Hola @Nestor_Bautista
Por lo general una vez que el Ransomware encripta los archivos se auto-elimina.
Lo que no puedo asegurarte que las infecciones que tienes fueron anteriores o posteriores a el.
Sigue estos pasos:
Paso 1: Desinstala con Revo Uninstaller en su Modo Avanzado:
- Avast Secure Browser
Paso 2:
1.- Muy Importante >>> Realizar nuevamente una copia de Seguridad de su Registro.
- Descarga/Ejecuta DelFix desde el escritorio de Windows.
- Clic Derecho, “Ejecutar como Administrador”.
- En la ventana principal, marca solamente la casilla “Create Registry Backup”.
- Clic en Run.
Al terminar se abrirá un reporte llamado DelFix.txt, guárdelo por si fuera necesario y cierre la herramienta…
Luego vaya a::
2.- Inicio >>> Ejecutar >>> Escribe notepad.exe o abra un nuevo archivo Notepad y copie y pegue lo siguiente:
Start
CloseProcesses:
HKU\S-1-5-21-3019253350-1869777649-2031913490-1001\...\MountPoints2: {691879c7-4a6a-11e8-93cf-50b7c328e4ff} - D:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3019253350-1869777649-2031913490-1001\...\MountPoints2: {6ec7b8a6-cc6e-11e7-addb-026405650c72} - E:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3019253350-1869777649-2031913490-1001\...\MountPoints2: {d9df4015-6b3c-11e4-bc3c-ad9e4fc31700} - "E:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3019253350-1869777649-2031913490-1001\...\MountPoints2: {ef12470d-3a05-11e8-b01f-e8039a524421} - F:\HiSuiteDownLoader.exe
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A8504530-742B-42BC-895D-2BAD6406F698}] -> C:\Program Files (x86)\AVAST Software\Browser\Application\80.0.3765.150\Installer\chrmstp.exe [2020-04-03] (Avast Software s.r.o. -> AVAST Software)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> "C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restricción <==== ATENCIÓN
CHR HKLM\SOFTWARE\Policies\Google: Restricción <==== ATENCIÓN
Task: {102372FF-7D6A-45B9-8518-143DA204C37E} - System32\Tasks\AvastUpdateTaskMachineCore => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [199376 2020-04-03] (AVAST Software s.r.o. -> AVAST Software)
Task: {4DC0A41A-19F5-49B0-9EC4-823664F0E544} - System32\Tasks\{A0BBFDA5-94D7-4E4C-A5E5-E996B1246F94} => C:\windows\system32\pcalua.exe -a C:\Users\Silvia\Downloads\Bluetooth_WXP_5.6.0.7000\Setup.exe -d C:\Users\Silvia\Downloads\Bluetooth_WXP_5.6.0.7000
Task: {4E126E8E-475A-43E6-AC06-DF11F090B852} - System32\Tasks\Avast Secure Browser Heartbeat Task (Hourly) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe [2023832 2020-03-19] (Avast Software s.r.o. -> AVAST Software)
Task: {9552FE36-563A-4B5F-9619-6B3054254A58} - System32\Tasks\{5E67FCAB-95A2-407B-8540-3DBF0633D43A} => C:\windows\system32\pcalua.exe -a C:\Users\Silvia\Downloads\Bluetooth_WXP_5.6.0.7000\Setup.exe -d C:\Users\Silvia\Downloads\Bluetooth_WXP_5.6.0.7000
Task: {95830D8C-568F-41A3-BACB-9C7DB1DA63F9} - System32\Tasks\AvastUpdateTaskMachineUA => C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe [199376 2020-04-03] (AVAST Software s.r.o. -> AVAST Software)
Task: {E0064E95-87BF-4C81-A400-28B3CD3496F3} - System32\Tasks\Avast Secure Browser Heartbeat Task (Logon) => C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe [2023832 2020-03-19] (Avast Software s.r.o. -> AVAST Software)
Task: C:\windows\Tasks\GridinSoft Anti-Malware.job => C:\Program Files\GridinSoft Anti-Malware\gsam.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restricción <==== ATENCIÓN
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
URLSearchHook: [S-1-5-21-3019253350-1869777649-2031913490-1000] ATENCIÓN => No se encuentra URLSearchHook predeterminado
FF Plugin-x32: @update.avastbrowser.com/Avast Browser;version=3 -> C:\Program Files (x86)\AVAST Software\Browser\Update\1.6.605.0\npAvastBrowserUpdate3.dll [2020-04-03] (AVAST Software s.r.o. -> AVAST Software)
