04b2a9e64b54b]
Physical Sectors Detected: 0
(No malicious items detected)
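The kernel report above is MBAR's boot-sector check: it reads sector 0 of each disk, decides whether it is a plain MBR or the protective MBR of a GPT disk (one 0xEE entry starting at LBA 1 with sector count 0xFFFFFFFF = 4294967295), and then validates the GPT header ("EFI PART", revision 0x10000 = 65536, size 92, header CRC) and its backup. A bootkit that rewrites these structures shows up as a signature or CRC mismatch. The parser below is an added example, not MBAR's code. The disk image it parses is constructed from the values printed for drive 0, so the CRCs are computed here and do not match the log's CRC 799975070. One caveat when reading the log: MBAR prints GUID fields without leading zeros, so the recovery-partition type de94bba4-06d1-4d40-a16a-bfd50179d6ac appears as de94bba4-6d1-4d40-a16a-bfd5179d6ac; the well-known type GUIDs are restored below with certainty, and the unique ID a399d84-78cd-... is assumed to be 0a399d84-78cd-....

```python
"""Parse a protective MBR plus GPT header and partition array the way an
anti-rootkit scanner inspects them. Added example, not MBAR's code."""
import struct
import uuid
import zlib

SECTOR = 512
# signature, revision, header size, header CRC, reserved, current LBA, backup LBA,
# first/last usable LBA, disk GUID, entry array LBA, entry count, entry size, array CRC
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")


def parse_mbr(sector):
    """Disk signature, 0x55AA boot signature check and the four primary entries."""
    if len(sector) < SECTOR:
        raise ValueError("MBR sector too short")
    entries = []
    for i in range(4):
        status, ptype, lba_start, numsec = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "numsec": numsec})
    return {"disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "boot_signature_ok": sector[510:512] == b"\x55\xaa",
            "entries": entries}


def is_protective_mbr(mbr):
    """A GPT disk carries a single 0xEE entry at LBA 1; the other slots are empty."""
    e = mbr["entries"]
    return (mbr["boot_signature_ok"] and e[0]["type"] == 0xEE
            and e[0]["lba_start"] == 1 and all(x["type"] == 0 for x in e[1:]))


def parse_gpt_header(sector):
    """Decode the header and recompute its CRC32 (taken over `size` bytes with
    the CRC field zeroed). A mismatch means the header was rewritten."""
    (sig, rev, size, crc, _res, cur, backup, first, last,
     guid, pe_lba, pe_count, pe_size, pe_crc) = GPT_HEADER.unpack_from(sector)
    zeroed = sector[:16] + b"\0\0\0\0" + sector[20:size]
    return {"signature_ok": sig == b"EFI PART", "revision": rev, "size": size,
            "crc": crc, "crc_ok": zlib.crc32(zeroed) == crc,
            "current_lba": cur, "backup_lba": backup,
            "first_usable": first, "last_usable": last,
            "disk_guid": str(uuid.UUID(bytes_le=guid)),
            "entries_lba": pe_lba, "entry_count": pe_count,
            "entry_size": pe_size, "entries_crc": pe_crc}


def parse_gpt_entries(array, hdr):
    """Verify the partition-array CRC from the header, then decode used entries."""
    used = array[:hdr["entry_count"] * hdr["entry_size"]]
    if zlib.crc32(used) != hdr["entries_crc"]:
        raise ValueError("partition entry array CRC mismatch")
    out = []
    for i in range(hdr["entry_count"]):
        raw = used[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        type_guid, part_guid, first, last, attrs = struct.unpack_from("<16s16sQQQ", raw)
        if type_guid == b"\0" * 16:
            continue  # unused slot
        out.append({"index": i, "type_guid": str(uuid.UUID(bytes_le=type_guid)),
                    "guid": str(uuid.UUID(bytes_le=part_guid)), "first_lba": first,
                    "last_lba": last, "attributes": attrs,
                    "name": raw[56:128].decode("utf-16-le").rstrip("\0")})
    return out


def _guid(s):
    return uuid.UUID(s).bytes_le


def _gpt_entry(type_guid, part_guid, first, last, attrs, name):
    e = struct.pack("<16s16sQQQ", _guid(type_guid), _guid(part_guid), first, last, attrs)
    return e + name.encode("utf-16-le").ljust(72, b"\0")


def build_sample_disk():
    """Constructed protective MBR, GPT header and 128-entry array using the
    values the log prints for drive 0 (GUIDs with their leading zeros restored;
    the unique ID 0a399d84-... is an assumption)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0x5ED87A44)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xaa"
    entries = (
        _gpt_entry("de94bba4-06d1-4d40-a16a-bfd50179d6ac", "3870afa4-dad6-4d92-9d88-a17bab1a4934", 2048, 1023999, 1, "Basic data partition")
        + _gpt_entry("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "c7156048-c0cc-497b-9e61-dc64bad43ef0", 1024000, 1228799, 0, "EFI system partition")
        + _gpt_entry("e3c9e316-0b5c-4db8-817d-f92df00215ae", "0a399d84-78cd-4ce0-9c7e-dfba54489b20", 1228800, 1261567, 0, "Microsoft reserved partition")
        + _gpt_entry("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", "1407854e-d55e-4160-b74e-333128de9f36", 1261568, 234440703, 0, "Basic data partition")
    ).ljust(128 * 128, b"\0")
    hdr = bytearray(SECTOR)
    GPT_HEADER.pack_into(hdr, 0, b"EFI PART", 0x00010000, 92, 0, 0, 1, 234441647, 34, 234441614,
                         _guid("bce575e6-9b33-4ccb-9c5e-5f458e32cdf1"), 2, 128, 128, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])))  # CRC over the zeroed header
    return bytes(mbr), bytes(hdr), entries


if __name__ == "__main__":
    mbr_b, hdr_b, arr = build_sample_disk()
    m, h = parse_mbr(mbr_b), parse_gpt_header(hdr_b)
    print("protective MBR:", is_protective_mbr(m), "disk sig: %08X" % m["disk_signature"])
    print("GPT header ok:", h["signature_ok"] and h["crc_ok"], "backup at LBA", h["backup_lba"])
    for p in parse_gpt_entries(arr, h):
        print(p["index"], p["type_guid"], p["first_lba"], p["last_lba"], p["name"])
```

On a real disk the same functions would be fed the raw sectors read from \\.\PhysicalDrive0 (LBA 0, LBA 1 and the entry array starting at the header's entries_lba), and the backup header at the last LBA should be parsed the same way and compared against the primary; that is the check MBAR performs when it prints both headers.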
Restart the PC and let me know how it is doing.
-Log Details-
Scan Date: 21/1/19
Scan Time: 14:11
Log File: 8d114cae-1d9f-11e9-b5f2-88d7f6789893.json
-Software Information-
Components Version: 1.0.519
Update Package Version: 1.0.8892
License: Trial
-System Information-
OS: Windows 10 (Build 17763.288)
CPU: x64
File System: NTFS
-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 660900
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 5 hr, 14 min, 41 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 2
Adware.UltraSurf, G:\DATOS DE USUARIO\DOWNLOADS\COMPRESSED\U.ZIP, Quarantined, [8893], [543468],1.0.8892
Generic.Malware/Suspicious, C:\USERS\PUBLIC\DESKTOP\ACTIVATOR\RA1NACT1VAT0R_V10RC8_16072017.RAR, Quarantined, [0], [392686],1.0.8892
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
So far I haven't had any problems. I ran the full Malwarebytes scan; after almost 6 hours it finished and deleted 2 viruses from the data disk,
but so far the system is running great.
MBAM Anti-Rootkit was the one that managed to remove it... I see you were downloading a few things and they came with friends... Let me know if you want to close the thread and mark it as solved, or if you still have questions.
No questions so far 7u7, you can close it.
Let's remove all the tools we used before closing the thread.
- Download DelFix and save it to the desktop.
- Run it as administrator (if you use Windows Vista/7 or 8, right-click and select "Run as Administrator").
- Check all the boxes
- Click Run
Note: You don't need to paste this program's report.
----------THREAD SOLVED----------
To close the thread, click the button in this reply.
Thank you very much for trusting us! ForoSpyware