Hello, I need help with this virus hxxp://getmuzicas.info/?

Good afternoon. After reading your reply, I did what I was told; attached here are the logs that the scans produced.

Hello,

Can you follow English instructions?

1. Start PowerShell (go to Modern UI aka Metro) and on Search type ‘powershell’ and load the command (blue) prompt. Right click > . . as Administrator.
http://www.mcshield.net/personal/magna86/Shell/Power1.jpg

The blue window (blue command prompt) will appear. Type the following and then press Enter to run the command:

Get-BitsTransfer -AllUsers | Remove-BitsTransfer

http://www.mcshield.net/personal/magna86/Shell/power2.jpg

2. Please download TFC by OldTimer to your desktop

- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

3. Does the avast! warning still occur?
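
Added example, not part of the original post or the helper's instructions: step 1 deletes every queued BITS job, so the record of what was queued is gone once it runs. This PowerShell script, run from the same elevated prompt beforehand, saves the job list to a CSV first. The watched domain defaults to the one reported in the first post, and the report path is an assumption.

```powershell
# Added example: inventory BITS jobs for all users before clearing them.
# $WatchHost defaults to the domain reported in the first post; whether any
# job really references it is what this script checks, not a known finding.
param(
    [string]$WatchHost  = 'getmuzicas.info',
    [string]$ReportPath = "$env:USERPROFILE\Desktop\bits-jobs.csv"   # assumed output path
)

Import-Module BitsTransfer

$rows = foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
    # A job can exist with no files attached; still record it once.
    $files = @($job.FileList)
    if ($files.Count -eq 0) { $files = @($null) }

    foreach ($file in $files) {
        # Parse the remote URL so the comparison is on the host name only.
        $uri = $null
        $remoteHost = $null
        if ([System.Uri]::TryCreate([string]$file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
            $remoteHost = $uri.Host
        }
        $match = $remoteHost -and (
            $remoteHost -eq $WatchHost -or
            $remoteHost.EndsWith(".$WatchHost", [System.StringComparison]::OrdinalIgnoreCase)
        )
        [pscustomobject]@{
            JobId        = $job.JobId
            DisplayName  = $job.DisplayName
            Owner        = $job.OwnerAccount
            State        = $job.JobState
            Created      = $job.CreationTime
            RemoteName   = $file.RemoteName
            LocalName    = $file.LocalName
            MatchesWatch = [bool]$match
        }
    }
}

if (-not $rows) { Write-Output 'No BITS jobs found for any user.'; return }

# Keep the full record on disk, then show the watched entries first.
$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Sort-Object MatchesWatch -Descending |
    Format-Table DisplayName, Owner, State, RemoteName, MatchesWatch -AutoSize
```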

Good afternoon. After reading the reply that was sent, I carried out the steps and the virus problem still persists.

Hi,

Someone shall kindly translate if necessary.

Are you aware of the presence of a keylogger in your system?

The following FixList shall target the bad ‘things’ but not the keylogger itself until you give me the green light for that.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

```
Start
File: C:\ProgramData\DatacardService\HWDeviceService64.exe
File: C:\Program Files (x86)\iSafe\iSafeSvc.exe
Reboot:
C:\Users\Eliecer\AppData\Local\Temp
CMD: bitsadmin /reset /allusers
Hosts:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3004103921-1991663305-3280852458-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3004103921-1991663305-3280852458-1001\...\MountPoints2: {3a3b4b1a-cb3d-11e2-be71-089e017b95ce} - "E:\Startme.exe"
HKU\S-1-5-21-3004103921-1991663305-3280852458-1001\...\MountPoints2: {56437c76-bd24-11e3-be8a-806e6f6e6963} - "E:\AutoRun.exe"
HKU\S-1-5-21-3004103921-1991663305-3280852458-1001\...\MountPoints2: {56437d6a-bd24-11e3-be8a-089e017b95ce} - "E:\AutoRun.exe"
HKU\S-1-5-21-3004103921-1991663305-3280852458-1001\...\MountPoints2: {56438187-bd24-11e3-be8a-089e017b95ce} - "E:\AutoRun.exe"
HKU\S-1-5-21-3004103921-1991663305-3280852458-1001\...\MountPoints2: {980020bb-bd7c-11e3-be8c-089e017b95ce} - "E:\AutoRun.exe"
SearchScopes: HKCU - {6510F333-17B8-4B4B-8837-7C66F574C9D5} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM-x32 - No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {95C8A45E-B6C9-4910-9491-FDFA86E4B20F} - System32\Tasks\Rocket Updater => C:\Users\Eliecer\AppData\Roaming\ROCKET~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\windows\Tasks\Rocket Updater.job => C:\Users\Eliecer\AppData\Roaming\ROCKET~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1
End
```

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Good afternoon, here I am sending you the reply.

Hi,

Do not change the contents of FixList. By changing it you create an unusable script. Repeat the above step and execute FixList one more time.

=> Are you aware of the presence of a keylogger in your system?

Hello gussmns1

Magna86 asks that you do not change the content of the code he posts. It seems that something in the list was changed and it is unusable.

You have to copy everything that is in the blue box, paste it into Notepad and save it as fixlist.txt on the desktop. It is very important that FRST/FRST64 and fixlist.txt are in the same place. In this case, on the desktop. Click just once where it says "Fix" and wait. FRST will create a report named Fixlog.txt. Attach it to your next reply.

In his first post, magna86 asks whether you are aware that you have a keylogger. The script (the code he gave you) does not remove it, since there are good keyloggers and bad ones, and he wants to know whether you installed it before removing it.

NOTICE: The scripts that the specialist provides for removal in FIXLIST are exclusively for this user and system. Doing the same on another PC could disable programs or the system itself.

Thank you iroc9555 for stepping in. You are a saviour. :smiley:

You are welcome. No problem. I’ve been busy lately so I hope I can give some help here. I understand this infection is being a headache and that the vector is hard to find.

One question though. What did he change in your script? Did he miss a line or add one?

You are welcome. No problem. I've been busy lately so I hope I can give some help here. I understand this infection is being a headache and that the vector is hard to find.

Yes, it was but now we know the source. :slight_smile:

One question though. What did he change in your script? Did he miss a line or add one?

He has translated the script itself and FRST does not know the language difference.

Good morning. I apologize for the earlier mistake; here I am sending you the correct reply.

@iroc9555

Can you please tell the user to re-try to repeat the PowerShell steps described here.
https://forum.avast.com/index.php?topic=152319.msg1106645#msg1106645

Also, I need to know whether he is aware of the keylogger installed on his machine. Help & thanks … :smiley:

@Gussmns1

Magna86 wants you to run the PowerShell procedure that he indicated to you here:
https://forum.avast.com/index.php?topic=152319.msg1106645#msg1106645

On your Metro desktop, search for "powershell". When it appears, right-click it and choose "Run as administrator" http://www.mcshield.net/personal/magna86/Shell/Power1.jpg

The PowerShell command prompt window will appear. Type the following command exactly:

Get-BitsTransfer -AllUsers | Remove-BitsTransfer

It will look like this: http://www.mcshield.net/personal/magna86/Shell/power2.jpg

Magna also wants to know what you want to do with the keylogger(s) you have installed.

@Magna86

I already warned him about the keylogger, but I warned him again in case he did not see my post.

Thank you. :wink: