Hello, let me introduce myself: my name is Hernán. I have followed the forum for years; I think this is the first time I post. I am an IT technician, and I have a server running Windows Server 2008 R2 which, after several cleanups, is still infected: every 48/72 hours files get copied into the Public folder that the antivirus detects and deletes or quarantines, but I have not managed to disinfect it completely for several weeks now. Details below.
I have scanned the system with the programs I list below. I have done it more than once with several of them.
The computer had the free version of the Fortinet antivirus, which the previous technician installed and which I did not want to remove even though I distrusted it. Now that it has become infected I have installed Immunet. I ran several scans and, since it never finished cleaning, I tried running Symantec Endpoint Security alongside it. The Immunet site states that it can work alongside other AVs.
Now, after two weeks, I have uninstalled Symantec, kept Immunet, and installed Microsoft Security Essentials alongside Immunet.
The symptoms persist and are the following: every 48/72 hours, virus-infected files are generated in the Public folder, which the antiviruses detect and delete.
But I cannot remove the infection completely; when I think I have cleaned it, 72 hours go by, the files are generated again and the AV stops them again.
The programs I have scanned with are the following:
ESET Online Scanner
Panda Cloud Cleaner
Adwcleaner
Malwarebytes
Microsoft Safety Scanner
HitmanPro
Trend Micro HouseCall
Spybot-S&D Start Center
Start Emergency Kit Scanner
SUPERAntiSpyware Professional
SpyHunter 5
To repeat the symptoms: every 48 or 72 hours, files with the following names get copied into the Public folder:
Dll.vbe (win.dropper.spyme)
Dll.exe
Sqlservers.exe (clam.win.coinminner.generic.7151250)
I also cleaned with CCleaner. Below is the HiJackThis log.
I appreciate any help; I was thinking of running a scan from a live CD, if you can advise me on that. On the network there are 4 other PCs with AVAST FREE that detect nothing; they are clean, but I cleaned them anyway. Also, the virus runs at night, at hours when the office is closed and all the computers on the network are switched off, and only the server stays on. Thank you very much.
Logfile of HiJackThis Fork by Alex Dragokas v.2.9.0.18
Platform: x64 Windows Server 2008 R2 (Server Enterprise (full installation)), 6.1.7601.24536, Service Pack: 1
Time: 05.12.2019 - 19:40 (UTC-03:00)
Language: OS: Spanish (0xC0A). Display: Spanish (0xC0A). Non-Unicode: Spanish (0x2C0A)
Elevated: Yes
Ran by: Administrador (group: Administrator) on SERVER , FirstRun: no
Chrome: 78.0.3904.108
Internet Explorer: 11.0.9600.19541
Default: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Chrome)
Boot mode: Normal
Running processes:
Number | Path
1 C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
3 C:\Program Files (x86)\AnyDesk\AnyDesk.exe
1 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1 C:\Program Files (x86)\Common Files\microsoft shared\VS7Debug\mdm.exe
1 C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
1 C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
1 C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
1 C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
1 C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
1 C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
1 C:\Program Files\BROCADE\Adapter\driver\util\hbaagent\bin\hcmagent.exe
1 C:\Program Files\CCleaner\CCleaner64.exe
1 C:\Program Files\Emulex\Util\Common\HbaHsMgr.exe
1 C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
1 C:\Program Files\HitmanPro\hmpsched.exe
1 C:\Program Files\Immunet\7.0.2\cscm.exe
1 C:\Program Files\Immunet\7.0.2\iptray.exe
1 C:\Program Files\Immunet\7.0.2\sfc.exe
1 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
1 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
1 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
1 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
1 C:\Program Files\Microsoft Security Client\MsMpEng.exe
1 C:\Program Files\Microsoft Security Client\msseces.exe
1 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
2 C:\SISTEMA\Apache Control\bin\apache\bin\apache.exe
1 C:\SISTEMA\SUPERMER\BIN\Clientes.exe
1 C:\SISTEMA\SUPERMER\BIN\Menu.exe
1 C:\Users\Administrador\Downloads\HiJackThis.exe
1 C:\Users\Administrador\Downloads\MSERT.exe
1 C:\Windows\System32\IPROSetMonitor.exe
1 C:\Windows\System32\MtxHotPlugService.exe
1 C:\Windows\System32\cmd.exe
2 C:\Windows\System32\conhost.exe
2 C:\Windows\System32\csrss.exe
1 C:\Windows\System32\dwm.exe
1 C:\Windows\System32\inetsrv\inetinfo.exe
1 C:\Windows\System32\lsass.exe
1 C:\Windows\System32\lsm.exe
1 C:\Windows\System32\mqsvc.exe
1 C:\Windows\System32\msdtc.exe
1 C:\Windows\System32\services.exe
1 C:\Windows\System32\smss.exe
1 C:\Windows\System32\spoolsv.exe
14 C:\Windows\System32\svchost.exe
1 C:\Windows\System32\wininit.exe
1 C:\Windows\System32\winlogon.exe
1 C:\Windows\explorer.exe
1 C:\Windows\splwow64.exe
1 \\servercodiser\sistema\SUPERMER\BIN_SINCRO\SincronizadorDeDatos.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main: [Start Page] = https://ar.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1006\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1006\Software\Microsoft\Internet Explorer\Main: [First Home Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1006\Software\Microsoft\Internet Explorer\Main: [Start Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1008\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1008\Software\Microsoft\Internet Explorer\Main: [First Home Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1008\Software\Microsoft\Internet Explorer\Main: [Start Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1011\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1011\Software\Microsoft\Internet Explorer\Main: [First Home Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1011\Software\Microsoft\Internet Explorer\Main: [Start Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1012\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1012\Software\Microsoft\Internet Explorer\Main: [First Home Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1012\Software\Microsoft\Internet Explorer\Main: [Start Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1014\Software\Microsoft\Internet Explorer\Main: [Default_Page_URL] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1014\Software\Microsoft\Internet Explorer\Main: [First Home Page] = res://iesetup.dll/HardUser.htm
R0 - HKU\S-1-5-21-1290145888-3760638704-4044190752-1014\Software\Microsoft\Internet Explorer\Main: [Start Page] = res://iesetup.dll/HardUser.htm
R4 - SearchScopes: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{619FFEC0-9883-40F8-AC33-AE03E39EC320}: [SuggestionsURL] = https://ar.search.yahoo.com/sugg/ie?command={SearchTerms}&appid=i&output=osxml&appid=chrie - Yahoo Search
R4 - SearchScopes: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{619FFEC0-9883-40F8-AC33-AE03E39EC320}: [URL] = https://ar.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default - Yahoo Search
O1 - Hosts: Reset contents to default
O1 - Hosts: 127.0.0.1 www.zoomcheck.info
O2-32 - HKLM\..\BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2ssv.dll
O2-32 - HKLM\..\BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssv.dll
O4 - Global User Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk -> C:\Program Files (x86)\AnyDesk\AnyDesk.exe --control
O4 - HKCU\..\Run: [CCleaner Monitoring] = C:\Program Files\CCleaner\CCleaner64.exe /MONITOR
O4 - HKLM\..\Run: [MSC] = c:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey
O4 - HKLM\..\Run: [MtxHotPlugService] = C:\Windows\system32\MtxHotPlugService.exe v
O4 - HKLM\..\Session Manager: [BootExecute] = C:\Windows\system32\sdnclean64.exe
O4 - HKLM\..\Session Manager: [BootExecute] = bootdelete (file missing)
O4 - MSConfig\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^APC UPS Status.lnk [backup] => C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe (2019/04/04)
O4 - MSConfig\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk [backup] => C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE -b -l (2019/04/04)
O4 - User Startup: C:\Users\Administrador\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sincronizador.bat - Acceso directo.lnk -> F:\SUPERMER\BIN_SINCRO\Sincronizador.bat
O4-32 - HKLM\..\Run: [Immunet Protect] = C:\Program Files\Immunet\7.0.2\iptray.exe
O4-32 - HKLM\..\Run: [SDTray] = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
O6 - IE Policy: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel - present
O15 - Trusted Zone: http://1.www.s81c.com
O15 - Trusted Zone: http://2542116.fls.doubleclick.net
O15 - Trusted Zone: http://www-933.ibm.com
O15 - Trusted Zone: http://www.google-analytics.com
O15 - Trusted Zone: http://www.tecnolar.com.ar
O15 - Trusted Zone: https://apis.google.com
O15 - Trusted Zone: https://dl.google.com
O15 - Trusted Zone: https://segment-pixel.invitemedia.com
O15 - Trusted Zone: https://www.google.com.ar
O15 - Trusted Zone: https://www.googleadservices.com
O16-32 - DPF: HKLM\..\{5AE58FCF-6F6A-49B2-B064-02492C66E3F4}\DownloadInformation: MUCatalogWebControl Class [CODEBASE] = http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1383831475954
O17 - DHCP DNS 1: 8.8.8.8 (Well-known DNS: Google)
O17 - DHCP DNS 2: 8.8.4.4 (Well-known DNS: Google)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70B7452-EAD7-4A1B-91EB-8C91AE036040}: [NameServer] = 8.8.4.4 (Well-known DNS: Google)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70B7452-EAD7-4A1B-91EB-8C91AE036040}: [NameServer] = 8.8.8.8 (Well-known DNS: Google)
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{E70B7452-EAD7-4A1B-91EB-8C91AE036040}: [NameServer] = 8.8.4.4 (Well-known DNS: Google)
O17 - HKLM\System\ControlSet002\Services\Tcpip\..\{E70B7452-EAD7-4A1B-91EB-8C91AE036040}: [NameServer] = 8.8.8.8 (Well-known DNS: Google)
O18 - HKLM\Software\Classes\Protocols\Handler\ms-help: [CLSID] = {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
O18 - HKLM\Software\Classes\Protocols\Handler\ms-itss: [CLSID] = {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - HKLM\Software\Classes\Protocols\Handler\msdaipp\0x00000001: [CLSID] = {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\OLE DB\msdaipp.dll
O18 - HKLM\Software\Classes\Protocols\Handler\msdaipp\oledb: [CLSID] = {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\OLE DB\msdaipp.dll
O20-32 - HKLM\..\Winlogon\Notify\SDWinLogon: [DllName] = SDWinLogon.dll (file missing)
O22 - Task (.job): (Ready) SUPERAntiSpyware Scheduled Task 38e10d51-91c4-4078-910c-d6dae7dbe491.job - C:\Program Files\SUPERAntiSpyware\SASTask.exe "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" /TASK:38e10d51-91c4-4078-910c-d6dae7dbe491
O22 - Task (.job): (Ready) SUPERAntiSpyware Scheduled Task 636cecce-3a4b-4e3b-92fd-ce85e26f7f43.job - C:\Program Files\SUPERAntiSpyware\SASTask.exe "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" /TASK:636cecce-3a4b-4e3b-92fd-ce85e26f7f43
O23 - Service R2: APC UPS Service - C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
O23 - Service R2: Adobe Acrobat Update Service - (AdobeARMservice) - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service R2: Agente SQL Server (MSSQLSERVER) - (SQLSERVERAGENT) - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE -i MSSQLSERVER
O23 - Service R2: AnyDesk Service - (AnyDesk) - C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service
O23 - Service R2: Brocade HCM Agent Service - (hcmagent) - C:\Program Files\BROCADE\Adapter\driver\util\hbaagent\bin\hcmagent.exe -d -c "C:\Program Files\BROCADE\Adapter\driver\util\hbaagent\conf\abyss.conf"
O23 - Service R2: Búsqueda de texto de SQL Server (MSSQLSERVER) - (msftesql) - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe -s:MSSQL.1 -f:MSSQLSERVER
O23 - Service R2: Diagnostics Tracking Service - (DiagTrack) - C:\Windows\System32\svchost.exe -k utcsvc; "ServiceDll" = C:\Windows\system32\diagtrack.dll
O23 - Service R2: Emulex SvcMgr - C:\Program Files\Emulex\Util\Common\HbaHsMgr.exe
O23 - Service R2: HitmanPro Scheduler - (HitmanProScheduler) - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service R2: Immunet 7.0.2 - (ImmunetProtect_7.0.2) - C:\Program Files\Immunet\7.0.2\sfc.exe
O23 - Service R2: Immunet Security Connector Monitoring Service 7.0.2 - (ImmunetSCMS_7.0.2) - C:\Program Files\Immunet\7.0.2\cscm.exe
O23 - Service R2: Intel(R) PROSet Monitoring Service - C:\Windows\system32\IProsetMonitor.exe
O23 - Service R2: SAS Core Service - (!SASCORE) - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service R2: SQL Server (MSSQLSERVER) - (MSSQLSERVER) - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER
O23 - Service R2: SpyHunter 5 Kernel Monitor - (ShMonitor) - C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
O23 - Service R2: Spybot-S&D 2 Scanner Service - (SDScannerService) - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service R2: Spybot-S&D 2 Updating Service - (SDUpdateService) - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service R2: TeamViewer 9 - (TeamViewer9) - C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service R2: TecnolarApache - C:\SISTEMA\Apache Control\bin\apache\bin\apache.exe -k runservice
O23 - Service S2: Emulex HBA Management - C:\Program Files\Emulex\Util\Common\RMServer.exe
O23 - Service S2: Google Update Servicio (gupdate) - (gupdate) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc
O23 - Service S2: SpyHunter 5 Kernel - (EsgShKernel) - C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
O23 - Service S2: Spybot-S&D 2 Security Center Service - (SDWSCService) - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service S3: Adobe Flash Player Update Service - (AdobeFlashPlayerUpdateSvc) - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service S3: Emulex MILI Management - (Emulex Management Interface Library v2) - C:\Program Files\Emulex\Util\Common\MILI2Service.exe
O23 - Service S3: Google Chrome Elevation Service - (GoogleChromeElevationService) - C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\elevation_service.exe
O23 - Service S3: Google Update Servicio (gupdatem) - (gupdatem) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /medsvc
O23 - Service S3: Malwarebytes Service - (MBAMService) - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
O23 - Service S3: Symantec Network Access Control - (SNAC) - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.1015.0100.105\Bin64\snac64.exe
--
End of file
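The key observation in the post is that the files come back on a 48/72 hour cycle, at night, with every other machine off and only the server on. That is the behaviour of something that runs unattended on a schedule on the server itself, and the scanners listed look for known malicious files rather than showing what re-creates them. The script below is an added example, not code from the poster or from any tool named in the thread. It takes a defender's first step: it writes a baseline of the execution paths that can run a program on a schedule with nobody logged in (scheduled tasks, permanent WMI event subscriptions, Run keys, SQL Server Agent jobs and the xp_cmdshell setting, since the log shows SQL Server and its Agent running), and then watches the Public folder so the next recurrence is logged with an exact timestamp that can be matched against those schedules. It assumes it is run elevated on the affected server, PowerShell 2.0 or later (the version shipped with Windows Server 2008 R2), and a local default SQL Server instance that accepts Windows authentication; `$OutDir` and `$WatchPath` are hypothetical values to adjust before use.

```powershell
# Added example (not code from the poster or from any tool named in the thread):
# a defender's triage script for a server where files keep reappearing on a fixed
# cycle. It records the unattended execution paths that could re-create them
# (scheduled tasks, WMI event subscriptions, Run keys, SQL Server Agent jobs,
# xp_cmdshell state) and then watches the Public folder so the next recurrence is
# logged with an exact timestamp to match against those schedules.
# Assumptions: run elevated on the affected server; PowerShell 2.0 or later; SQL
# Server is the local default instance and accepts Windows authentication. $OutDir
# and $WatchPath are hypothetical values, adjust them before use.

$OutDir    = 'C:\Triage'
$WatchPath = 'C:\Users\Public'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Scheduled tasks (schtasks is used because Get-ScheduledTask does not exist on
#    Windows Server 2008 R2). The verbose CSV includes author, run-as account,
#    next run time and the command each task runs.
schtasks /query /fo CSV /v | Out-File (Join-Path $OutDir 'tasks.csv')

# 2. Permanent WMI event subscriptions: a filter + consumer + binding triple runs a
#    command or script without any task or service of its own.
$ns  = 'root\subscription'
$wmi = Join-Path $OutDir 'wmi_subscriptions.txt'
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Format-List Name, Query | Out-File $wmi
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    Format-List __CLASS, Name, CommandLineTemplate, ExecutablePath, ScriptText |
    Out-File $wmi -Append
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Format-List Filter, Consumer | Out-File $wmi -Append

# 3. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$runOut = Join-Path $OutDir 'run_keys.txt'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "== $key" | Out-File $runOut -Append
        Get-ItemProperty -Path $key | Format-List * | Out-File $runOut -Append
    }
}

# 4. SQL Server Agent jobs and the xp_cmdshell setting. A job step with subsystem
#    CmdExec, or a T-SQL step that calls xp_cmdshell, can run an arbitrary program
#    on a schedule under the SQL Server service account with nobody logged in.
$sqlOut   = Join-Path $OutDir 'sqlagent_jobs.txt'
$jobQuery = @"
SELECT j.name, j.enabled, s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON j.job_id = s.job_id
ORDER BY j.name, s.step_id
"@
$cfgQuery = "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Database=msdb;Integrated Security=True'
try {
    $conn.Open()
    foreach ($q in @($jobQuery, $cfgQuery)) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $q
        $table   = New-Object System.Data.DataTable
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        [void]$adapter.Fill($table)
        $table.Rows | Format-List | Out-File $sqlOut -Append
    }
} catch {
    "SQL query failed: $_" | Out-File $sqlOut -Append
} finally {
    $conn.Close()
}

# 5. Watch the Public folder: every file created or renamed there is logged with a
#    timestamp. FileSystemWatcher does not report the creating process; the time
#    alone is what is needed to match the next recurrence against the schedules
#    captured above.
$eventLog = Join-Path $OutDir 'public_folder_events.log'
$fsw = New-Object System.IO.FileSystemWatcher $WatchPath
$fsw.IncludeSubdirectories = $true
$fsw.EnableRaisingEvents  = $true
$action = {
    $e    = $Event.SourceEventArgs
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
    Add-Content -Path $Event.MessageData -Value $line
}
Register-ObjectEvent -InputObject $fsw -EventName Created -SourceIdentifier PublicCreated `
    -Action $action -MessageData $eventLog | Out-Null
Register-ObjectEvent -InputObject $fsw -EventName Renamed -SourceIdentifier PublicRenamed `
    -Action $action -MessageData $eventLog | Out-Null
Write-Host "Baseline written to $OutDir; watching $WatchPath (leave this session open)."
```

The event handlers live in the PowerShell session that registered them, so the window has to stay open across the 72 hour cycle (or the script can be launched from a task that runs at startup); `Unregister-Event -SourceIdentifier PublicCreated` and the same for `PublicRenamed` stop the watcher. Once `public_folder_events.log` holds a timestamp, the matching entry in `tasks.csv`, the WMI bindings or the Agent job list is the persistence point the file scanners cannot see. To also learn which process wrote the file, enable Process Creation auditing with `auditpol` beforehand (the subcategory name is localized on a Spanish system; `auditpol /list /subcategory:*` shows the local names) and read Security event 4688 at that timestamp.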