Possible infections, logs: IFS + HijackThis


IFS log:

[CODE]
[B]~~~~~~~~~~~| Inicio: [/B]

*IFS (InfoSpyware First Steps) v 1.3
*www.InfoSpyware.com | www.ForoSpyware.com
*Iniciado: 19/03/2021 a las 17h.57m.29s

[B]~~~~~~~~~~~| Información del Sistema:[/B]

OS: Microsoft Windows 10 Pro x64
Idioma: Spanish (Argentina) (Argentina|es-AR)
Permisos de Administrador / ON
Windows se Inició en Modo Normal
Drive: C:\WINDOWS (Install: \Device\HarddiskVolume2)

[B]~~~~~~~~~~~| Arquitectura Fisica:[/B]

CPU: Gigabyte Technology Co., Ltd.
CPU Modelo: H81M-H
Procesador: Intel® Core™ i5-4460 CPU @ 3.20GHz (x64-BasedPC)
Memoria RAM: 15 Gb. En Uso: 29 %
Video: Intel® HD Graphics 4600
Chip: Intel® HD Graphics Family
Capacidad video:1024 MB (Internal)

[B]~~~~~~~~~~~| Unidades[/B]

C: [FIXED|NTFS|Sistema Operativo] - [212.7 Gb][115.2 Gb][97.5 Gb]
E: [FIXED|NTFS|Datos] - [400.8 Gb][326.6 Gb][74.0 Gb]
G: [FIXED|NTFS|Juegos] - [230.1 Gb][116.2 Gb][113.9 Gb]
C:\ Fragmentación total 5.96% - Correcto
E:\ Fragmentación total 0.47% - Correcto
G:\ Fragmentación total 0.60% - Correcto

[B]~~~~~~~~~~~| Seguridad del SO[/B]

SafeBoot: Inicio en Modo seguro Correcto
Security Center: Correcto (Servicio Activo)
Windows Update: Correcto (Servicio Activo)
AV: ESET Security Protección Residente [ON] / Actualizado
AV: Windows Defender Protección Residente [ON] / Actualizado
AV: ESET Security Protección Residente [ON] / Actualizado
FW: ESET Firewall Protección Residente [ON]
FW: COMODO Firewall Protección Residente [ON]
FW: ESET Firewall Protección Residente [ON]
FW: Windows Firewall * Protección Residente [OFF]*

[B]~~~~~~~~~~~| Update Check[/B]

Internet Explorer Versión Instalada 11

[B]~~~~~~~~~~~| Process List[/B]

MsMpEng.exe (Windows Defender)
cmdagent.exe (Comodo Firewall)
cavwp.exe (Comodo)
cmdagent.exe (Comodo)
cis.exe (Comodo)

[B]~~~~~~~~~~~| Install Check[/B]

Glary Utilities PRO 5.162 [5.162.0.188]
CCleaner [5.77]
Reset Windows Update Tool [11.0.0.8]

[B]~~~~~~~~~~~| Registry Check[/B]

HKLM\Run(x64): [SecurityHealth] %windir%\system32\SecurityHealthSystray.exe
HKLM\Run(x64): [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
HKLM\Run(x64): [COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10}] C:\Program Files\COMODO\COMODO Internet Security\cis.exe --cistrayUI
HKLM\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM\Run: [GUDelayStartup] "C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe" -delayrun
Winlogon(x64): Shell = explorer.exe
Winlogon: Shell = explorer.exe
Userinit(x64): Userinit =
Userinit: Userinit =

[HKCR..open\command] → Navegador Preferido es Internet Explorer
StarPage:hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
StarPage:hxxp://go.microsoft.com/fwlink/?LinkId=54896

[B]~~~~~~~~~~~| PUPs Check[/B]

[B]~~~~~~~~~~~| Listado 7 Días (Predeterminado)[/B]

[16/03/2021 12:13] - C:\WINDOWS\SysWOW64\IsolatedWindowsEnvironmentUtils.dll
[16/03/2021 12:13] - C:\WINDOWS\SysWOW64\TextShaping.dll
[16/03/2021 12:13] - C:\WINDOWS\System32\IsolatedWindowsEnvironmentUtils.dll
[16/03/2021 12:13] - C:\WINDOWS\System32\TextShaping.dll
[16/03/2021 18:30] - C:\WINDOWS\Panther
[16/03/2021 17:30] - C:\WINDOWS\SoftwareDistribution
[15/03/2021 16:18] - C:\WINDOWS\SoftwareDistribution.bak
[16/03/2021 18:29] - C:\bootTel.dat
[19/03/2021 17:57] - C:\FSTool
[19/03/2021 17:57] - C:\IFS.log

