Malware Removal

#16 itc1991 (Topic Starter, Member, 24 posts)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-04-2017 01
Ran by Ines (20-04-2017 16:10:13)
Running from C:\Users\Ines\Desktop
Windows 10 Home Version 1607 (X64) (2016-09-15 00:46:08)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-676550262-2765486237-767571021-500 - Administrator - Disabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-676550262-2765486237-767571021-503 - Limited - Disabled)
Guest (S-1-5-21-676550262-2765486237-767571021-501 - Limited - Disabled)
Ines (S-1-5-21-676550262-2765486237-767571021-1001 - Administrator - Enabled) => C:\Users\Ines
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: Avast Antivirus (Enabled) {B693136B-F6EE-DD1C-A0EF-229B8B0B29C4}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-676550262-2765486237-767571021-1001\...\uTorrent) (Version: 3.4.9.42606 - BitTorrent Inc.)
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.148 - Adobe Systems Incorporated)
Advanced Calendar 2.0.0.11380 (HKLM\...\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}) (Version: 2.0.0.11380 - MEIXIAN XIE) <==== ATTENTION
Avast Internet Security (HKLM-x32\...\Avast Antivirus) (Version: 17.3.2291 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.28 - Piriform)
ELAN Touchpad driver X64 15.7.9.2_WHQL (HKLM\...\Elantech) (Version: 15.7.9.2 - ELAN Microelectronic Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Update Helper (x32 Version: 1.3.33.3 - Google Inc.) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-676550262-2765486237-767571021-1001\...\OneDriveSetup.exe) (Version: 17.3.6743.1212 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-676550262-2765486237-767571021-500\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Popcorn Time CE YIFY (HKLM-x32\...\{F9BC7890-4FE5-4391-8C59-CD0C556EF115}) (Version: 1.0.0 - YIFY.is) <==== ATTENTION
Proteção de Terminal Trusteer (HKLM-x32\...\Rapport_msi) (Version: 3.5.1804.96 - Trusteer)
Rapport (x32 Version: 3.5.1804.96 - Trusteer) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7543 - Realtek Semiconductor Corp.)
SafeZone Stable 3.55.2393.596 (x32 Version: 3.55.2393.596 - Avast Software) Hidden
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.61.0 - Samsung Electronics Co., Ltd.)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.33 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.33.105 - Skype Technologies S.A.)
Smart Switch (HKLM-x32\...\InstallShield_{74FA5314-85C8-4E2A-907D-D9ECCCB770A7}) (Version: 4.1.16121.3 - Samsung Electronics Co., Ltd.)
Smart Switch (x32 Version: 4.1.16121.3 - Samsung Electronics Co., Ltd.) Hidden
Tools Assist (HKLM-x32\...\{3CA099AA-D173-49e0-B3EA-145D67934BB5}) (Version: 1.0.0.61 - Jinju Wang)
WinRAR 5.40 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {12EBC6BC-99C4-46E4-BA21-1B8AF413BFD2} - System32\Tasks\{C1CE6231-3874-4432-89CE-D86D19A829FE} => C:\Program Files (x86)\ToolsAssist\toolserv.exe [2015-11-16] ()
Task: {582A1B47-5676-4BC8-851C-53D3C3F75982} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-04-03] (AVAST Software)
Task: {85013611-6C73-4191-ACEA-703FCC1890F4} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2015-09-24] (Realtek Semiconductor)
Task: {C3BB9EB5-B115-4AE8-9DB8-BF9D21CFEF60} - System32\Tasks\SafeZone scheduled Autoupdate 1458699171 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2017-03-22] (Avast Software)
Task: {C7C868B1-3829-46FE-BAF1-EF51DA526117} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-04-13] (Adobe Systems Incorporated)
Task: {CFDBA839-1AD3-4C90-8D58-B719C7AECC18} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-01] (Google Inc.)
Task: {D6C974C2-5DDA-4413-B139-E99A55F57011} - System32\Tasks\{CB67D0D5-746F-41CA-820D-EE2154015763} => pcalua.exe -a "C:\Program Files (x86)\Wondershare\MobileGo-b\unins000.exe" -c /WAF
Task: {E04C6F3F-F6F0-4C80-8EFC-17E9E25AB63E} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-04-13] (AVAST Software)
Task: {E328D6E8-3E4A-453A-A3EC-E662A399E6A4} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-01] (Google Inc.)
