Possibly infected PC with weird behavior


6 replies to this topic

#1 giobortolato


Posted 13 November 2017 - 12:38 PM

Hello, I have a PC running Windows 7 that is showing some weird things.

 

First of all, it opens the Documents folder by itself every few minutes. 

It also opens the "IPv4 Advanced IP Settings Tab" help page automatically. 

The Default Gateway address is deleted for no reason.

There is also a script error that points to a website, freetryio12.wha.la.

 

Has anyone seen these problems before?


Edited by hamluis, 13 November 2017 - 01:10 PM.
Moved from MRL to Am I Infected - Hamluis.



 


#2 Broni


Posted 13 November 2017 - 11:14 PM

Welcome aboard

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.
NOTE 3. If you receive an "UNSUPPORTED OPERATING SYSTEM! ABORTED!" message, restart the computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.


Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double-click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"


NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right-click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7 or 8, right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE. Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.




 


#3 giobortolato


Posted 17 November 2017 - 10:22 AM

Security Check Log

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7  x64 (UAC is disabled!)  
``````````````Antivirus/Firewall Check:`````````````` 
Avast Antivirus   
 Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome (62.0.3202.94) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled! 
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
 AVAST Software Avast x64 aswidsagenta.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: = 
````````````````````End of Log`````````````````````` 
 
 
FSS Log
 

Farbar Service Scanner Version: 27-01-2016
Ran by Cliente (administrator) on 17-11-2017 at 11:20:14
Running from "C:\Users\Cliente\Downloads"
Microsoft Windows 7 Ultimate   (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
 
MiniToolBox Log
 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Cliente (administrator) on 17-11-2017 at 11:21:56
Running from "C:\Users\Cliente\Downloads"
Microsoft Windows 7 Ultimate   (X64)
Model: OptiPlex 380 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
Broadcom NetLink ™ Gigabit Ethernet = Conexão local (Connected)
Cisco Systems VPN Adapter for 64-bit Windows = Conexão local 2 (Connected)
 
 
# ----------------------------------
# Configuração de IPv4
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled taskoffload=disabled
set interface interface="Conexão local" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Conexão local 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
add address name="Conexão local 2" address=172.23.175.108
 
 
popd
# Final da configuração IPv4
 
 
 
Configuração de IP do Windows
 
   Nome do host. . . . . . . . . . . . . . . . : Cliente-PC
   Sufixo DNS primário . . . . . . . . . . . . : 
   Tipo de nó. . . . . . . . . . . . . . . . . : híbrido
   Roteamento de IP ativado. . . . . . . . . . : não
   Proxy WINS ativado. . . . . . . . . . . . . : não
   Lista de pesquisa de sufixo DNS . . . . . . : direcao.com
 
Adaptador Ethernet Conexão local 2:
 
   Sufixo DNS específico de conexão. . . . . . : direcao.com
   Descrição . . . . . . . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   Endereço Físico . . . . . . . . . . . . . . : 00-05-9A-3C-78-00
   DHCP Habilitado . . . . . . . . . . . . . . : Não
   Configuração Automática Habilitada. . . . . : Sim
   Endereço IPv6 de link local . . . . . . . . : fe80::251b:19d4:ee17:5265%17(Preferencial) 
   Endereço IPv4. . . . . . . .  . . . . . . . : 172.23.175.108(Preferencial) 
   Máscara de Sub-rede . . . . . . . . . . . . : 255.255.252.0
   Gateway Padrão. . . . . . . . . . . . . . . : 
   IAID de DHCPv6. . . . . . . . . . . . . . . : 369100186
   DUID de Cliente DHCPv6. . . . . . . . . . . : 00-01-00-01-1F-D2-3D-82-84-2B-2B-7C-CB-2E
   Servidores DNS. . . . . . . . . . . . . . . : 172.16.132.87
                                                 172.16.132.88
   NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
 
Adaptador Ethernet Conexão local:
 