[B]~~~~~~~~~~~| C:\WINDOWS\Tasks:[/B]

[17/10/2020 06:19] - C:\WINDOWS\Tasks\Intel PTT EK Recertification.job

[B]~~~~~~~~~~~| End Report[/B]
*Finalizado 18:01:46
*Se limpiaron los archivos temporales
*[1599815] C:\Users\Eric\Desktop\IFS.exe
*Herramienta de Análisis e investigación
[/CODE]


HijackThis log:

[CODE]

Logfile of HiJackThis Fork (Beta) by Alex Dragokas v.2.10.0.6

Platform: x64 Windows 10 (Pro), 10.0.19042.868 (ReleaseId: 2009), Service Pack: 0
Time: 19.03.2021 - 18:03 (UTC-03:00)
Language: OS: Spanish (0xC0A). Display: Spanish (0xC0A). Non-Unicode: Spanish (0xC0A)
Elevated: Yes
Ran by: Eric (group: Administrator) on DESKTOP-43641L1, FirstRun: no

Edge: 11.0.19041.844
Internet Explorer: 11.0.19041.1
Default: "C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe" --single-argument %1 (Brave)

Boot mode: Normal

Running processes:
Number | Path
1 C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReaderUpdateService.exe
1 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
2 C:\Program Files\COMODO\COMODO Internet Security\cis.exe
2 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1 C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\MsMpEng.exe
1 C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\NisSrv.exe
1 C:\ProgramData\Microsoft\Windows Defender\Scans\MsMpEngCP.exe
1 C:\Users\Eric\Desktop\HiJackThis.exe
1 C:\Windows\explorer.exe
1 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
1 C:\Windows\System32\ApplicationFrameHost.exe
1 C:\Windows\System32\audiodg.exe
2 C:\Windows\System32\csrss.exe
1 C:\Windows\System32\ctfmon.exe
1 C:\Windows\System32\dasHost.exe
1 C:\Windows\System32\dllhost.exe
1 C:\Windows\System32\dwm.exe
2 C:\Windows\System32\fontdrvhost.exe
1 C:\Windows\System32\igfxCUIService.exe
1 C:\Windows\System32\igfxHK.exe
1 C:\Windows\System32\LsaIso.exe
1 C:\Windows\System32\lsass.exe
1 C:\Windows\System32\oobe\UserOOBEBroker.exe
3 C:\Windows\System32\RuntimeBroker.exe
1 C:\Windows\System32\SecurityHealthService.exe
1 C:\Windows\System32\SecurityHealthSystray.exe
1 C:\Windows\System32\services.exe
1 C:\Windows\System32\SgrmBroker.exe
1 C:\Windows\System32\sihost.exe
1 C:\Windows\System32\smartscreen.exe
1 C:\Windows\System32\smss.exe
1 C:\Windows\System32\spoolsv.exe
83 C:\Windows\System32\svchost.exe
1 C:\Windows\System32\taskhostw.exe
1 C:\Windows\System32\vmcompute.exe
1 C:\Windows\System32\wininit.exe
1 C:\Windows\System32\winlogon.exe
1 C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
1 C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
1 C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
1 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
1 vmmem

