
Not sure about infection, all I know it has gone wild

This topic is locked. 6 replies to this topic.

#1 CPUSecurity_OCD (Members, 3 posts)

Posted 01 August 2017 - 01:27 PM

Look, I'm not going to name my infections; I will describe the symptoms.

So, I was gaming and noticed the performance was going low. I noticed that sometimes my fan would also turn on even when the CPU was idle (totally AFK). So I decided to take a look at Task Manager and understand what was going on. Usually processes would pop up, and before I could click they would vanish. I decided to bring Process Explorer to the table.

I noticed some new ones and noticed this:

http://i.imgur.com/NSBrjln.jpg

As described in the picture, conhost and cmd are working as a tool to respawn these processes, and the only way to get rid of them is to suspend and end the tree. If I suspend WmiPrvSE.exe for a long period of time, the machine restarts and comes back saying I have suffered a BSOD, which is not true, since no blue screen popped up.

Anyway, when I tried to install mb3-setup-1878.1878-3.1.2.1733-10139, I got a real hang-up, and after 100% installation it froze, calling BSOD again, even though there was no blue screen.

Finally SearchIndexer.exe and 3 child processes, equally named and injected, made their appearance and started to replicate while the scan was running, along with dllhost.exe, WUDFHOST.exe and 4 other instances of WmiPrvSE.exe injected into svchost.

Clearly, neither Kaspersky TS 2017 nor Malwarebytes returned any indication. "All is clean", right?

Could you please HALP? I really need someone who clearly knows better what I should be doing. I really would like to add that I've been crashing several times and getting error reports of BSOD without the classic blue screen. Just random restarts since I tried to discover what was going on and downloaded BleepingComputer software like FRST, Zoek and Rkill (iexplore.exe). The fan is now going beyond crazy and I noticed a lot of process variants spawning.

With Autoruns I found this nasty piece of script:

C:\Windows\System32\gatherNetworkInfo.vbs

According to a Google search, Microsoft says it is a virus:

https://answers.microsoft.com/en-us/windows/forum/windows_7-security/does-anyone-know-what-gathernetworkinfovbs-is-its/63a302a6-cf69-4b9a-a3ef-4b2aff1b2514

I think I have a nasty piece of software here. Maybe a botnet or a rootkit.

edit: grammar and layout


Edited by CPUSecurity_OCD, 01 August 2017 - 01:31 PM.
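Processes that keep being relaunched under WmiPrvSE.exe, as described in the post above, are one symptom a permanent WMI event subscription can produce, so the first thing a responder checks on such a box is the root\subscription namespace. The PowerShell below is an added example, not code from the thread or from any BleepingComputer tool; it assumes an elevated Windows PowerShell prompt (2.0 or later) and a hypothetical -Remove switch for cleanup.

```powershell
# Added example, not from the thread: enumerate permanent WMI event subscriptions
# (root\subscription), the mechanism that can make WmiPrvSE.exe keep relaunching
# cmd.exe children, and flag the ones that execute commands or scripts.
# Assumes an elevated Windows PowerShell prompt (2.0 or later, so it runs on Win7).
param([switch]$Remove)   # hypothetical switch: delete flagged binding + consumer + filter

$ns        = 'root\subscription'
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Consumer classes that run something on the host when their filter fires.
$activeTypes = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# The exact query from the WinMgmt Event ID 10 entries in the FRST log posted later
# in this thread. Microsoft documents it as a benign Windows 7 SP1 leftover
# (KB2545227), so it is reported but not flagged on its own.
$knownBenign = 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99'

$findings = foreach ($b in $bindings) {
    # Filter and Consumer are WMI object paths such as
    # \\.\root\subscription:__EventFilter.Name="x"; [wmi] resolves them to live objects.
    $f = [wmi]$b.Filter
    $c = [wmi]$b.Consumer
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
        default                     { '' }
    }
    New-Object PSObject -Property @{
        FilterName   = $f.Name
        Query        = $f.Query
        ConsumerType = $c.__CLASS
        Consumer     = $c.Name
        Payload      = $payload
        KnownBenign  = ($f.Query -eq $knownBenign)
        # Anything bound to a command or script consumer deserves a look.
        Suspicious   = ($activeTypes -contains $c.__CLASS)
    }
}

if (-not $findings) {
    Write-Output "No bound WMI event subscriptions in $ns."
} else {
    $findings | Sort-Object Suspicious -Descending |
        Format-List FilterName, Query, ConsumerType, Consumer, Payload, KnownBenign, Suspicious
}

# Filters without a binding cannot fire, but an attacker can re-bind them later,
# so list them too.
$boundFilters = @($bindings | ForEach-Object { ([wmi]$_.Filter).Name })
$filters | Where-Object { $boundFilters -notcontains $_.Name } |
    ForEach-Object { Write-Output ("Unbound filter: {0} => {1}" -f $_.Name, $_.Query) }

if ($Remove) {
    foreach ($hit in @($findings | Where-Object { $_.Suspicious })) {
        # Review the listing first: Windows and management agents register their own
        # subscriptions here. Order matters: binding, then consumer, then filter.
        $bindings  | Where-Object { ([wmi]$_.Filter).Name -eq $hit.FilterName } | Remove-WmiObject
        $consumers | Where-Object { $_.Name -eq $hit.Consumer -and $_.__CLASS -eq $hit.ConsumerType } | Remove-WmiObject
        $filters   | Where-Object { $_.Name -eq $hit.FilterName } | Remove-WmiObject
    }
}
```

Run it once without -Remove, compare each Payload against what the box is supposed to run, and only then rerun with -Remove; a full removal should be followed by an Autoruns check, since WMI is rarely the only persistence a miner or bot installs.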




#2 boopme (Global Moderator, 73,490 posts)

Posted 01 August 2017 - 01:51 PM

Hello, you need to go here and add the FRST log in your next reply.

Preparation Guide

#3 CPUSecurity_OCD (Topic Starter, Members, 3 posts)

Posted 01 August 2017 - 02:29 PM

Thanks for promptly answering!

Complete carnival of apps launching when FRST was run. Funny, the logs are in my language. Anyway, here they go, respectively Addition.txt and FRST.txt:

 

Resultado do exame Adicional Farbar Recovery Scan Tool (x64) Versão: 31-07-2017
Executado por Silas (01-08-2017 16:23:09)
Executando a partir de D:\Downloads\Segurança
Windows 7 Ultimate Service Pack 1 (X64) (2017-06-14 20:53:20)
Modo da Inicialização: Normal
==========================================================
 
 
==================== Contas: =============================
 
Administrador (S-1-5-21-213099168-1847892982-2103706285-500 - Administrator - Disabled)
Convidado (S-1-5-21-213099168-1847892982-2103706285-501 - Limited - Disabled)
Silas (S-1-5-21-213099168-1847892982-2103706285-1000 - Administrator - Enabled) => C:\Users\Silas
 
==================== Central de Segurança ========================
 
(Se uma entrada for incluída na fixlist, será removida.)
 
AV: Kaspersky Total Security (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AS: Kaspersky Total Security (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Total Security (Enabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}
 
==================== Programas Instalados ======================
 
(Somente os programas adwares com a indicação "Oculto" podem ser adicionados à fixlist para desocultá-los. Os programas adwares devem ser desinstalados manualmente.)
 
Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.165 - Atheros)
Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros)
BitTorrent (HKU\S-1-5-21-213099168-1847892982-2103706285-1000\...\BitTorrent) (Version: 7.10.0.43581 - BitTorrent Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.31 - Piriform)
Counter-Strike (HKLM\...\Steam App 10) (Version:  - Valve)
Debugging Tools for Windows (x64) (HKLM\...\{DBFC6AAE-DCCB-4C23-B01C-3EDDDC03298B}) (Version: 6.12.2.633 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
HashTab 6.0.0.28 (HKLM\...\HashTab) (Version: 6.0.0.28 - Implbits Software)
Herramientas de corrección de Microsoft Office 2016: español (HKLM\...\{90160000-001F-0C0A-1000-0000000FF1CE}) (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Injected Anti-cheat (HKLM-x32\...\Injected Anti-cheat) (Version: 16.3.0.0 - Alejandro Cortés)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2875 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Kaspersky Password Manager (HKLM-x32\...\{D4C3D682-E15A-4A48-A7B7-3F021A525F8F}) (Version: 8.0.6.538 - Kaspersky Lab) Hidden
Kaspersky Password Manager (HKLM-x32\...\InstallWIX_{D4C3D682-E15A-4A48-A7B7-3F021A525F8F}) (Version: 8.0.6.538 - Kaspersky Lab)
Kaspersky Total Security (HKLM-x32\...\{5AAE61FF-858E-453E-B8F3-944618149975}) (Version: 18.0.0.405 - Kaspersky Lab) Hidden
Kaspersky Total Security (HKLM-x32\...\InstallWIX_{5AAE61FF-858E-453E-B8F3-944618149975}) (Version: 18.0.0.405 - Kaspersky Lab)
LOOT versão 0.11.0 (HKLM-x32\...\{BF634210-A0D4-443F-A657-0DCE38040374}_is1) (Version: 0.11.0 - LOOT Team)
Malwarebytes versão 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft Office Professional Plus 2016 (HKLM\...\Office16.PROPLUS) (Version: 16.0.4266.1001 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
MPC-HC 1.7.11 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.11 - MPC-HC Team)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.3.3 - Notepad++ Team)
Outils de vérification linguistique 2016 de Microsoft Office - Français (HKLM\...\{90160000-001F-040C-1000-0000000FF1CE}) (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6788 - Realtek Semiconductor Corp.)
Skype™ 7.37 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.37.103 - Skype Technologies S.A.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Stremio (HKU\S-1-5-21-213099168-1847892982-2103706285-1000\...\Stremio) (Version: 3.6.5 - Smart Code Ltd.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.14.2 - Synaptics Incorporated)
The Elder Scrolls V Skyrim - Legendary Edition (HKLM-x32\...\The Elder Scrolls V Skyrim - Legendary Edition_is1) (Version:  - )
Update for Skype for Business 2016 (KB3115268) 64-Bit Edition (HKLM\...\{90160000-0011-0000-1000-0000000FF1CE}_Office16.PROPLUS_{5D633E34-0FA8-4C3F-8A16-D1A6C33C7015}) (Version:  - Microsoft)
Update for Skype for Business 2016 (KB3115268) 64-Bit Edition (HKLM\...\{90160000-00C1-0000-1000-0000000FF1CE}_Office16.PROPLUS_{5D633E34-0FA8-4C3F-8A16-D1A6C33C7015}) (Version:  - Microsoft)
Update for Skype for Business 2016 (KB3115268) 64-Bit Edition (HKLM\...\{90160000-012B-0409-1000-0000000FF1CE}_Office16.PROPLUS_{5D633E34-0FA8-4C3F-8A16-D1A6C33C7015}) (Version:  - Microsoft)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.5.0.0 - Elaborate Bytes)
WinRAR 5.50 beta 3 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.3 - win.rar GmbH)
Wrye Bash (HKLM-x32\...\Wrye Bash) (Version: 307.2016.1230.2300 - Wrye & Wrye Bash Development Team)
 
==================== Exame Personalizado CLSID (Whitelisted): ==========================
 
(Se uma entrada for incluída na fixlist, será removida do Registro. O arquivo não será movido, a menos que seja colocado separadamente.)
 
ContextMenuHandlers1: [Atheros] -> {B8952421-0E55-400B-94A6-FA858FC0A39F} => C:\Program Files (x86)\Bluetooth Suite\BtvAppExt.dll [2012-10-15] (Atheros Commnucations)
ContextMenuHandlers1: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\x64\ShellEx.dll [2017-06-14] (AO Kaspersky Lab)
ContextMenuHandlers1: [VirtualCloneDrive] -> {B7056B8E-4F99-44f8-8CBD-282390FE5428} => C:\Program Files (x86)\VRCloneDrive\ElbyVCDShell.dll [2009-12-14] (Elaborate Bytes AG)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-06-11] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-06-11] (Alexander Roshal)
ContextMenuHandlers2: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\x64\ShellEx.dll [2017-06-14] (AO Kaspersky Lab)
ContextMenuHandlers2: [VirtualCloneDrive] -> {B7056B8E-4F99-44f8-8CBD-282390FE5428} => C:\Program Files (x86)\VRCloneDrive\ElbyVCDShell.dll [2009-12-14] (Elaborate Bytes AG)
ContextMenuHandlers3: [FTShellContext] -> {AFF81F7B-6942-40c4-AADA-7214EF7B6DD1} => C:\Program Files (x86)\Bluetooth Suite\ShellContextExt.dll [2012-10-15] (Atheros Commnucations)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers4: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\x64\ShellEx.dll [2017-06-14] (AO Kaspersky Lab)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-12-20] (Intel Corporation)
ContextMenuHandlers6: [Kaspersky Anti-Virus 18.0.0] -> {FF48AD48-74C7-4260-B385-FAEB80947450} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\x64\ShellEx.dll [2017-06-14] (AO Kaspersky Lab)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-06-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-06-11] (Alexander Roshal)
 
==================== Tarefas Agendadas (Whitelisted) =============
 
(Se uma entrada for incluída na fixlist, será removida do Registro. O arquivo não será movido, a menos que seja colocado separadamente.)
 
Task: {22775EC6-68DB-4ED4-A57C-49E898FDF376} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-06-13] (Piriform Ltd)
Task: {3FC598AC-4C7C-4741-9FCE-860D49FDC598} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2015-07-31] (Microsoft Corporation)
 
(Se uma entrada for incluída na fixlist, o arquivo da tarefa (.job) será movido. O arquivo que está sendo executado pela tarefa não será movido.)
 
 
==================== Atalhos & WMI ========================
 
(As entradas podem ser listadas para serem restauradas ou removidas.)
 
 
==================== Módulos Carregados (Whitelisted) ==============
 
2017-08-01 14:38 - 2017-08-01 14:57 - 002260432 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-06-27 17:59 - 2017-06-23 00:21 - 003807064 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libglesv2.dll
2017-06-27 17:59 - 2017-06-23 00:21 - 000100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libegl.dll
2016-12-22 22:59 - 2016-12-22 22:59 - 000108072 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 8.0.6\plugin-nm-server.exe
2017-06-14 23:31 - 2017-06-14 23:31 - 000836968 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\kpcengine.2.3.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(Se uma entrada for incluída na fixlist, somente o ADS será removido.)
 
 
==================== Modo de Segurança (Whitelisted) ===================
 
(Se uma entrada for incluída na fixlist, será removida do Registro. O valor "AlternateShell" será restaurado.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Associação (Whitelisted) ===============
 
(Se uma entrada for incluída na fixlist, o ítem no Registro será restaurado para o padrão ou removido.)
 
 
==================== Internet Explorer confiável/restrito ===============
 
(Se uma entrada for incluída na fixlist, será removida do Registro.)
 
 
==================== Hosts Conteúdo: ===============================
 
(Se necessário, a diretiva Hosts: pode ser incluída na fixlist para redefinir o Hosts.)
 
2009-07-13 23:34 - 2017-06-14 23:57 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Outras Áreas ============================
 
(Atualmente não há nenhuma correção automática para esta seção.)
 
HKU\S-1-5-21-213099168-1847892982-2103706285-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Firewall do Windows está habilitado.
 
==================== MSCONFIG/TASK MANAGER ítens desabilitados ==
 
 
==================== Regras do Firewall (Whitelisted) ===============
 
(Se uma entrada for incluída na fixlist, será removida do Registro. O arquivo não será movido, a menos que seja colocado separadamente.)
 
FirewallRules: [{4C3FE31D-688C-4744-9126-18E920C6C406}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{5486CCAD-26EC-4D37-BCC4-79570814BEA9}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{04300984-7721-4F46-A66A-D4347DE8D8EF}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{CC610B65-8C74-4BA7-9002-18BEDECE4AF0}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{37B2456C-E482-4A98-86C3-C55579967360}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{296A6175-1181-4CF6-AF74-E512D1CBF637}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Half-Life\hl.exe
FirewallRules: [{C60CFC6B-00D0-402B-B4DF-82C86169B4F8}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Half-Life\hl.exe
FirewallRules: [{8745E9F0-4B47-4F77-BC3D-F95D28A84C83}] => (Allow) C:\Users\Silas\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{949A9B54-80B0-44D1-815E-12856CB5464A}] => (Allow) C:\Users\Silas\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{64993501-6148-462E-914C-959A0976C8D8}] => (Allow) C:\Users\Silas\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{173044BA-8CC8-404C-9370-7ED591156802}] => (Allow) C:\Users\Silas\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{F5DA4566-8845-44EE-B9B9-4409784B56C5}] => (Allow) C:\Users\Silas\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{61D042AC-10C2-4873-BC34-B9D407151388}] => (Allow) C:\Users\Silas\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{F692D898-1EDC-47FD-A32A-1C132ADB54D0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Pontos de Restauração =========================
 
31-07-2017 22:33:55 Installed TOSHIBA PC Diagnostic Tool
31-07-2017 22:59:17 Installed Debugging Tools for Windows (x64)
01-08-2017 00:27:08 JRT Pre-Junkware Removal
01-08-2017 02:37:08 Removed Java SE Development Kit 8 Update 131 (64-bit)
 
==================== Dispositivos Apresentando Falhas No Gerenciador =============
 
Name: HID-compliant consumer control device
Description: HID-compliant consumer control device
Class Guid: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Manufacturer: Microsoft
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Erros no Log de eventos: =========================
 
Erros em Aplicativos:
==================
Error: (08/01/2017 02:45:41 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 01:15:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 02:36:24 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 02:35:04 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 02:34:42 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 02:28:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 02:25:35 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 02:07:13 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 01:53:56 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/01/2017 01:52:17 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
Erros de Sistema:
=============
Error: (08/01/2017 02:46:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Não foi possível iniciar o serviço Serviço de Compartilhamento de Rede do Windows Media Player devido ao seguinte erro: 
Acesso negado.
 
Error: (08/01/2017 02:46:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Não foi possível iniciar o serviço Serviço do Google Update (gupdate) devido ao seguinte erro: 
Acesso negado.
 
Error: (08/01/2017 02:44:00 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: O computador foi reinicializado após uma verificação de erro. Essa verificação foi: 0x00000101 (0x0000000000000031, 0x0000000000000000, 0xfffff88003765180, 0x0000000000000002). Um despejo de memória foi salvo em: C:\Windows\MEMORY.DMP. Id de Relatório: 080117-15771-01.
 
Error: (08/01/2017 02:43:56 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: O desligamento anterior do sistema em 14:42:06 às ‎01/‎08/‎2017 não era esperado.
 
Error: (08/01/2017 01:19:53 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: O serviço Windows Search foi finalizado inesperadamente. Isto aconteceu 1 vez(es). A seguinte ação corretiva será tomada em 30000 milissegundos: Reiniciar o serviço.
 
Error: (08/01/2017 01:15:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Não foi possível iniciar o serviço Serviço de Compartilhamento de Rede do Windows Media Player devido ao seguinte erro: 
Acesso negado.
 
Error: (08/01/2017 01:15:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Não foi possível iniciar o serviço Serviço do Google Update (gupdate) devido ao seguinte erro: 
Acesso negado.
 
Error: (08/01/2017 02:42:40 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: O serviço Windows Installer foi finalizado inesperadamente. Isto aconteceu 2 vez(es). A seguinte ação corretiva será tomada em 300000 milissegundos: Reiniciar o serviço.
 
Error: (08/01/2017 02:38:34 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: O serviço Proteção de Software foi finalizado inesperadamente. Isto aconteceu 2 vez(es). A seguinte ação corretiva será tomada em 300000 milissegundos: Reiniciar o serviço.
 
Error: (08/01/2017 02:38:31 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: O serviço Windows Installer foi finalizado inesperadamente. Isto aconteceu 1 vez(es). A seguinte ação corretiva será tomada em 120000 milissegundos: Reiniciar o serviço.
 
 
==================== Informações da Memória =========================== 
 
Processador: Intel® Core™ i3-3110M CPU @ 2.40GHz
Percentagem de memória em uso: 26%
RAM física total: 6017.83 MB
RAM física disponível: 4421.78 MB
Virtual Total: 12033.85 MB
Virtual disponível: 10293.91 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:65.14 GB) (Free:31.49 GB) NTFS
Drive d: () (Fixed) (Total:400.33 GB) (Free:341.28 GB) NTFS
Drive g: (BACKUP) (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
 
==================== MBR & Tabela de Partições ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 894DF9CF)
Partition 1: (Not Active) - (Size=65.1 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=300 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=400.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 3.7 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== Fim de Addition.txt ============================
 
Resultado do exame da Farbar Recovery Scan Tool (FRST) (x64) Versão: 31-07-2017
Executado por Silas (administrador) em PC-FUNDO (01-08-2017 16:22:48)
Executando a partir de D:\Downloads\Segurança
Perfis Carregados: Silas (Perfis Disponíveis: Silas)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Idioma: Português (Brasil)
Internet Explorer Versão 8 (Navegador padrão: Chrome)
Modo da Inicialização: Normal
 
==================== Processos (Whitelisted) =================
 
(Se uma entrada for incluída na fixlist, o processo será fechado. O arquivo não será movido.)
 
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\avp.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\avpui.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 8.0.6\plugin-nm-server.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Sysinternals - www.sysinternals.com) C:\Users\Silas\Desktop\procexp64.exe
 
==================== Registro (Whitelisted) ====================
 
(Se uma entrada for incluída na fixlist, o ítem no Registro será restaurado para o padrão ou removido. O arquivo não será movido.)
 
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restrição <==== ATENÇÃO
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
GroupPolicy: Restrição <==== ATENÇÃO
GroupPolicyScripts: Restrição <==== ATENÇÃO
 
==================== Internet (Whitelisted) ====================
 
(Se um ítem for incluído na fixlist, sendo um ítem do Registro, será removido ou restaurado para o padrão.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0C643D8B-AD59-458F-9345-7F942696764B}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
Handler: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-06-14] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-06-14] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-06-14] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-06-14] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [light_plugin_448EC0843447455C9DA355B3C2811D6A@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\FFExt\light_plugin_firefox\addon.xpi
FF Extension: (Kaspersky Protection) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\FFExt\light_plugin_firefox\addon.xpi [2017-06-14]
FF HKLM-x32\...\Firefox\Extensions: [light_plugin_448EC0843447455C9DA355B3C2811D6A@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\FFExt\light_plugin_firefox\addon.xpi
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-06-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-06-14] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://google.com.br/"
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default [2017-08-01]
CHR Extension: (Learn French - Très Bien) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeifanonhefcaphaeeknpklkfnjjmpec [2017-06-14]
CHR Extension: (Google Drive) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-06-14]
CHR Extension: (YouTube) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-06-14]
CHR Extension: (Facebook) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\boeajhmfdjldchidhphikilcgdacljfm [2017-06-14]
CHR Extension: (uBlock Origin) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-07-30]
CHR Extension: (Adblock for Youtube™) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2017-06-28]
CHR Extension: (Session Buddy) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\edacconmaakjimmfgnblocblbcdcpbko [2017-07-09]
CHR Extension: (Box) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejnkaeblpdcamcioiiabclakabcbjmbl [2017-06-14]
CHR Extension: (Planetarium) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\gheikhdfflhlbemfmhcfpeblehemeklp [2017-06-14]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2017-06-14]
CHR Extension: (EasyHome Homestyler) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdmmkfaghgcicheaimnpffeeekheafkb [2017-06-14]
CHR Extension: (Google Maps) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2017-06-14]
CHR Extension: (Kaspersky Protection) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mchjnmdbdlkdbfliogedbnpnanfjnolk [2017-06-14]
CHR Extension: (Kaspersky Password Manager) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkaoblbjfmcalcjjaifickaoccjmhlal [2017-06-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-14]
CHR Extension: (Outlook.com) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfpeapihoiogbcmdmnibeplnikfnhoge [2017-06-14]
CHR Extension: (Gmail) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-06-14]
CHR Extension: (Chrome Media Router) - C:\Users\Silas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-13]
CHR Profile: C:\Users\Silas\AppData\Local\Google\Chrome\User Data\System Profile [2017-06-28]
CHR HKLM\...\Chrome\Extension: [mchjnmdbdlkdbfliogedbnpnanfjnolk] - hxxps://chrome.google.com/webstore/detail/mchjnmdbdlkdbfliogedbnpnanfjnolk
CHR HKU\S-1-5-21-213099168-1847892982-2103706285-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mkaoblbjfmcalcjjaifickaoccjmhlal] - hxxps://chrome.google.com/webstore/detail/mkaoblbjfmcalcjjaifickaoccjmhlal
CHR HKLM-x32\...\Chrome\Extension: [mchjnmdbdlkdbfliogedbnpnanfjnolk] - hxxps://chrome.google.com/webstore/detail/mchjnmdbdlkdbfliogedbnpnanfjnolk
 
==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless it is listed separately.)

S2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [219776 2012-10-15] (Atheros Commnucations) [File not signed]
R2 AVP18.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\avp.exe [354672 2017-01-24] (AO Kaspersky Lab)
S3 klvssbridge64_18.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\x64\vssbridge64.exe [426416 2017-06-22] (AO Kaspersky Lab)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2017-06-14] (Microsoft Corporation)
S2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [327296 2012-10-15] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless it is listed separately.)
 
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [247008 2016-12-26] (AO Kaspersky Lab)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77376 2017-08-01] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2017-07-31] ()
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [554408 2016-10-01] (AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [70880 2016-12-22] (AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [86240 2016-12-27] (AO Kaspersky Lab)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [78216 2016-05-31] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [205272 2017-06-22] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [317424 2017-06-14] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [1068496 2017-06-22] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [57936 2016-10-11] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [57568 2016-12-23] (AO Kaspersky Lab)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [58592 2016-12-07] (AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [50672 2017-04-18] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [81904 2017-04-18] (AO Kaspersky Lab)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [137200 2017-04-18] (AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [199360 2017-06-22] (AO Kaspersky Lab)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188352 2017-08-01] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [101784 2017-08-01] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-08-01] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [253856 2017-08-01] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [84256 2017-08-01] (Malwarebytes)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-08-01] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless it is listed separately.)
 
 
==================== One month (created files and folders) ========

(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-01 15:57 - 2017-08-01 15:57 - 000000000 ____D C:\Users\Silas\AppData\Local\Microsoft_Corporation
2017-08-01 14:43 - 2017-08-01 14:44 - 000297960 _____ C:\Windows\Minidump\080117-15771-01.dmp
2017-08-01 14:39 - 2017-08-01 14:58 - 000188352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-08-01 14:39 - 2017-08-01 14:58 - 000101784 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-08-01 14:39 - 2017-08-01 14:58 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-08-01 14:39 - 2017-08-01 14:58 - 000045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-08-01 14:38 - 2017-08-01 14:58 - 000253856 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-08-01 14:38 - 2017-08-01 14:57 - 000077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-08-01 14:38 - 2017-08-01 14:38 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-08-01 14:38 - 2017-08-01 14:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-08-01 14:38 - 2017-08-01 14:38 - 000000000 ____D C:\Program Files\Malwarebytes
2017-08-01 14:03 - 2017-08-01 14:03 - 000000000 _____ C:\Users\Silas\defogger_reenable
2017-08-01 02:09 - 2017-08-01 02:09 - 000002048 _____ C:\Users\Silas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FileHippo App Manager.lnk
2017-08-01 02:05 - 2017-08-01 02:05 - 000297960 _____ C:\Windows\Minidump\080117-16146-01.dmp
2017-08-01 01:50 - 2017-08-01 01:50 - 000293832 _____ C:\Windows\Minidump\080117-22448-01.dmp
2017-08-01 01:00 - 2017-08-01 01:00 - 000000000 ____D C:\zoek_backup
2017-08-01 00:54 - 2017-08-01 00:57 - 000043524 _____ C:\TDSSKiller.3.1.0.15_01.08.2017_00.54.58_log.txt
2017-08-01 00:43 - 2017-08-01 00:43 - 000001915 _____ C:\Users\Silas\Desktop\JRT.txt
2017-07-31 23:15 - 2017-08-01 02:11 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-07-31 23:15 - 2017-08-01 02:11 - 000000000 ____D C:\Users\Todos os Usuários\RogueKiller
2017-07-31 23:15 - 2017-08-01 02:11 - 000000000 ____D C:\ProgramData\RogueKiller
2017-07-31 23:10 - 2017-08-01 02:36 - 000000000 ____D C:\Program Files\RogueKiller
2017-07-31 22:59 - 2017-07-31 22:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x64)
2017-07-31 22:59 - 2017-07-31 22:59 - 000000000 ____D C:\Program Files\Debugging Tools for Windows (x64)
2017-07-31 22:39 - 2017-08-01 02:00 - 000000000 ____D C:\AdwCleaner
2017-07-31 22:33 - 2017-07-31 22:33 - 000000000 ____D C:\Users\Silas\AppData\Roaming\WinBatch
2017-07-31 21:43 - 2017-07-31 22:19 - 000000000 ____D C:\Users\Todos os Usuários\Malwarebytes' Anti-Malware (portable)
2017-07-31 21:43 - 2017-07-31 22:19 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-07-31 21:40 - 2017-08-01 14:38 - 000000000 ____D C:\Users\Todos os Usuários\Malwarebytes
2017-07-31 21:40 - 2017-08-01 14:38 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-07-31 21:29 - 2017-07-31 22:19 - 000000000 ____D C:\Users\Silas\Desktop\mbar
2017-07-31 21:29 - 2017-07-31 21:29 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-07-31 21:23 - 2017-07-31 21:23 - 000000000 ____D C:\Users\Silas\Documents\Docs
2017-07-31 21:18 - 2017-07-31 21:18 - 000001260 _____ C:\Users\Silas\Documents\Default_W7_Ultimate_64_SP1_Start_v100.zip
2017-07-31 20:27 - 2017-07-31 20:31 - 000000000 ____D C:\Users\Todos os Usuários\HitmanPro
2017-07-31 20:27 - 2017-07-31 20:31 - 000000000 ____D C:\ProgramData\HitmanPro
2017-07-31 20:27 - 2017-07-31 20:27 - 000000000 ____D C:\Program Files\HitmanPro
2017-07-31 20:12 - 2017-05-01 07:25 - 001458856 _____ (Sysinternals - www.sysinternals.com) C:\Users\Silas\Desktop\procexp64.exe
2017-07-31 19:34 - 2017-07-31 19:34 - 000010254 _____ C:\Users\Silas\Documents\KTS_2018.lic
2017-07-31 19:31 - 2017-08-01 02:26 - 001161778 _____ C:\Windows\ntbtlog.txt
2017-07-31 02:43 - 2017-07-31 21:27 - 000002146 _____ C:\Users\Silas\Desktop\Rkill.txt
2017-07-30 17:37 - 2017-08-01 16:22 - 000000000 ____D C:\FRST
2017-07-29 17:26 - 2017-07-29 17:28 - 000000000 ____D C:\Program Files\Recuva
2017-07-27 14:08 - 2017-07-27 14:08 - 000066560 _____ C:\Users\Silas\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-22 21:05 - 2017-07-24 12:13 - 000000000 ____D C:\Users\Silas\Downloads\The.Elder.Scrolls.V.Skyrim.Legendary.Edition.MULTi8-PROPHET
2017-07-22 19:19 - 2017-07-27 12:59 - 000000000 ____D C:\Users\Silas\AppData\Roaming\uTorrent
2017-07-13 01:45 - 2017-07-13 01:45 - 000002790 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-07-09 04:37 - 2017-08-01 14:43 - 495041157 _____ C:\Windows\MEMORY.DMP
2017-07-09 04:37 - 2017-08-01 14:43 - 000000000 ____D C:\Windows\Minidump
2017-07-09 04:37 - 2017-07-09 04:37 - 000297960 _____ C:\Windows\Minidump\070917-19063-01.dmp
2017-07-09 03:31 - 2017-07-09 03:31 - 000000000 ____D C:\Users\Silas\AppData\Local\ESET
2017-07-07 22:35 - 2017-07-07 22:35 - 000000000 ____D C:\Users\Silas\AppData\Local\Nexus
2017-07-06 12:54 - 2017-07-07 20:15 - 000000000 ____D C:\Users\Silas\AppData\Local\Discord
2017-07-06 12:54 - 2017-07-06 13:26 - 000000000 ____D C:\Users\Silas\AppData\Roaming\discord
2017-07-06 12:54 - 2017-07-06 12:54 - 000000000 ____D C:\Users\Silas\AppData\Local\SquirrelTemp
2017-07-06 12:43 - 2017-07-06 12:44 - 000308408 _____ C:\Windows\system32\FNTCACHE.DAT
 
==================== One month (modified files and folders) ========

(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-01 14:53 - 2009-07-14 01:45 - 000026768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-08-01 14:53 - 2009-07-14 01:45 - 000026768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-08-01 14:50 - 2011-04-12 10:40 - 000705264 _____ C:\Windows\system32\prfh0416.dat
2017-08-01 14:50 - 2011-04-12 10:40 - 000147108 _____ C:\Windows\system32\prfc0416.dat
2017-08-01 14:50 - 2009-07-14 02:13 - 001633530 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-01 14:50 - 2009-07-14 00:20 - 000000000 ____D C:\Windows\inf
2017-08-01 14:44 - 2017-06-14 21:09 - 000000000 ____D C:\Users\Todos os Usuários\Kaspersky Lab
2017-08-01 14:44 - 2017-06-14 21:09 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2017-08-01 14:44 - 2009-07-14 02:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-01 14:03 - 2017-06-14 17:53 - 000000000 ____D C:\Users\Silas
2017-08-01 01:45 - 2009-07-14 02:08 - 000024088 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-07-31 21:37 - 2017-06-23 20:45 - 000000000 ____D C:\Users\Silas\AppData\Local\CrashDumps
2017-07-31 19:26 - 2017-06-30 12:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TESV - Skyrim LE
2017-07-31 19:26 - 2017-06-15 18:40 - 000000000 ____D C:\Users\Silas\AppData\Roaming\BitTorrent
2017-07-31 19:26 - 2017-06-15 02:46 - 000000000 ____D C:\Users\Silas\AppData\Roaming\Skype
2017-07-31 19:26 - 2017-06-14 23:05 - 000000000 ____D C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2017-07-31 19:26 - 2009-07-14 00:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2017-07-31 19:26 - 2009-07-14 00:20 - 000000000 ____D C:\Windows\registration
2017-07-31 19:25 - 2017-06-15 01:17 - 000000000 ____D C:\Program Files (x86)\Steam
2017-07-28 21:40 - 2017-06-29 02:41 - 000000000 ____D C:\Users\Silas\AppData\Local\LOOT
2017-07-25 19:25 - 2017-06-15 01:14 - 000000000 ____D C:\Users\Silas\AppData\Local\MegaDownloader
2017-07-02 23:02 - 2017-06-28 23:05 - 000000000 ____D C:\Users\Silas\Documents\My Games
 
Some files in TEMP:
====================
2017-07-31 23:15 - 2017-06-14 13:02 - 001732864 _____ (Microsoft Corporation) C:\Users\Silas\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass the check.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-08-01 13:43
 
==================== End of FRST.txt ============================
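The Services and Drivers sections of the log above carry the information a responder triages first: FRST appends "[File not signed]" (printed in Portuguese on this machine) where its signature check fails, and prints an empty "()" where the file's version information carries no company name (mbae64.sys, hitmanpro37.sys and TrueSight.sys here). The script below is an added example, written for this page; it is not part of the original post and is not FRST's own code. It parses FRST-style service and driver lines and flags the entries worth a second look. The sample lines are copied from the log above; the rule that a kernel driver normally lives under C:\Windows\System32\drivers, and the use of FRST's "U" state letter as a reason to look closer, are this script's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One FRST service/driver line, e.g.
#   R2 AVP18.0.0; C:\...\avp.exe [354672 2017-01-24] (AO Kaspersky Lab)
#   S2 AtherosSvc; C:\...\adminservice.exe [219776 2012-10-15] (Atheros Commnucations) [File not signed]
#   R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77376 2017-08-01] ()
# state letter, Windows start-type digit, name, path, [size date], (company name), optional [flag]
LINE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)"
    r"(?: \[(?P<flag>[^\]]+)\])?\s*$"
)

# Assumption of this script: a kernel driver normally lives under the system drivers directory.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Windows service start types (the registry "Start" value FRST prints after the state letter).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


@dataclass
class Entry:
    kind: str            # "service" or "driver", taken from the enclosing FRST section heading
    state: str           # FRST state letter: R (running), S (stopped), U (surfaced for review)
    start: int
    name: str
    path: str
    size: int
    date: str
    publisher: str       # company name from the file's version info; empty when FRST printed "()"
    flag: Optional[str]  # e.g. "File not signed" or the localized "Arquivo não assinado"


def parse_frst_entries(text: str) -> List[Entry]:
    """Parse the Services and Drivers sections of an FRST log (English or Portuguese headings)."""
    entries: List[Entry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==="):
            low = line.lower()
            if "driver" in low:
                section = "driver"
            elif "servi" in low:          # matches "Services" and the localized "Serviços"
                section = "service"
            else:
                section = None            # NetSvcs, file listings, etc. are skipped
            continue
        m = LINE_RE.match(line)
        if m and section:
            entries.append(Entry(section, m["state"], int(m["start"]), m["name"].strip(),
                                 m["path"], int(m["size"]), m["date"],
                                 m["publisher"].strip(), m["flag"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for the entries a responder should look at first."""
    findings = []
    for e in entries:
        reasons = []
        flag = (e.flag or "").lower()
        if "not signed" in flag or "não assinado" in flag:
            reasons.append("unsigned")
        if not e.publisher:
            reasons.append("no publisher")
        if e.kind == "driver" and not e.path.lower().startswith(DRIVER_DIR):
            reasons.append("unusual driver path")
        if e.state == "U":
            reasons.append("state U")
        if reasons:
            findings.append((e.name, e.path, reasons))
    return findings


# Constructed sample: lines copied from the FRST log in this thread (backslashes doubled for Python).
SAMPLE_LOG = """
==================== Services (Whitelisted) ====================

S2 AtherosSvc; C:\\Program Files (x86)\\Bluetooth Suite\\adminservice.exe [219776 2012-10-15] (Atheros Commnucations) [File not signed]
R2 AVP18.0.0; C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Total Security 18.0.0\\avp.exe [354672 2017-01-24] (AO Kaspersky Lab)
S3 WinDefend; C:\\Program Files\\Windows Defender\\mpsvc.dll [1011712 2017-06-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

R0 cm_km; C:\\Windows\\System32\\DRIVERS\\cm_km.sys [247008 2016-12-26] (AO Kaspersky Lab)
R1 ESProtectionDriver; C:\\Windows\\system32\\drivers\\mbae64.sys [77376 2017-08-01] ()
S3 hitmanpro37; C:\\Windows\\system32\\drivers\\hitmanpro37.sys [55232 2017-07-31] ()
U3 TrueSight; C:\\Windows\\System32\\drivers\\TrueSight.sys [28272 2017-08-01] ()
"""

if __name__ == "__main__":
    parsed = parse_frst_entries(SAMPLE_LOG)
    flagged = {name: reasons for name, _, reasons in triage(parsed)}
    for e in parsed:
        marker = ", ".join(flagged.get(e.name, [])) or "-"
        print(f"{e.kind:<7} {e.state}{e.start} ({START_TYPES.get(e.start, '?'):<8}) "
              f"{e.name:<20} {marker:<24} {e.path}")
```

An empty "()" only means FRST found no company name in the version resource, which is not the same as unsigned, and a "[File not signed]" flag on a vendor tool (the two Atheros services here) is common for old OEM software; the script narrows the list, it does not convict. The definitive check is Authenticode on the live file, for example Get-AuthenticodeSignature in PowerShell, followed by a hash lookup of anything that still looks out of place.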


#4 CPUSecurity_OCD (Topic Starter)

Posted 03 August 2017 - 07:49 PM

Shameless bump. I still need help with this.



#5 boopme (Global Moderator)

Posted 04 August 2017 - 10:18 AM

You need to do step 7 from the GUIDE and repost. If I move this you will not see the replies.

#6 HelpBot (Bleepin' Binary Bot)

Posted 06 August 2017 - 01:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/653169 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#7 HelpBot (Bleepin' Binary Bot)

Posted 11 August 2017 - 01:35 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