   Sufixo DNS específico de conexão. . . . . . : 
   Descrição . . . . . . . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
   Endereço Físico . . . . . . . . . . . . . . : 84-2B-2B-7C-CB-2E
   DHCP Habilitado . . . . . . . . . . . . . . : Sim
   Configuração Automática Habilitada. . . . . : Sim
   Endereço IPv6 de link local . . . . . . . . : fe80::fcd8:57dd:9e6:eade%11(Preferencial) 
   Endereço IPv4. . . . . . . .  . . . . . . . : 192.168.1.3(Preferencial) 
   Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
   Concessão Obtida. . . . . . . . . . . . . . : sexta-feira, 17 de novembro de 2017 06:27:01
   Concessão Expira. . . . . . . . . . . . . . : sábado, 18 de novembro de 2017 06:27:00
   Gateway Padrão. . . . . . . . . . . . . . . : 192.168.1.1
   Servidor DHCP . . . . . . . . . . . . . . . : 192.168.1.1
   IAID de DHCPv6. . . . . . . . . . . . . . . : 243542827
   DUID de Cliente DHCPv6. . . . . . . . . . . : 00-01-00-01-1F-D2-3D-82-84-2B-2B-7C-CB-2E
   Servidores DNS. . . . . . . . . . . . . . . : 8.8.8.8
                                                 8.8.4.4
   NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
 
Adaptador de túnel isatap.{D533D9ED-D013-4B0E-A70A-4C6837C1AA60}:
 
   Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
   Sufixo DNS específico de conexão. . . . . . : 
   Descrição . . . . . . . . . . . . . . . . . : Adaptador do Microsoft ISATAP
   Endereço Físico . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Habilitado . . . . . . . . . . . . . . : Não
   Configuração Automática Habilitada. . . . . : Sim
 
Adaptador de túnel isatap.direcao.com:
 
   Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
   Sufixo DNS específico de conexão. . . . . . : direcao.com
   Descrição . . . . . . . . . . . . . . . . . : Adaptador do Microsoft ISATAP #2
   Endereço Físico . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Habilitado . . . . . . . . . . . . . . : Não
   Configuração Automática Habilitada. . . . . : Sim
 
Adaptador de túnel Teredo Tunneling Pseudo-Interface:
 
   Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
   Sufixo DNS específico de conexão. . . . . . : 
   Descrição . . . . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Endereço Físico . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Habilitado . . . . . . . . . . . . . . : Não
   Configuração Automática Habilitada. . . . . : Sim
DNS request timed out.
    timeout was 2 seconds.
Servidor:  UnKnown
Address:  172.16.132.87
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
 
Disparando google.com [216.58.202.206] com 32 bytes de dados:
Resposta de 216.58.202.206: bytes=32 tempo=88ms TTL=53
Resposta de 216.58.202.206: bytes=32 tempo=62ms TTL=53
 
Estatísticas do Ping para 216.58.202.206:
    Pacotes: Enviados = 2, Recebidos = 2, Perdidos = 0 (0% de
             perda),
Aproximar um número redondo de vezes em milissegundos:
    Mínimo = 62ms, Máximo = 88ms, Média = 75ms
DNS request timed out.
    timeout was 2 seconds.
Servidor:  UnKnown
Address:  172.16.132.87
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
 
Disparando yahoo.com [206.190.39.42] com 32 bytes de dados:
Resposta de 206.190.39.42: bytes=32 tempo=299ms TTL=46
Resposta de 206.190.39.42: bytes=32 tempo=290ms TTL=46
 
Estatísticas do Ping para 206.190.39.42:
    Pacotes: Enviados = 2, Recebidos = 2, Perdidos = 0 (0% de
             perda),
Aproximar um número redondo de vezes em milissegundos:
    Mínimo = 290ms, Máximo = 299ms, Média = 294ms
 