O4 - HKCU…\StartupApproved\Run: [GUDelayStartup] = C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe -delayrun (2019/11/05)
O4 - HKCU\Control Panel\Desktop: [SCRNSAVE.EXE] = C:\Windows\DreamAquarium.scr
O4 - HKLM…\Run: [COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10}] = C:\Program Files\COMODO\COMODO Internet Security\cis.exe --cistrayUI
O4 - HKLM…\Session Manager: [BootExecute] = C:\WINDOWS\system32\autochk.exe * (Microsoft)
O4 - HKLM…\StartupApproved\Run: [RtHDVCpl] = C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s (2019/11/04)
O4 - HKLM…\StartupApproved\Run32: [SunJavaUpdateSched] = C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (2020/11/21)
O7 - KnownFolder: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, AppData = C:\Users\Eric\AppData\Roaming
O7 - TroubleShooting: (EV) HKLM…\Environment: [PSModulePath] = %ProgramFiles%\WindowsPowerShell\Modules;%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer\AppvPkgConverter;C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer\AppvSequencer
O15 - Trusted Zone: http://download.microsoft.com
O15 - Trusted Zone: http://ntservicepack.microsoft.com
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O15 - Trusted Zone: http://wustat.windows.com
O15 - Trusted Zone: https://download.windowsupdate.com
O15 - Trusted Zone: https://update.microsoft.com
O15 - Trusted Zone: https://windowsupdate.com
O15 - Trusted Zone: https://ws.microsoft.com
O17 - DHCP DNS 1: 192.168.1.15
O21 - HKLM…\ShellIconOverlayIdentifiers\ MEGA (Pending): (no name) - {056D528D-CE28-4194-9BA3-BA2E9197FF8C} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ MEGA (Synced): (no name) - {05B38830-F4E9-4329-978B-1DD28605D202} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ MEGA (Syncing): (no name) - {0596C850-7BDD-4C9D-AFDF-873BE6890637} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive1: (no name) - {BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive2: (no name) - {5AB7172C-9C11-405C-8DD5-AF20F3606282} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive3: (no name) - {A78ED123-AB77-406B-9962-2A5D9D2F7F30} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive4: (no name) - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive5: (no name) - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive6: (no name) - {9AA2F32D-362A-42D9-9328-24A483E2CCC3} - (no file)
O21 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive7: (no name) - {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ MEGA (Pending): (no name) - {056D528D-CE28-4194-9BA3-BA2E9197FF8C} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ MEGA (Synced): (no name) - {05B38830-F4E9-4329-978B-1DD28605D202} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ MEGA (Syncing): (no name) - {0596C850-7BDD-4C9D-AFDF-873BE6890637} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive1: (no name) - {BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive2: (no name) - {5AB7172C-9C11-405C-8DD5-AF20F3606282} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive3: (no name) - {A78ED123-AB77-406B-9962-2A5D9D2F7F30} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive4: (no name) - {F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive5: (no name) - {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive6: (no name) - {9AA2F32D-362A-42D9-9328-24A483E2CCC3} - (no file)
O21-32 - HKLM…\ShellIconOverlayIdentifiers\ OneDrive7: (no name) - {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} - (no file)
O22 - Task (.job): (disabled) (Not scheduled) Intel PTT EK Recertification.job - C:\Program Files\Intel\Intel® Management Engine Components\iCLS\IntelPTTEKRecertification.exe
O22 - Task: (damaged) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MEGA (empty)
O22 - Task: (disabled) (telemetry) \Microsoft\Office\OfficeTelemetryAgentFallBack2016 - C:\Program Files\Microsoft Office\Office16\msoia.exe scan upload mininterval:2880 (Microsoft)
O22 - Task: (disabled) (telemetry) \Microsoft\Office\OfficeTelemetryAgentLogOn2016 - C:\Program Files\Microsoft Office\Office16\msoia.exe scan upload (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateOrchestrator\Reboot_AC - C:\WINDOWS\system32\MusNotification.exe /RunOnAC Reboot (Microsoft)
O22 - Task: (disabled) (update) \Microsoft\Windows\UpdateOrchestrator\Reboot_Battery - C:\WINDOWS\system32\MusNotification.exe /RunOnBattery RebootDialog (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\Retry - C:\WINDOWS\system32\ProvTool.exe /turn 5 /source ProvRetryTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\Management\Provisioning\RunOnReboot - C:\WINDOWS\system32\ProvTool.exe /turn 5 /source ContinueSessionTask (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work - C:\WINDOWS\system32\usoclient.exe StartMaintenanceWork (Microsoft)
O22 - Task: (disabled) \Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work - C:\WINDOWS\system32\usoclient.exe StartWork (Microsoft)
O22 - Task: (disabled) \S-1-5-21-4144086401-3977297519-595239145-1001\DataSenseLiveTileTask - C:\WINDOWS\System32\DataUsageLiveTileTask.exe
O22 - Task: (telemetry) \COMODO\COMODO Telemetry {18AD3DFA-30C0-4B5F-84F7-F1870B1A4921} - C:\Program Files\COMODO\COMODO Internet Security\cis.exe --telemetry
