Karla, posted May 6

Good evening. After installing Emsisoft Emergency Kit and running a scan, a few malicious files were detected on my computer, which I let it quarantine and delete; however, for one of them it tells me that it cannot be deleted, for my own safety, because it is essential to Windows. The name of this virus is "Trojan.GenericKDZ.87274 (B)". I installed and ran the FRST program and obtained the two Notepad files (FRST and Addition). After this step I don't know how to continue to remove the virus. I would appreciate the help, thank you very much!

Attachments: FRST.txt, Adición.txt
ShadowPuterDude, posted May 6

Hello @Karla, welcome to the Emsisoft Support Forums.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restricción <==== ATENCIÓN
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\Run: [Steam] => C:\Users\karla\AppData\Roaming\NVIDIA\dllhost.exe (Ningún archivo) <==== ATENCIÓN
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\Run: [Chrome Helper] => C:\Users\karla\AppData\Roaming\cipnfudlehwh\sdpqqxqyllaq.exe tqwisgvdzog (Ningún archivo)
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\Run: [Tiokkl] => "C:\Users\karla\AppData\Roaming\Ohccyle\Tiokkl.exe" (Ningún archivo)
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\Run: [Pxhfvxcds] => "C:\Users\karla\AppData\Roaming\Ywtpxlhit\Pxhfvxcds.exe" (Ningún archivo)
Policies: C:\ProgramData\NTUSER.pol: Restricción <==== ATENCIÓN
HKLM\SOFTWARE\Policies\Google: Restricción <==== ATENCIÓN
Task: {31158A32-F9CE-4375-BFDA-E7746E58FC48} - System32\Tasks\A650 => C:\Users\karla\AppData\Local\Temp\A650.exe (Ningún archivo) <==== ATENCIÓN
Task: {364DE673-7BC8-4D48-8B1F-3B9367B1DB75} - System32\Tasks\xhcjncddiUJKcIU2 => rundll32 "C:\Program Files (x86)\ZOBvtrfsU\HVitJi.dll",#1
Task: {3B6A84BF-2724-4977-BBDE-350BCC236472} - System32\Tasks\AdvancedWindowsManager #2 => C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe -v 111 -t 8080 (Ningún archivo) <==== ATENCIÓN
Task: {40A79844-C661-4650-90C9-34BB1ACD8B09} - System32\Tasks\rcDIjQnUgwwbXHdrHfL2 => rundll32 "C:\Program Files (x86)\QuILNQXkoOJxC\kPgQBAY.dll",#1
Task: {4150169F-16E9-4110-9C5E-CF6401F33296} - System32\Tasks\Firefox Default Browser Agent 6D6AB84D058BCB17 => C:\Users\karla\AppData\Roaming\ceeifsh.exe (Ningún archivo) <==== ATENCIÓN
Task: {7C24F120-50F3-4D86-8F84-0148AE08866B} - System32\Tasks\qoqfggWacZlVNkXCm2 => rundll32 "C:\Program Files (x86)\VQwJOmwlmqkUQMyiyBR\esEZRGh.dll",#1
Task: {929B3E29-B2FE-4FE5-B469-D38BA9E6280D} - System32\Tasks\AdvancedWindowsManager #1 => C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe -v 110 -t 8080 (Ningún archivo) <==== ATENCIÓN
Task: {9AC6916A-51C3-4EF1-9349-D78027475B5C} - System32\Tasks\Firefox Default Browser Agent F520DCC7228D002C => C:\Users\karla\AppData\Roaming\hjeifsh.exe (Ningún archivo) <==== ATENCIÓN
Task: {B8E7354A-A5CF-4692-9BCA-B67A1EA4F374} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [22890448 2022-05-01] (Microsoft Corporation -> Microsoft Corporation)
"C:\Windows\System32\Tasks\McAfee\McAfee Idle Detection Task" fue desbloqueado. <==== ATENCIÓN
Task: {C6B9C3B8-9904-4E12-AA47-FFE70D4AE9C0} - \Zoocceup -> Ningún archivo <==== ATENCIÓN
Task: {CCD167A3-0D58-4C0F-909E-6C98DBB01E56} - System32\Tasks\dtGjTZsjULAjQc => rundll32 "C:\Program Files (x86)\XRudDFeqqBIU2\MHlVSictOJmiH.dll",#1
Task: {E1C4D8E7-3DED-4BE7-AC70-8CB571E57DE7} - System32\Tasks\AdvancedWindowsManager #3 => C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe -v 112 -t 8080 (Ningún archivo) <==== ATENCIÓN
Task: {E24F9509-E2A1-4D8A-9EC6-342F5945E8DE} - System32\Tasks\AdvancedWindowsManager #5 => C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe -v 114 -t 8080 (Ningún archivo) <==== ATENCIÓN
Task: {E956A64F-5BC8-4A96-ADE7-9F3E863E482D} - System32\Tasks\AdvancedWindowsManager #4 => C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe -v 113 -t 8080 (Ningún archivo) <==== ATENCIÓN
Task: {FC91ED86-BDE8-46F6-A200-BD4C9C07FAF4} - System32\Tasks\AdvancedWindowsManager #6 => C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe -v 115 -t 8080 (Ningún archivo) <==== ATENCIÓN
S2 HPJumpStartBridge; c:\Program Files (x86)\HP\HP JumpStart Bridge\HPJumpStartBridge.exe [0 2022-04-28] () <==== ATENCIÓN [cero bytes Archivo/Carpeta]
2022-05-01 20:25 - 2022-05-01 21:16 - 000238414 _____ C:\Users\karla\OneDrive\Documentos\z8ApkFfkoSP4UqgrRw171EwF.exe.jhgn
2022-05-01 19:53 - 2022-05-01 19:53 - 000003928 _____ C:\WINDOWS\system32\Tasks\AdvancedWindowsManager #6
2022-05-01 19:53 - 2022-05-01 19:53 - 000003928 _____ C:\WINDOWS\system32\Tasks\AdvancedWindowsManager #5
2022-05-01 19:53 - 2022-05-01 19:53 - 000003928 _____ C:\WINDOWS\system32\Tasks\AdvancedWindowsManager #4
2022-05-01 19:53 - 2022-05-01 19:53 - 000003928 _____ C:\WINDOWS\system32\Tasks\AdvancedWindowsManager #3
2022-05-01 19:53 - 2022-05-01 19:53 - 000003928 _____ C:\WINDOWS\system32\Tasks\AdvancedWindowsManager #2
2022-05-01 19:53 - 2022-05-01 19:53 - 000003928 _____ C:\WINDOWS\system32\Tasks\AdvancedWindowsManager #1
2022-05-01 19:51 - 2022-05-01 23:44 - 000000000 ____D C:\Program Files (x86)\YTHVujGyFyUn
2022-05-01 19:51 - 2022-05-01 22:59 - 000000000 ____D C:\Program Files (x86)\ZOBvtrfsU
2022-05-01 19:51 - 2022-05-01 22:59 - 000000000 ____D C:\Program Files (x86)\VQwJOmwlmqkUQMyiyBR
2022-05-01 19:51 - 2022-05-01 22:58 - 000000000 ____D C:\Program Files (x86)\QuILNQXkoOJxC
2022-05-01 19:51 - 2022-05-01 22:50 - 000000000 ____D C:\Program Files (x86)\XRudDFeqqBIU2
2022-05-01 19:51 - 2022-05-01 19:51 - 000003356 _____ C:\WINDOWS\system32\Tasks\dtGjTZsjULAjQc
2022-05-01 19:51 - 2022-05-01 19:51 - 000003034 _____ C:\WINDOWS\system32\Tasks\qoqfggWacZlVNkXCm2
2022-05-01 19:51 - 2022-05-01 19:51 - 000003026 _____ C:\WINDOWS\system32\Tasks\rcDIjQnUgwwbXHdrHfL2
2022-05-01 19:51 - 2022-05-01 19:51 - 000003008 _____ C:\WINDOWS\system32\Tasks\xhcjncddiUJKcIU2
2022-05-01 19:45 - 2022-05-01 20:08 - 000238414 _____ C:\Users\karla\OneDrive\Documentos\sHAzy3ysjpYHsOe3uUwDFp3d.exe.jhgn
2022-05-01 19:45 - 2022-05-01 20:08 - 000238414 _____ C:\Users\karla\OneDrive\Documentos\dBmBCwMVzJO4bwgS2lWCeYsf.exe.jhgn
2022-04-30 14:45 - 2022-04-30 14:45 - 000003830 _____ C:\WINDOWS\system32\Tasks\A650
2022-04-28 23:06 - 2022-04-28 23:06 - 000000000 ____D C:\Users\karla\AppData\Local\Yandex
2022-02-20 19:46 - 2022-02-20 19:46 - 000248375 ___SH () C:\Users\karla\AppData\Roaming\gugrsie
C:\Users\karla\AppData\Roaming\ceeifsh.exe
C:\Users\karla\AppData\Roaming\hjeifsh.exe
C:\Users\karla\AppData\Roaming\NVIDIA\dllhost.exe
C:\Users\karla\AppData\Roaming\cipnfudlehwh
C:\Users\karla\AppData\Roaming\Ohccyle
C:\Users\karla\AppData\Roaming\Ywtpxlhit
C:\Program Files (x86)\QuILNQXkoOJxC
C:\Program Files (x86)\VQwJOmwlmqkUQMyiyBR
C:\Program Files (x86)\XRudDFeqqBIU2
C:\Program Files (x86)\ZOBvtrfsU

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.
Karla, posted May 6 (author)

Hello, I am attaching the "Fixlog" Notepad file, which was generated after following your steps. I will be waiting for the steps to follow to complete the removal of the malicious file. Thank you!

Attachments: Fixlog.txt
ShadowPuterDude, posted May 6

Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit and FRST, and attach the new Emergency Kit and FRST scan reports to your reply. Be sure to let me know how things are running.
Karla, posted May 6 (author)

OK, I attach the scan performed with Emsisoft Emergency Kit and the FRST report.

PS: This was the result shown:

05-05-2022 18:50:32 During the scan, malware "Trojan.GenericKDZ.87274 (B)" was detected in "C:\ProgramData\Microsoft\Zsxg\jgsiaps.js:$" (SHA1: 74417aefc21ebe2bb18f4814306b6715d2794c72)
05-05-2022 18:51:42 During the scan, malware "Trojan.Uztuby.4 (B)" was detected in "C:\Users\karla\AppData\Local\Microsoft\Windows\INetCache\IE \5U2L1X1Q\search_hyperfs_310[1].exe -> (RAR Sfx o) -> [Comment]"

Attachments: FRST.txt, Adición.txt, escaneo_220506-154612.txt
Karla, posted May 10 (author)

I would appreciate your help to know how to continue and be able to remove the malicious file, which it does not allow to be quarantined because it is "indispensable for Windows". I will be waiting for your answer.
ShadowPuterDude, posted May 10

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CHR Extension: (YoutubeDownloader) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo [2022-05-01] [UpdateUrl:hxxps://clients54.google.com/service/update2/crx] <==== ATENCIÓN
CHR Extension: (YoutubeDownloader) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\Guest Profile\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo [2022-05-01] [UpdateUrl:hxxps://clients32.google.com/service/update2/crx] <==== ATENCIÓN
CHR Extension: (YoutubeDownloader) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo [2022-05-01] [UpdateUrl:hxxps://clients65.google.com/service/update2/crx] <==== ATENCIÓN
CHR Extension: (YoutubeDownloader) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo [2022-05-01] [UpdateUrl:hxxps://clients48.google.com/service/update2/crx] <==== ATENCIÓN
CHR Extension: (YoutubeDownloader) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo [2022-05-01] [UpdateUrl:hxxps://clients52.google.com/service/update2/crx] <==== ATENCIÓN
2022-05-01 20:37 - 2022-05-01 20:37 - 000000000 ____H C:\Users\karla\BITF25C.tmp.jhgn
2022-05-01 19:47 - 2022-05-01 19:47 - 000000000 ___HD C:\WINDOWS\msdownld.tmp
2022-04-27 20:37 - 2022-04-27 20:37 - 000000000 ____H C:\Users\karla\BITF490.tmp.jhgn
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\StartupApproved\Run: => "Chrome Helper"
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\StartupApproved\Run: => "SysHelper"
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\StartupApproved\Run: => "Pxhfvxcds"
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\StartupApproved\Run: => "Tiokkl"
C:\$Recycle.Bin\S-1-5-21-2320857334-1221082015-1052767810-1001\$RTJCUO5.exe
C:\ProgramData\Microsoft\Zsxg\jgsiaps.js:$
C:\Users\karla\AppData\Local\Microsoft\Windows\INetCache\IE \5U2L1X1Q\search_hyperfs_310[1].exe

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.
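As an added example (this is not code from the thread, nor Emsisoft's or FRST's own tooling), the following Python script reads FRST log lines of the kinds that went into the two fixlists above and states why each one belongs in a fixlist: a policy restriction on Windows Defender, a Run value whose target file no longer exists, a scheduled task that has rundll32 load a DLL by ordinal from a randomly named Program Files (x86) directory, an autorun in the user-writable AppData\Roaming tree, and a Chrome extension whose update URL is not the Web Store's. The sample log is assembled from lines posted in this thread plus one constructed benign extension entry; the regular expressions, the random-name heuristic and the clients2.google.com check are this example's own assumptions, not FRST's logic.

```python
from __future__ import annotations
import re

# Constructed sample log: nine lines copied from the fixlists in this thread plus one
# benign Chrome extension entry (uBlock Origin, constructed) to show what is not flagged.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restricción <==== ATENCIÓN
Policies: C:\ProgramData\NTUSER.pol: Restricción <==== ATENCIÓN
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\Run: [Steam] => C:\Users\karla\AppData\Roaming\NVIDIA\dllhost.exe (Ningún archivo) <==== ATENCIÓN
HKU\S-1-5-21-2320857334-1221082015-1052767810-1001\...\Run: [Chrome Helper] => C:\Users\karla\AppData\Roaming\cipnfudlehwh\sdpqqxqyllaq.exe tqwisgvdzog (Ningún archivo)
Task: {364DE673-7BC8-4D48-8B1F-3B9367B1DB75} - System32\Tasks\xhcjncddiUJKcIU2 => rundll32 "C:\Program Files (x86)\ZOBvtrfsU\HVitJi.dll",#1
Task: {40A79844-C661-4650-90C9-34BB1ACD8B09} - System32\Tasks\rcDIjQnUgwwbXHdrHfL2 => rundll32 "C:\Program Files (x86)\QuILNQXkoOJxC\kPgQBAY.dll",#1
Task: {4150169F-16E9-4110-9C5E-CF6401F33296} - System32\Tasks\Firefox Default Browser Agent 6D6AB84D058BCB17 => C:\Users\karla\AppData\Roaming\ceeifsh.exe (Ningún archivo) <==== ATENCIÓN
CHR Extension: (YoutubeDownloader) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo [2022-05-01] [UpdateUrl:hxxps://clients54.google.com/service/update2/crx] <==== ATENCIÓN
Task: {B8E7354A-A5CF-4692-9BCA-B67A1EA4F374} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [22890448 2022-05-01] (Microsoft Corporation -> Microsoft Corporation)
CHR Extension: (uBlock Origin) - C:\Users\karla\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2022-05-01] [UpdateUrl:hxxps://clients2.google.com/service/update2/crx]
"""

# FRST appends "<==== ATENCIÓN" (Spanish locale; "ATTENTION" in English) to lines it wants
# a helper to look at, and "(Ningún archivo)" / "(No File)" when the target no longer exists.
ARROW = r'(?: <==== (?:ATENCIÓN|ATTENTION))?$'
TAIL = r'(?: \((?P<status>Ningún archivo|No File)\))?' + ARROW
RUN_RE = re.compile(r'^HKU\\(?P<sid>S-1-5-21-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.+?)' + TAIL)
TASK_RE = re.compile(r'^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.+?) => (?P<target>.+?)' + TAIL)
POLICY_RE = re.compile(r'^(?:HKLM\\SOFTWARE\\Policies\\(?P<key>.+?)|Policies: (?P<file>.+?)): (?:Restricción|Restriction)')
CHR_RE = re.compile(r'^CHR Extension: \((?P<name>[^)]*)\) - (?P<path>.+?) \[[\d-]+\](?: \[UpdateUrl:(?P<url>[^\]]+)\])?' + ARROW)
RUNDLL_RE = re.compile(r'^rundll32 "(?P<dll>[^"]+)",#(?P<ordinal>\d+)$')
PF86_RE = re.compile(r'^C:\\Program Files \(x86\)\\(?P<dir>[^\\]+)\\', re.IGNORECASE)
ROAMING_RE = re.compile(r'\\AppData\\Roaming\\', re.IGNORECASE)
WEBSTORE_HOST = 'clients2.google.com'   # host the Chrome Web Store serves extension updates from


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption) for generated directory names such as
    QuILNQXkoOJxC: one alphanumeric token of 8+ chars in which an upper-case letter
    follows a lower-case one at least twice. Vendor names are normally Capitalized or
    ALLCAPS and score zero or one, so a single switch is not enough."""
    if len(name) < 8 or not name.isalnum():
        return False
    return sum(a.islower() and b.isupper() for a, b in zip(name, name[1:])) >= 2


def classify(line: str) -> list[str]:
    """Return the reasons an FRST log line belongs in a fixlist (empty list = benign)."""
    reasons: list[str] = []
    if m := POLICY_RE.match(line):
        what = m.group('key') or m.group('file')
        reasons.append(f'policy restriction set on {what}')
        if 'Windows Defender' in what:
            reasons.append('Windows Defender is disabled by policy')
    elif m := RUN_RE.match(line):
        if m.group('status'):
            reasons.append(f'orphaned Run value [{m.group("name")}]: target no longer exists')
        if ROAMING_RE.search(m.group('target')):
            reasons.append('autorun launches from user-writable AppData\\Roaming')
    elif m := TASK_RE.match(line):
        target = m.group('target')
        if m.group('status'):
            reasons.append(f'orphaned task {m.group("path")}: target no longer exists')
        if d := RUNDLL_RE.match(target):
            # rundll32 "<dll>",#N runs an unnamed export by ordinal: nothing in the task
            # tells you what the DLL does, and the DLL sits outside any vendor directory.
            reasons.append(f'rundll32 loads {d.group("dll")} by ordinal #{d.group("ordinal")}')
            if (p := PF86_RE.match(d.group('dll'))) and looks_random(p.group('dir')):
                reasons.append(f'random-looking directory name {p.group("dir")}')
        if ROAMING_RE.search(target):
            reasons.append('task launches from user-writable AppData\\Roaming')
    elif m := CHR_RE.match(line):
        url = m.group('url') or ''
        host = re.sub(r'^hxxps?://', '', url).split('/')[0]   # FRST defangs http(s) as hxxp(s)
        if url and host != WEBSTORE_HOST:
            reasons.append(f'extension "{m.group("name")}" updates from {host}, not the Chrome Web Store')
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run classify() over every non-empty line and keep only the flagged ones."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := classify(line)):
            flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line[:80] + ('...' if len(line) > 80 else ''))
        for r in reasons:
            print('    -', r)
```

The script flags eight of the ten sample lines and leaves the Office ClickToRun task and the constructed uBlock Origin entry alone. It is a reading aid for someone learning to build a fixlist, not a substitute for the helper's judgement: FRST itself already marks most of these lines, and the random-name heuristic deliberately misses ZOBvtrfsU, which is still caught by the rundll32-by-ordinal rule.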
Karla, posted May 10 (author)

Does the code you sent me need to be created in a new Notepad file, or added to one of the already generated ones ("Addition" or "FRST")?
ShadowPuterDude, posted May 10

A new Notepad file.
Karla, posted May 10 (author)

I attach the generated "fixlog.txt" Notepad file. How should I proceed next?

Attachments: Fixlog.txt
ShadowPuterDude, posted May 11

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\ProgramData\Microsoft\Zsxg

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
IMPORTANT: Save all of your work, as the next step may reboot your computer.

Run FRST and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

NOTE: If the tool warns you about an outdated version, please download and run the updated version.

Also, let me know how the machine is running now, and what remaining issues you've noticed.
ShadowPuterDude, posted Monday at 04:13 PM

Thread Closed. Reason: Lack of Response.

Private Message me to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled "START HERE if you don't we are just going to send you back to this thread": https://support.emsisoft.com/topic/31345-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/