Disparando 127.0.0.1 com 32 bytes de dados:
Resposta de 127.0.0.1: bytes=32 tempo<1ms TTL=128
Resposta de 127.0.0.1: bytes=32 tempo<1ms TTL=128
 
Estatísticas do Ping para 127.0.0.1:
    Pacotes: Enviados = 2, Recebidos = 2, Perdidos = 0 (0% de
             perda),
Aproximar um número redondo de vezes em milissegundos:
    Mínimo = 0ms, Máximo = 0ms, Média = 0ms
===========================================================================
Lista de interfaces
 17...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
 11...84 2b 2b 7c cb 2e ......Broadcom NetLink ™ Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Adaptador do Microsoft ISATAP
 13...00 00 00 00 00 00 00 e0 Adaptador do Microsoft ISATAP #2
 20...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
Tabela de rotas IPv4
===========================================================================
Rotas ativas:
Endereço de rede          Máscara   Ender. gateway       Interface   Custo
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     10
        127.0.0.0        255.0.0.0      No vínculo         127.0.0.1    306
        127.0.0.1  255.255.255.255      No vínculo         127.0.0.1    306
  127.255.255.255  255.255.255.255      No vínculo         127.0.0.1    306
     172.16.132.0    255.255.255.0     172.23.172.1   172.23.175.108    100
     172.16.142.0    255.255.255.0     172.23.172.1   172.23.175.108    100
     172.16.162.0    255.255.255.0     172.23.172.1   172.23.175.108    100
     172.23.172.0    255.255.252.0      No vínculo    172.23.175.108    266
   172.23.175.108  255.255.255.255      No vínculo    172.23.175.108    266
   172.23.175.255  255.255.255.255      No vínculo    172.23.175.108    266
      192.168.1.0    255.255.255.0      No vínculo       192.168.1.3    266
      192.168.1.1  255.255.255.255      No vínculo       192.168.1.3    100
      192.168.1.3  255.255.255.255      No vínculo       192.168.1.3    266
    192.168.1.255  255.255.255.255      No vínculo       192.168.1.3    266
    200.174.20.83  255.255.255.255      192.168.1.1      192.168.1.3    100
        224.0.0.0        240.0.0.0      No vínculo         127.0.0.1    306
        224.0.0.0        240.0.0.0      No vínculo       192.168.1.3    266
        224.0.0.0        240.0.0.0      No vínculo    172.23.175.108    266
  255.255.255.255  255.255.255.255      No vínculo         127.0.0.1    306
  255.255.255.255  255.255.255.255      No vínculo       192.168.1.3    266
  255.255.255.255  255.255.255.255      No vínculo    172.23.175.108    266
===========================================================================
Rotas persistentes:
  Nenhuma
 
Tabela de rotas IPv6
===========================================================================
Rotas ativas:
 Se destino de rede de métrica      Gateway
  1    306 ::1/128                  No vínculo
 11    266 fe80::/64                No vínculo
 17    266 fe80::/64                No vínculo
 17    266 fe80::251b:19d4:ee17:5265/128
                                    No vínculo
 11    266 fe80::fcd8:57dd:9e6:eade/128
                                    No vínculo
  1    306 ff00::/8                 No vínculo
 11    266 ff00::/8                 No vínculo
 17    266 ff00::/8                 No vínculo
===========================================================================
Rotas persistentes:
  Nenhuma
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70144] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (11/17/2017 12:31:31 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:30 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:30 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:30 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:29 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:29 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:29 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:29 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:29 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
Error: (11/17/2017 12:31:29 AM) (Source: SideBySide) (User: )
Description: Falha na geração de contexto de ativação para "1". Erro no arquivo de manifesto ou de diretiva 2", na linha 3.
O elemento raiz do arquivo de manifesto precisa ser Assembly.
 
 
System errors:
=============
Error: (11/17/2017 06:27:46 AM) (Source: Schannel) (User: AUTORIDADE NT)
Description: O seguinte alerta fatal foi recebido: 40.
 