O22 - Task: (telemetry) \Microsoft\Office\Office 15 Subscription Heartbeat - C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe (Microsoft)
O22 - Task: (telemetry) \Microsoft\Windows\Application Experience\PcaPatchDbTask - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask (Microsoft)
O22 - Task: (update) \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker - C:\WINDOWS\system32\MusNotification.exe (Microsoft)
O22 - Task: \COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} - C:\Program Files\COMODO\COMODO Internet Security\cis.exe --cistrayUI
O22 - Task: \COMODO\COMODO CMC {06A09C0F-DD9C-4191-A670-71115CD78627} - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe --launchSchedule {06A09C0F-DD9C-4191-A670-71115CD78627}
O22 - Task: \COMODO\COMODO Maintenance {947247B5-026A-4437-9371-770782BE839D} - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe --launchSchedule {947247B5-026A-4437-9371-770782BE839D}
O22 - Task: \COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe --launchSchedule {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}
O22 - Task: \COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} - C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe --launchSchedule {A6D52E4F-569B-4756-B3D8-DF217313DA85}
O22 - Task: \Microsoft\Windows\Windows Defender\Windows Defender Update - C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\MpCmdRun.exe SignatureUpdate -ScheduleJob
O22 - Task: BraveSoftwareUpdateTaskMachineCore - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe /c
O22 - Task: BraveSoftwareUpdateTaskMachineUA - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe /ua /installsource scheduler
O22 - Task: CCleaner Update - C:\Program Files\CCleaner\CCUpdate.exe
O22 - Task: CCleanerSkipUAC - C:\Program Files\CCleaner\CCleaner.exe $(Arg0)
O22 - Task: Intel PTT EK Recertification - C:\Program Files\Intel\Intel® Management Engine Components\iCLS\IntelPTTEKRecertification.exe
O22 - Task: OneDrive Standalone Update Task-S-1-5-21-3965273046-3430910187-3870962638-500 - C:\Users\Eric\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (file missing)
O22 - Task: OneDrive Standalone Update Task-S-1-5-21-4144086401-3977297519-595239145-500 - C:\Users\Eric\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe (file missing)
O23 - Service R2: COMODO Internet Security Helper Service - (CmdAgent) - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service R2: COMODO Internet Security Protected Helper Service - (CmdAgentProt) - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe /ProtectedSvc
O23 - Service R2: Foxit Reader Update Service - (FoxitReaderUpdateService) - C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReaderUpdateService.exe
O23 - Service R2: Intel® HD Graphics Control Panel Service - (igfxCUIService2.0.0.0) - C:\WINDOWS\system32\igfxCUIService.exe
O23 - Service S2: Brave Update Servicio (brave) - (brave) - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe /svc
O23 - Service S2: Intel® TPM Provisioning Service - C:\Program Files\Intel\Intel® Management Engine Components\iCLS\TPMProvisioningService.exe
O23 - Service S3: AnyDesk Service - (AnyDesk) - C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service
O23 - Service S3: Brave Update Servicio (bravem) - (bravem) - C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe /medsvc
O23 - Service S3: COMODO Virtual Service Manager - (cmdvirth) - C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe
O23 - Service S3: Intel® Capability Licensing Service TCP IP Interface - C:\Program Files\Intel\Intel® Management Engine Components\iCLS\SocketHeciServer.exe
O23 - Service S3: Intel® Content Protection HECI Service - (cphs) - C:\WINDOWS\SysWow64\IntelCpHeciSvc.exe
O23 - Service S3: Malwarebytes Service - (MBAMService) - E:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
O23 - Service S3: Office 64 Source Engine - (ose64) - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service S3: SAMSUNG Mobile Connectivity Service - (ss_conn_service) - E:\Program Files\USB Drivers\27_ssconn\conn\ss_conn_service.exe
O23 - Service S3: VirtualBox system service - (VBoxSDS) - C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe

– End of file - Time spent: 15,2 sec. - 26582 bytes, CRC32: FFFFFFFF. Sign: 桘竃

[/CODE]

____________________________________

Hello group, I have been away for a long time and many things have changed, among them the forum and the way posts are made… I have doubts about the state of the PC (logs attached as .txt) from the IFS and HijackThis tools… I hope you can give me some guidance…

I just noticed that ESET components show up, which I removed a few days ago with the BC Uninstaller utility and ESET Uninstall. Do I need to remove those entries, and with what method?

PS: If this topic does not belong in the assigned category, I would appreciate it if an Administrator / Moderator moved it… Apologies if the formatting of this post is not set up correctly…

I had posted a previous topic with the same content; it was badly edited, so I went ahead and deleted it.

Regards