FF Plugin-x32: @update.avastbrowser.com/Avast Browser;version=9 -> C:\Program Files (x86)\AVAST Software\Browser\Update\1.6.605.0\npAvastBrowserUpdate3.dll [2020-04-03] (AVAST Software s.r.o. -> AVAST Software)
CHR HKU\S-1-5-21-3019253350-1869777649-2031913490-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd]
"mdxhosqg" => servicio fue desbloqueado. <==== ATENCIÓN
S2 mdxhosqg; C:\windows\SysWOW64\mdxhosqg\tfesdnvp.exe [X]
2020-04-02 15:15 - 2020-04-03 10:32 - 000000000 ____D C:\windows\SysWOW64\mdxhosqg
S3 AvastSecureBrowserElevationService; C:\Program Files (x86)\AVAST Software\Browser\Application\80.0.3765.150\elevation_service.exe [1124080 2020-03-19] (Avast Software s.r.o. -> AVAST Software)
S4 HuaweiHiSuiteService64.exe; "C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe" -/service [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [X]
2020-04-03 22:35 - 2020-04-03 22:35 - 000003150 _____ C:\windows\system32\Tasks\Avast Secure Browser Heartbeat Task (Logon)
2020-04-03 22:35 - 2020-04-03 22:35 - 000002513 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Secure Browser.lnk
2020-04-03 22:35 - 2020-04-03 22:35 - 000002470 _____ C:\Users\Public\Desktop\Avast Secure Browser.lnk
2020-04-03 22:35 - 2020-04-03 22:35 - 000002470 _____ C:\ProgramData\Desktop\Avast Secure Browser.lnk
2020-04-03 22:32 - 2020-04-03 22:35 - 000000000 ____D C:\Program Files (x86)\GUM81BA.tmp
2020-04-03 10:30 - 2020-04-03 10:30 - 000000000 ____D C:\Users\Silvia\AppData\Local\Avg
2020-04-03 10:25 - 2020-04-03 20:06 - 000000000 ____D C:\ProgramData\AVG
2020-04-02 22:32 - 2020-04-03 01:47 - 000000298 _____ C:\windows\Tasks\GridinSoft Anti-Malware.job
2020-04-02 22:31 - 2020-04-03 20:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
2020-04-02 22:31 - 2020-04-02 22:31 - 000000000 ____D C:\ProgramData\GridinSoft
2020-04-02 22:30 - 2020-04-03 20:12 - 000000000 ____D C:\Program Files\GridinSoft Anti-Malware
2020-04-02 22:26 - 2020-04-02 22:26 - 000873360 _____ (GridinSoft LLC) C:\Users\Silvia\Downloads\GridinsoftAntimalwareSetup.exe
2020-04-02 21:03 - 2020-04-02 21:03 - 000000000 ____D C:\ProgramData\{04C9DB65-CA85-A95B-5E3D-DADD0C3A3A39}
2020-04-02 20:14 - 2020-04-02 20:14 - 006455520 _____ (EnigmaSoft Limited) C:\Users\Silvia\Downloads\SpyHunter-Installer (2).exe
2020-04-02 19:54 - 2020-04-02 20:12 - 000000000 ____D C:\Users\Silvia\AppData\Local\f36b8218-8d34-4b45-9f14-9b413919ef74
2020-04-02 18:42 - 2020-04-02 19:53 - 000000000 ____D C:\Users\Silvia\AppData\Local\a4d0756c-bef0-4082-b499-a997d57b5d10
2020-04-02 15:15 - 2020-04-03 10:32 - 000000000 ____D C:\windows\SysWOW64\mdxhosqg
2020-04-02 15:09 - 2020-04-02 15:28 - 003253190 _____ C:\Users\Silvia\Downloads\aTube_Catcher_4116030618.exe.mado
2020-03-23 11:56 - 2020-04-02 15:32 - 011299046 _____ C:\Users\Silvia\Downloads\ZoomInstaller.exe.mado
2020-03-12 16:47 - 2020-03-12 16:47 - 000000000 ____D C:\Users\Silvia\AppData\Local\{20D8F1E0-6E7C-4B83-860E-04F3068195F4}
2020-04-02 20:21 - 2015-12-20 00:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dr Prot Antivirus
2020-04-02 15:43 - 2019-01-30 23:52 - 001292506 ____H C:\Users\Invitado\AppData\Local\IconCache.db.mado
2020-04-02 15:32 - 2019-10-14 22:02 - 004542486 _____ C:\Users\Silvia\Downloads\RadiAnt-5.0.2-Setup.exe.mado
2020-04-02 15:32 - 2019-06-15 12:35 - 049890230 _____ C:\Users\Silvia\Downloads\Setup.exe.mado
2020-04-02 15:32 - 2019-01-21 15:53 - 005473934 _____ C:\Users\Silvia\Downloads\recuva-1-53-1087.exe.mado
2020-04-02 15:32 - 2015-05-21 00:07 - 005576968 _____ C:\Users\Silvia\Downloads\npp.5.9.Installer.exe.mado
2020-04-02 15:28 - 2019-06-27 20:55 - 000228878 _____ C:\Users\Silvia\Downloads\avast_free_antivirus_setup_online.exe.mado
2020-04-02 15:28 - 2018-10-29 19:04 - 039501055 _____ C:\Users\Silvia\Downloads\Craniofacial Pain - H. Piekartz (Elsevier, 2007) WW.pdf.crdownload.mado
2020-04-02 15:28 - 2017-09-06 23:24 - 002285926 _____ C:\Users\Silvia\Documents\winrar-x64-540es.exe.mado
2020-04-02 15:28 - 2017-07-04 18:56 - 001202518 _____ C:\Users\Silvia\Downloads\flashplayer26pp_xa_install.exe.mado
2020-04-02 15:28 - 2016-12-19 19:38 - 000016688 ____H C:\Users\Silvia\Documents\~WRL3396.tmp.mado
2020-04-02 15:28 - 2016-12-11 20:21 - 000118722 _____ C:\Users\Silvia\Downloads\5CAA.tmp.mado
2020-04-02 15:28 - 2016-09-12 00:44 - 000016731 ____H C:\Users\Silvia\Documents\~WRL0005.tmp.mado
2020-04-02 15:28 - 2016-04-01 21:06 - 000013795 ____H C:\Users\Silvia\Documents\~WRL2437.tmp.mado
2016-12-17 12:36 - 2016-12-17 12:36 - 007680000 _____ () C:\Program Files (x86)\GUTAC02.tmp
ShellIconOverlayIdentifiers: [BaiduAntivirusIconLock] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} => -> Ningún archivo
ContextMenuHandlers1: [Baidu_Scan] -> [CC]{0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => -> Ningún archivo
ContextMenuHandlers2: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavShx64.dll -> Ningún archivo
ContextMenuHandlers6: [Baidu_Scan] -> {0A93904A-BB1E-4a0c-9753-B57B9AE272CB} => C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavShx64.dll -> Ningún archivo
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]
MSCONFIG\startupreg: RRJVYSR4O6WXHT2 => "C:\Program Files\8UYDOGEHY9\8UYDOGEHY.exe"
FirewallRules: [TCP Query User{27FAAE41-41BE-43DA-8A01-C4625E40BB72}D:\easysetupassistant\easysetupassistant.exe] => (Allow) D:\easysetupassistant\easysetupassistant.exe Ningún archivo
FirewallRules: [UDP Query User{D6838BA3-06E4-4C8B-A86E-03F585CA5384}D:\easysetupassistant\easysetupassistant.exe] => (Allow) D:\easysetupassistant\easysetupassistant.exe Ningún archivo
FirewallRules: [TCP Query User{15A63724-382D-423C-8D68-7FA2E2E3AA20}D:\easysetupassistant\tssh2.exe] => (Allow) D:\easysetupassistant\tssh2.exe Ningún archivo
FirewallRules: [UDP Query User{EE185765-F42E-4E0F-9E16-56E8B9B35AE2}D:\easysetupassistant\tssh2.exe] => (Allow) D:\easysetupassis
FirewallRules: [TCP Query User{A88924A8-2402-4F44-9552-AC26D3175FEB}C:\program files (x86)\pc remote receiver1\pcremotereceiver.exe] => (Allow) C:\program files (x86)\pc remote receiver1\pcremotereceiver.exe Ningún archivo
FirewallRules: [UDP Query User{B6D85801-02EF-4C81-8051-15A80ACC2F5F}C:\program files (x86)\pc remote receiver1\pcremotereceiver.exe] => (Allow) C:\program files (x86)\pc remote receiver1\pcremotereceiver.exe Ningún archivo
FirewallRules: [TCP Query User{94DC313A-7C59-45BE-A9CD-A631F3463980}C:\program files (x86)\pc remote receiver1\monectmediacenter.exe] => (Allow) C:\program files (x86)\pc remote receiver1\monectmediacenter.exe Ningún archivo
FirewallRules: [UDP Query User{E33C42BC-2870-4DE8-A919-682384ECF4E9}C:\program files (x86)\pc remote receiver1\monectmediacenter.exe] => (Allow) C:\program files (x86)\pc remote receiver1\monectmediacenter.exe Ningún archivo
FirewallRules: [{1A628C10-52C5-4F4D-BA3D-1DE5AD9BBB2B}] => (Allow) C:\Users\Silvia\AppData\Roaming\Zoom\bin\airhost.exe Ningún archivo
C:\Program Files\GridinSoft Anti-Malware
CMD: ipconfig /flushdns
CMD: ipconfig /renew
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
Hosts:
END
- Lo guarda bajo el nombre de fixlist.txt en el escritorio <<< Esto es muy importante.
Nota: Es necesario que el ejecutable Frst.exe/Frst64.exe y fixlist.txt se encuentren en la misma ubicación (escritorio) o si no la herramienta no trabajará.
3.- Inicie su ordenador en >>> Modo Seguro
- Ejecute Frst.exe o Frst64.exe. según el caso.
- Presione el botón Fix y aguarde a que termine.
- La Herramienta guardará el reporte en su escritorio (Fixlog.txt).
- Reinicia y lo pega en su próxima respuesta.
Nos comentas…
Salu2