Error: (11/17/2017 06:27:46 AM) (Source: Schannel) (User: AUTORIDADE NT)
Description: O seguinte alerta fatal foi recebido: 70.
 
Error: (11/17/2017 06:27:45 AM) (Source: Schannel) (User: AUTORIDADE NT)
Description: O seguinte alerta fatal foi recebido: 70.
 
Error: (11/17/2017 06:27:32 AM) (Source: Service Control Manager) (User: )
Description: Não foi possível iniciar o serviço Spybot-S&D 2 Security Center Service devido ao seguinte erro: 
%%577 = O Windows não pode verificar a assinatura digital deste arquivo. Talvez uma alteração recente de hardware ou software tenha instalado um arquivo com uma assinatura incorreta ou danificado, ou talvez o arquivo seja um software mal-intencionado de origem desconhecida.
 
 
Error: (11/17/2017 06:26:58 AM) (Source: EventLog) (User: )
Description: O desligamento anterior do sistema em 06:25:40 às ‎17/‎11/‎2017 não era esperado.
 
Error: (11/16/2017 04:44:20 PM) (Source: BROWSER) (User: )
Description: O serviço localizador não pôde recuperar a lista de backup muitas vezes no transporte \Device\NetBT_Tcpip_{D533D9ED-D013-4B0E-A70A-4C6837C1AA60}.
O localizador reserva está finalizando.
 
Error: (11/16/2017 02:25:03 PM) (Source: Service Control Manager) (User: )
Description: Não foi possível iniciar o serviço Spybot-S&D 2 Security Center Service devido ao seguinte erro: 
%%577 = O Windows não pode verificar a assinatura digital deste arquivo. Talvez uma alteração recente de hardware ou software tenha instalado um arquivo com uma assinatura incorreta ou danificado, ou talvez o arquivo seja um software mal-intencionado de origem desconhecida.
 
 
Error: (11/16/2017 02:24:33 PM) (Source: Schannel) (User: AUTORIDADE NT)
Description: O seguinte alerta fatal foi recebido: 40.
 
Error: (11/16/2017 02:24:32 PM) (Source: Schannel) (User: AUTORIDADE NT)
Description: O seguinte alerta fatal foi recebido: 70.
 
