Infectado con Usfin.net ADfly adware

Hi @Marr0n, a thousand thanks for keeping an eye on me; I'm much better now, thank God nothing got complicated… I'll tell you that, coincidentally, yesterday morning I ran the last process you asked me to do, and indeed the pop-up windows stopped appearing and the system is even a bit more fluid. I ran the antivirus again and now everything works normally. I'd think there's nothing more to do, since everything works perfectly without any problem.

I'm very grateful to everyone who supported me with this problem. You're the best!!!

A thousand thanks to everyone, and if there's anything else I can do, let me know.

Many blessings to all, and once again thank you very much for your help.


Hi there @hectordj69

OK. Perfect :+1: glad to hear it then.

Well, it's not a coincidence, it's the special script I made for your case. That's why those windows stopped appearing; it's not magic or coincidence.

Well, not necessarily. I mean the machine still has to be checked through properly; there may still be traces or things in the guts of the system that are undesirable.

Please, while we're in the disinfection process, don't use antivirus or disinfection programs that I haven't told you to use. That could even be counterproductive if you do.

Tell me… which antivirus did you use? Even if everything came out clean and it looks fine, antivirus programs don't always detect everything… that's why reports like FARBAR's have to be looked at with :eyes:.

You're welcome. But we're not done yet. Let's not claim victory before the fight is over; it looks :+1:, but the war against the bugs isn't over yet.

You're welcome. Yes, so you need to bring me what I asked for:

I need to see that report, and then I'll give you the appropriate instructions to continue.

You're welcome.

Onward.

Regards.


@Marr0n understood… tomorrow I'll have everything ready, very kind of you! :+1:

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-01-2022
Ran by Spices (25-01-2022 08:07:55) Run:1
Running from C:\Users\Spices\OneDrive\Documents\OneDrive\Desktop
Loaded Profiles: Spices & QBDataServiceUser27
Boot Mode: Normal
==============================================

fixlist content:
*****************
START
SystemRestore: On
CREATERESTOREPOINT:
CLOSEPROCESSES:
Folder: C:\program files\avast software\avast
Folder: C:\WINDOWS\AutoKMS
Folder: C:\Program Files\Common Files\AV\
Folder: C:\Program Files\Common Files\McAfee
Folder: C:\WINDOWS\system32\Tasks\User_Feed_Synchronization-{30F58647-5ECA-4353-8E34-097FB582709F}
File: C:\Users\Spices\Downloads\or80g9pk.exe

HKLM\...\Run: [HotKeysCmds] => "C:\WINDOWS\system32\hkcmd.exe" (No File)
HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\...\Run: [prueba] => C:\Windows\System32\cmd.exe /c start hxxp://fumacrom.com/2OEsQ & start chrome.exe hxxp://fumacrom.com/2OEsQ & exit
BootExecute: autocheck autochk * sdnclean64.exe
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {0C42F339-DE3B-4B39-9229-AD7686DAE33C} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee VirusScan\upgrade.exe /prepare (No File)
Task: {3C9BEDBE-D3A6-446B-AAED-540A66B14AD2} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe /platui /runkey (No File)
Task: {A559BF25-2AD5-4E2C-A24F-6C68836C60B9} - System32\Tasks\TAREAAA => C:\Windows\System32\cmd.exe /c start http://fumacrom.com/2OEsQ & start chrome.exe http://fumacrom.com/2OEsQ & exit <==== ATTENTION
Edge Notifications: HKU\S-1-5-21-1001776605-1151265979-3107129937-1001 -> hxxps://www.cvvshop.lv; hxxps://mail.google.com
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
AlternateDataStreams: C:\Users\Spices\Documents\para norma.jpeg:3or4kl4x13tuuug3Byamue2s4b [105]
AlternateDataStreams: C:\Users\Spices\Documents\para norma.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\Users\Spices\Documents\tapiascan.jpeg:3or4kl4x13tuuug3Byamue2s4b [105]
AlternateDataStreams: C:\Users\Spices\Documents\tapiascan.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\98963565.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\98963565.sys => ""="Driver"
HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\...\StartupApproved\Run: => "prueba"
FirewallRules: [{CFF24E33-06E2-417A-ADE7-E746B0359CBB}] => (Allow) LPort=5357
FirewallRules: [TCP Query User{324995A9-4E1D-4924-9EED-3526411D4278}C:\program files\avast software\avast\avastui.exe] => (Block) C:\program files\avast software\avast\avastui.exe => No File
FirewallRules: [UDP Query User{01061E88-0E48-41BF-BFF0-4645F1032548}C:\program files\avast software\avast\avastui.exe] => (Block) C:\program files\avast software\avast\avastui.exe => No File
C:\program files\avast software\avast
C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
C:\Program Files\Common Files\AV\McAfee VirusScan\upgrade.exe
2021-12-16 08:40 - 2021-12-16 08:40 - 000000000 ____D C:\WINDOWS\AutoKMS
2021-12-15 05:22 - 2021-12-15 05:22 - 000000000 ___HD C:\$WinREAgent

CMD: ipconfig /flushdns
CMD: ipconfig /renew
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
Hosts:
END
*****************

SystemRestore: On => completed
Restore point was successfully created.
Processes closed successfully.

========================= Folder: C:\program files\avast software\avast ========================

not found.

====== End of Folder: ======


========================= Folder: C:\WINDOWS\AutoKMS ========================

2018-06-28 20:30 - 2018-12-08 21:31 - 000067299 ____A [8DAE5FE6CA783985B85E9B2D402AA411] () C:\WINDOWS\AutoKMS\AutoKMS.log
2021-12-13 08:51 - 2021-12-16 08:39 - 000000000 ____D [00000000000000000000000000000000] () C:\WINDOWS\AutoKMS\AutoKMS
2018-06-27 20:21 - 2021-12-13 08:28 - 000000000 ____D [00000000000000000000000000000000] () C:\WINDOWS\AutoKMS\AutoKMS\AutoKMS

====== End of Folder: ======


========================= Folder: C:\Program Files\Common Files\AV\ ========================

not found.

====== End of Folder: ======


========================= Folder: C:\Program Files\Common Files\McAfee ========================

not found.

====== End of Folder: ======


========================= Folder: C:\WINDOWS\system32\Tasks\User_Feed_Synchronization-{30F58647-5ECA-4353-8E34-097FB582709F} ========================

C:\WINDOWS\system32\Tasks\User_Feed_Synchronization-{30F58647-5ECA-4353-8E34-097FB582709F} = File

====== End of Folder: ======


========================= File: C:\Users\Spices\Downloads\or80g9pk.exe ========================

C:\Users\Spices\Downloads\or80g9pk.exe
File is digitally signed
MD5: 8FBF67DDE38B4FA72882355181631AE8
Creation and modification date: 2021-12-21 08:09 - 2021-12-21 08:10
Size: 263216616
Attributes: ----A
Company Name: Doctor Web Ltd. -> 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: https://www.virustotal.com/gui/file/6454055561ca6568ddf352ba02d95cfcbc8182d7746e21d0dfba5c588ffe2e54/detection/f-6454055561ca6568ddf352ba02d95cfcbc8182d7746e21d0dfba5c588ffe2e54-1640101110

====== End of File: ======

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\HotKeysCmds" => removed successfully
"HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\Software\Microsoft\Windows\CurrentVersion\Run\\prueba" => removed successfully
HKLM\System\CurrentControlSet\Control\Session Manager\\"BootExecute"="autocheck autochk *" => value restored successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0C42F339-DE3B-4B39-9229-AD7686DAE33C}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C42F339-DE3B-4B39-9229-AD7686DAE33C}" => removed successfully
C:\WINDOWS\System32\Tasks\McAfee Remediation (Prepare) => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee Remediation (Prepare)" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3C9BEDBE-D3A6-446B-AAED-540A66B14AD2}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C9BEDBE-D3A6-446B-AAED-540A66B14AD2}" => removed successfully
C:\WINDOWS\System32\Tasks\McAfeeLogon => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfeeLogon" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A559BF25-2AD5-4E2C-A24F-6C68836C60B9}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A559BF25-2AD5-4E2C-A24F-6C68836C60B9}" => removed successfully
C:\WINDOWS\System32\Tasks\TAREAAA => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TAREAAA" => removed successfully
"Edge Notifications:" => removed successfully
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\Config\AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => removed successfully
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\Config\BookReader_B171F20233094AC88D05A8EF7B9763E8 => removed successfully
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\Config\LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => removed successfully
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\Config\PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
C:\Users\Spices\Documents\para norma.jpeg => ":3or4kl4x13tuuug3Byamue2s4b" ADS could not remove.
C:\Users\Spices\Documents\para norma.jpeg => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully
C:\Users\Spices\Documents\tapiascan.jpeg => ":3or4kl4x13tuuug3Byamue2s4b" ADS could not remove.
C:\Users\Spices\Documents\tapiascan.jpeg => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\98963565.sys => removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\98963565.sys => removed successfully
"HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\prueba" => removed successfully
"HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\prueba" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CFF24E33-06E2-417A-ADE7-E746B0359CBB}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{324995A9-4E1D-4924-9EED-3526411D4278}C:\program files\avast software\avast\avastui.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{01061E88-0E48-41BF-BFF0-4645F1032548}C:\program files\avast software\avast\avastui.exe" => removed successfully
"C:\program files\avast software\avast" => not found
"C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe" => not found
"C:\Program Files\Common Files\AV\McAfee VirusScan\upgrade.exe" => not found
C:\WINDOWS\AutoKMS => moved successfully
C:\$WinREAgent => moved successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= ipconfig /renew =========


Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2603:8000:f100:1c00:656e:232a:5b33:c631
   Temporary IPv6 Address. . . . . . : 2603:8000:f100:1c00:8908:5a29:5eec:66de
   Link-local IPv6 Address . . . . . : fe80::656e:232a:5b33:c631%8
   IPv4 Address. . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::3a4c:90ff:fe9c:2a47%8
                                       192.168.0.1

========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

0 out of 0 jobs canceled.

========= End of CMD: =========


========= netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= RemoveProxy: =========

"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-1001776605-1151265979-3107129937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 43909715 B
Java, Flash, Steam htmlcache => 1124 B
Windows/system/drivers => 10379540 B
Edge => 54652354 B
Chrome => 22940591 B
Firefox => 69728063 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 100437954 B
NetworkService => 110087288 B
Spices => 464994341 B
TEMP.DESKTOP-RLQ6923.005 => 464994341 B
QBDataServiceUser27 => 464994341 B

RecycleBin => 29223429 B
EmptyTemp: => 1.7 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 08:09:14 ====
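The fixlog above removed several persistence entries: Run keys and a scheduled task that launched cmd.exe to open a URL, a modified BootExecute value, SafeBoot driver entries with no driver behind them, and alternate data streams on two files. The PowerShell triage script below is an added example, not part of this thread or of FRST; it re-checks those same locations read-only so a helper can confirm nothing has been recreated after the reboot. The key paths and match patterns are taken from the fixlog; everything else is generic Windows administration.

```powershell
# Added example (not from the thread or FRST): read-only re-check of the persistence
# spots cleaned in the fixlog above. Run from an elevated PowerShell window.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Value = $Value })
}
# Command lines that open a URL via "start", as the "prueba" Run value and the TAREAAA task did.
$urlLaunch = '(?i)\bstart\s+(\S+\s+)?https?://'

# 1. Run keys in HKLM and in every loaded user hive.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not a Run value
        if ("$($p.Value)" -match $urlLaunch) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 2. Scheduled task actions with the same pattern.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmdline = "$($a.Execute) $($a.Arguments)"
        if ($cmdline -match $urlLaunch) { Add-Finding 'Task' "$($task.TaskPath)$($task.TaskName)" $cmdline }
    }
}

# 3. BootExecute (REG_MULTI_SZ) should contain only the default "autocheck autochk *".
$boot = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Session Manager').BootExecute
$extra = @($boot | Where-Object { $_ -and $_ -ne 'autocheck autochk *' })
if ($extra.Count) { Add-Finding 'BootExecute' 'Session Manager' ($extra -join ' | ') }

# 4. SafeBoot entries named like a driver file that has no file under System32\drivers.
foreach ($mode in 'Minimal', 'Network') {
    foreach ($k in Get-ChildItem "HKLM:\System\CurrentControlSet\Control\SafeBoot\$mode") {
        $n = $k.PSChildName
        if ($n -like '*.sys' -and -not (Test-Path "$env:SystemRoot\System32\drivers\$n")) {
            Add-Finding 'SafeBoot' "$mode\$n" 'no matching driver file'
        }
    }
}

# 5. Named alternate data streams on the user's Documents (the fixlog found them on two .jpeg files).
Get-ChildItem "$env:USERPROFILE\Documents" -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |   # Zone.Identifier is the normal download mark
    ForEach-Object { Add-Finding 'ADS' $_.FileName $_.Stream }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No leftover persistence found.' }
```

Any hit is a lead to review by hand, not proof of infection; a remaining ADS with a random-looking name such as the two the fixlog could not remove is the kind of entry worth reporting back to the helper.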

Hi there.

First of all, sorry for taking so long to reply @hectordj69. Lately I have very little time for the forum, and that's normal. But we'll follow the case through to the end.

It went :+1:

In any case, I want fresh FRST logs to see how the whole machine is doing right now. Bring me both FRST.txt and Addition.txt; to do that:

:one: Disable your antivirus :arrow_forward: How to temporarily disable an antivirus, and any security program you have enabled.

DOWNLOAD IT TO YOUR DESKTOP, VERY IMPORTANT (and nowhere else).

Download Farbar Recovery Scan Tool. VERY IMPORTANT >> select the right version for your computer's architecture (32- or 64-bit). :arrow_forward: How to know whether my Windows is 32- or 64-bit.

:warning: Once FRST is downloaded, disconnect your computer completely from the Internet (turn off the router) >> Super Important. Right after that, also close any other program you have open.

:two: Farbar Recovery Scan Tool

  1. Run FRST.exe (if you use Windows Vista/7/8 or 10, right-click it and select Run as Administrator).

  2. A window with a Disclaimer message will appear; click Yes.

  3. In the program's main window click Scan and wait for the analysis to finish.

  4. Two logs/reports will appear: FRST.txt and Addition.txt; they will be saved on the desktop.

:three: Re-enable your antivirus and any security program you have enabled. Also reconnect your computer to the Internet.

:four: NEXT REPLY

Paste the FRST.txt and Addition.txt reports. You must post both reports in full, with absolutely all their content. You'll need to split them across several messages if you get an error/warning saying the report that makes up the message is too long (more than about 50,000 characters).

IMPORTANT NOTE

Please, while we're disinfecting your machine or finishing doing so:

  • Don't take steps/actions that WE haven't told you to.
  • Don't download ANYTHING from the Internet and/or connect external devices to your computer.
  • Don't install ANYTHING (programs/software/add-ons/browser extensions…).
  • Don't run other security programs (Antivirus, Antimalware, ANTI-ANYTHING…).
  • Don't carry out other procedures on your own.
  • Use your computer EXCLUSIVELY to disinfect it, following our instructions.

:warning: Very Important :warning: Post the different reports I asked you for as shown in the following image:

Regards.