Error: (11/16/2017 02:24:32 PM) (Source: Schannel) (User: AUTORIDADE NT)
Description: O seguinte alerta fatal foi recebido: 70.
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2017-11-17 07:28:51.011
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-17 07:28:50.996
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-17 06:27:32.846
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-17 00:31:31.501
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-17 00:31:31.501
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-17 00:31:31.485
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-17 00:31:31.454
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-16 14:25:03.853
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-16 11:18:03.007
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-11-16 11:18:02.992
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
7-Zip 16.04 (HKLM-x32\...\{23170F69-40C1-2701-1604-000001000000}) (Version: 16.04.00.0 - Igor Pavlov)
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Reader 9.3 - Português (HKLM-x32\...\{AC76BA86-7AD7-1046-7B44-A93000000001}) (Version: 9.3.0 - Adobe Systems Incorporated)
Arquivo do WinRAR (HKLM-x32\...\WinRAR archiver) (Version:  - )
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.5.2303 - AVAST Software)
Bematool 4 Pro (HKLM-x32\...\{374DE68B-9948-451B-ADE8-521472E97DA8}) (Version: 4.0.5 - Newtech)
Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{64973F6A-8754-43D1-BDD0-FC6F0546347B}) (Version: 14.4.6.2 - Broadcom Corporation)
Cartão Convênio [Client] (HKLM-x32\...\Cartão Convênio [Client]_is1) (Version: 1.7.8.128 - Convcard Cartões)
Cisco Systems VPN Client 5.0.07.0440 (HKLM\...\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}) (Version: 5.0.7 - Cisco Systems, Inc.)
CISSPoder 16 (HKLM-x32\...\CISSPoder_is1) (Version: 16.0.4.302 - CISS Software e Serviços)
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
Direção Client D-TEF versão 8.1.52.1706 (HKLM-x32\...\Direção Client D-TEF_is1) (Version: 8.1.52.1706 - )
D-TEF 8 Runtime (HKLM-x32\...\D-TEF 8 Runtime_is1) (Version: 8.1.52.17 - )
Gateway TCP (HKLM-x32\...\Gateway TCP_is1) (Version:  - )
GNU Ghostscript 7.06 (HKLM-x32\...\GNU Ghostscript 7.06) (Version:  - )
GNU Ghostscript Fonts (HKLM-x32\...\GNU Ghostscript Fonts) (Version:  - )
GnuWin32: OpenSSL-0.9.8h-1 (HKLM-x32\...\OpenSSL-0.9.8h-1_is1) (Version: 0.9.8h-1 - GnuWin32)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 62.0.3202.94 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{18455581-E099-4BA8-BC6B-F34B2F06600C}) (Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.07) (Version: 9.07 - Artifex Software Inc.)
HP LaserJet Pro M402-M403 n-dn (HKLM-x32\...\{e2164336-c5d8-4ac9-a53b-125779c4c21b}) (Version: 16.0.15295.589 - Hewlett-Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDXP (HKLM-x32\...\{2D0909B2-FA33-4C36-8845-BF930A5A945E}) (Version: 3.0.26.15 - HP) Hidden
HPLJPRoM402M403ndn (HKLM-x32\...\{58532038-B97D-4C9B-9B96-C70D5EA763F4}) (Version: 0.05.0000 - Hewlett-Packard) Hidden
HPLJUTCore (HKLM-x32\...\{B445502B-2F83-4873-90F1-06059F71A46A}) (Version: 014.000.0001 - HP) Hidden
HPLJUTM402_403_n_dn (HKLM-x32\...\{9F80C0C9-5F41-4185-BE3D-423DF82F9C4E}) (Version: 016.000.0001 - HP) Hidden
hppLaserJetService (HKLM-x32\...\{0C4C3664-157A-4D69-B474-31EBF2EE1AE3}) (Version: 009.033.00926 - Hewlett-Packard) Hidden
hppM402M403ndnLaserJetService (HKLM-x32\...\{A16F79BE-1852-49BD-8689-660ED05E8D42}) (Version: 001.034.00688 - Hewlett-Packard) Hidden
hpStatusAlerts (HKLM-x32\...\{32DE03E8-D0B3-4D13-A885-D3EDFC959EEC}) (Version: 180.040.00267 - HP Development Company, L.P.) Hidden
hpStatusAlertsM402_M403_n_dn (HKLM-x32\...\{7F53E575-C37E-417C-9B72-1A2A097706EA}) (Version: 160.046.0135 - Hewlett-Packard) Hidden
IBM Data Server Runtime Client - DB2COPY1 (HKLM\...\{A9AE5899-1528-4050-A363-F99E9D12D870}) (Version: 10.5.0.420 - Nome de sua empresa:)
Instalador Remoto Linx TEF (HKLM-x32\...\TEF) (Version: 2.0.0.0 - Linx Direção)
K-Lite Codec Pack 11.4.0 Basic (HKLM-x32\...\KLiteCodecPack_is1) (Version: 11.4.0 - )
LJDXPHelperUI (HKLM-x32\...\{DEB23FB1-04FF-44AC-98B5-EEB243D65A28}) (Version: 140.069.007 - HP) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Nero Burning ROM-Nero Express (HKLM-x32\...\Nero Burning ROM-Nero Express) (Version:  - )
Pacote de Idiomas do Microsoft .NET Framework 4 Client Profile - Português (Brasil) (HKLM\...\Microsoft .NET Framework 4 Client Profile PTB Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
psqlODBC (HKLM-x32\...\{838E187D-8B7A-473D-B93C-C8E970B15D2B}) (Version: 09.01.0100 - PostgreSQL Global Development Group)
Reconexão Cisco VPN (HKLM-x32\...\Reconexão Cisco VPN) (Version: 1.0.0.7 - Linx Sistemas e Consultoria)
SafeZone Stable 3.55.2393.609 (HKLM-x32\...\SafeZone 3.55.2393.609) (Version: 3.55.2393.609 - Avast Software) Hidden
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.6.46 - Safer-Networking Ltd.)
TeamViewer 11 (HKLM-x32\...\TeamViewer) (Version: 11.0.51091 Beta - TeamViewer)
USB Disk Security (HKLM-x32\...\USB Disk Security_is1) (Version:  - Zbshareware Lab)
WinSQL (HKLM-x32\...\{FDC6FB50-CC2E-4A29-8A4C-58C546644415}) (Version: 9.0 - Synametrics Technologies)
 
========================= Devices: ================================
 
Name: Modem PCI
Description: Modem PCI
Class Guid: 
Manufacturer: 
Service: 
Device ID: PCI\VEN_134D&DEV_2189&SUBSYS_1002134D&REV_04\4&1DF304F3&0&10F0
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 56%
Total physical RAM: 2011.65 MB
Available physical RAM: 873.16 MB
Total Virtual: 4023.3 MB
Available Virtual: 2556.93 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:148.91 GB) (Free:122.67 GB) NTFS
 
========================= Users: ========================================
 
Contas de usuário para \\CLIENTE-PC
 
Administrador            Cliente                  Convidado                
Comando concluído com êxito.
 
========================= Restore Points ==================================
 
13-11-2017 17:16:55 ComboFix created restore point
 
**** End of log ****
 
 
 


#4 giobortolato

giobortolato
  • Topic Starter


Posted 17 November 2017 - 10:24 AM

MBAR Log 

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.11.17.06
  rootkit: v2017.10.14.01
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Cliente :: CLIENTE-PC [administrator]
 
17/11/2017 11:59:17
mbar-log-2017-11-17 (11-59-17).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 261798
Time elapsed: 13 minute(s), 43 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Program Files (x86)\CissDownloadNfe\CissDownloadNf-e.exe (Adware.OtherSearch) -> Delete on reboot. [6337cb3888224fe7c226e7bb4fb1ad53]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
MBAR System Log
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7600 Windows 7 x64
 
Account is Administrative
 
Internet Explorer version: 8.0.7600.16385
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.926000 GHz
Memory total: 2109366272, free: 364494848
 
Downloaded database version: v2017.11.17.06
Initializing...
======================
Driver version: 4.3.0.15
------------ Kernel report ------------
     11/17/2017 11:59:10
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\DRIVERS\ACPI.sys
\SystemRoot\system32\DRIVERS\WMILIB.SYS
\SystemRoot\system32\DRIVERS\msisadrv.sys
\SystemRoot\system32\DRIVERS\pci.sys
\SystemRoot\system32\DRIVERS\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\intelide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\atapi.sys
\SystemRoot\system32\DRIVERS\ataport.SYS
\SystemRoot\system32\DRIVERS\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\aswRvrt.sys
\SystemRoot\system32\drivers\aswVmm.sys
\SystemRoot\system32\DRIVERS\vmstorfl.sys
\SystemRoot\system32\DRIVERS\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\aswbuniva.sys
\SystemRoot\system32\drivers\aswbloga.sys
\SystemRoot\system32\drivers\aswbidsha.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\aswSP.sys
\SystemRoot\system32\drivers\aswSnx.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\drivers\aswKbd.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\aswRdr2.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\drivers\aswbidsdrivera.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\k57nd60a.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\dne64x.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\gertec_enum.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\gertec_usbcdc.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\aswMonFlt.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\Drivers\CVPNDRVA.sys
\SystemRoot\system32\DRIVERS\CVirtA64.sys
\SystemRoot\System32\Drivers\mbamswissarmy.sys
\SystemRoot\system32\DRIVERS\mwac.sys
\SystemRoot\System32\Drivers\MbamChameleon.sys
\??\C:\Windows\system32\drivers\mbae64.sys
\SystemRoot\system32\DRIVERS\farflt.sys
\SystemRoot\system32\DRIVERS\mbam.sys
\??\C:\Windows\system32\drivers\44740251.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2017.11.17.06
  rootkit: v2017.10.14.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8002729060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8002729b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8002729060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80021e1060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 48000000
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 312289280
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
Disk Size: 160000000000 bytes
Sector size: 512 bytes
 
Done!
Infected: C:\Program Files (x86)\CissDownloadNfe\CissDownloadNf-e.exe --> [Adware.OtherSearch]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-206848-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
RKill Log
 
Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/17/2017 11:30:31 AM in x64 mode.
Windows Version: Windows 7 Ultimate 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Cliente\AppData\Local\Alowp\Askype0.exe (PID: 2440) [UP-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 11/17/2017 11:31:19 AM
Execution time: 0 hours(s), 0 minute(s), and 48 seconds(s)
 
 


#5 giobortolato

giobortolato
  • Topic Starter


Posted 17 November 2017 - 10:29 AM

Malwarebytes
www.malwarebytes.com
 
-Detalhes de registro-
Data da análise: 17/11/17
Hora da análise: 11:43
Arquivo de registro: bd8464a5-cba5-11e7-8016-00059a3c7800.json
Administrador: Sim
 
-Informação do software-
Versão: 3.3.1.2183
Versão de componentes: 1.0.236
Versão do pacote de definições: 1.0.3282
Licença: Versão de Avaliação
 
-Informação do sistema-
Sistema operacional: Windows 7
CPU: x64
Sistema de arquivos: NTFS
Usuário: Cliente-PC\Cliente
 
-Resumo da análise-
Tipo de análise: Análise de Ameaças
Resultado: Concluído
Objetos verificados: 322454
Ameaças detectadas: 2
Ameaças em quarentena: 2
Tempo decorrido: 24 min, 26 seg
 
-Opções da análise-
Memória: Habilitado
Inicialização: Habilitado
Sistema de arquivos: Habilitado
Arquivos compactados: Habilitado
Rootkits: Desabilitado
Heurística: Habilitado
PUP: Detectar
PUM: Detectar
 
-Detalhes da análise-
Processo: 0
(Nenhum item malicioso detectado)
 
Módulo: 0
(Nenhum item malicioso detectado)
 
Chave de registro: 0
(Nenhum item malicioso detectado)
 
Valor de registro: 1
Trojan.BlockAV, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{EC6699BA-4689-4B0F-B5B7-9A47918F7D31}, Quarentena, [1151], [325171],1.0.3282
 
Dados de registro: 0
(Nenhum item malicioso detectado)
 
Fluxo de dados: 0
(Nenhum item malicioso detectado)
 
Pasta: 0
(Nenhum item malicioso detectado)
 
Arquivo: 1
Adware.OtherSearch, C:\PROGRAM FILES (X86)\CISSDOWNLOADNFE\CISSDOWNLOADNF-E.EXE, Quarentena, [446], [365866],1.0.3282
 
Setor físico: 0
(Nenhum item malicioso detectado)
 
 
(end)


#6 giobortolato

giobortolato
  • Topic Starter


Posted 17 November 2017 - 10:32 AM

Sorry about the Portuguese parts of the logs; the OS is in Portuguese.


Edited by giobortolato, 17 November 2017 - 10:32 AM.


#7 Broni

Broni

  • BC Advisor

Posted 17 November 2017 - 09:20 PM

That's not a problem.

 

Why is your Windows not up to date? For instance SP1 is missing.

 

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.


-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program




 