Task: {E4890EDD-34A3-4973-8E4C-2679226DC041} - System32\Tasks\Tools_Update_{CFAC34AB-5DB5-4dea-94EC-1D42E3942873} => C:\Program Files (x86)\tools\update\tools_update.exe [2016-07-04] ()
Task: {E6516078-B278-4618-901E-BD152339EF59} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2017-04-17] (Microsoft Corporation)
Task: {EC01C9B9-4C00-4550-91BC-635B2E778393} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-03-03] (Piriform Ltd)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 12:42 - 2016-07-16 12:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2017-04-12 00:34 - 2017-03-28 07:22 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2015-09-24 14:15 - 2015-09-24 14:13 - 00008192 _____ () C:\WINDOWS\SysWOW64\srvany.exe
2015-09-24 14:15 - 2015-09-24 14:13 - 00151552 _____ () C:\WINDOWS\KMService.exe
2015-11-16 09:48 - 2015-11-16 09:48 - 00202872 _____ () C:\Program Files (x86)\ToolsAssist\toolserv.exe
2017-04-12 00:34 - 2017-03-28 07:22 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2010-01-09 20:17 - 2010-01-09 20:17 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-01-21 01:40 - 2010-01-21 01:40 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2016-09-16 09:08 - 2016-09-07 05:56 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-27 22:12 - 2017-03-04 07:31 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-03-27 22:13 - 2017-03-04 07:12 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-03-27 22:13 - 2017-03-04 07:05 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-27 22:13 - 2017-03-04 07:05 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-04-12 00:33 - 2017-03-28 06:08 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-04-12 00:34 - 2017-03-28 06:11 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2015-11-16 09:47 - 2015-11-16 09:47 - 00374392 _____ () C:\Program Files (x86)\ToolsAssist\1.0.0.61\ErrorReport.exe
2017-04-07 14:39 - 2017-04-07 14:40 - 01695440 _____ () C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.8067.57631.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll
2017-04-19 08:40 - 2017-04-19 08:41 - 13095104 _____ () C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.8067.57631.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Core.dll
2017-04-10 19:47 - 2017-04-10 19:47 - 00077312 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-04-10 19:47 - 2017-04-10 19:47 - 00189952 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-04-10 19:47 - 2017-04-10 19:47 - 42507264 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-04-10 19:47 - 2017-04-10 19:47 - 02334184 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\skypert.dll
2015-06-02 15:51 - 2015-06-02 15:51 - 00545792 _____ () C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll
2017-04-06 17:11 - 2017-03-29 03:04 - 02187096 _____ () C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\libglesv2.dll
2017-04-06 17:11 - 2017-03-29 03:04 - 00086360 _____ () C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\libegl.dll
2017-04-03 13:04 - 2017-04-03 13:04 - 00170216 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-09-27 04:49 - 2016-09-27 04:49 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-04-03 13:04 - 2017-04-03 13:04 - 00176480 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-04-03 13:03 - 2017-04-03 13:03 - 00293936 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-04-03 13:04 - 2017-04-03 13:04 - 00653520 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-07-30 23:42 - 2015-12-15 08:43 - 00000828 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-676550262-2765486237-767571021-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img3.jpg
HKU\S-1-5-21-676550262-2765486237-767571021-500\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 194.168.4.100 - 194.168.8.100
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: RapportMgmtService => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: ss_conn_service => 2
MSCONFIG\Services: TheCalendarService => 2
MSCONFIG\Services: ThevSnapshotService => 2
MSCONFIG\Services: WsAppService => 2
HKU\S-1-5-21-676550262-2765486237-767571021-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_F27EA6D051630301532E4448EA4CB627"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [UDP Query User{78489B7D-833D-4983-BB86-69B2C8B8AC75}C:\program files (x86)\wondershare\mobilego-b\mobilego.exe] => (Allow) C:\program files (x86)\wondershare\mobilego-b\mobilego.exe
FirewallRules: [TCP Query User{0245BDB9-200E-43D6-8AF9-13EB157F2E63}C:\program files (x86)\wondershare\mobilego-b\mobilego.exe] => (Allow) C:\program files (x86)\wondershare\mobilego-b\mobilego.exe
FirewallRules: [UDP Query User{C1276135-AB7A-4031-BCC5-A2B6BBB73F0F}C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe] => (Allow) C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe
FirewallRules: [TCP Query User{C9AB8833-55F9-452B-BCFB-8100E5891821}C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe] => (Allow) C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe
FirewallRules: [UDP Query User{5A146B14-BCB2-4772-AFA4-00A22A186B1E}C:\users\ines\appdata\local\popcorn time ce yify\nw.exe] => (Allow) C:\users\ines\appdata\local\popcorn time ce yify\nw.exe
FirewallRules: [TCP Query User{72C3EC5C-C568-477F-961C-7194E494F94D}C:\users\ines\appdata\local\popcorn time ce yify\nw.exe] => (Allow) C:\users\ines\appdata\local\popcorn time ce yify\nw.exe
FirewallRules: [UDP Query User{9EA966B9-556F-4354-AF55-D3BE605F6E3D}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [TCP Query User{807F9233-F000-4831-A56E-6D5D2ADCFBCB}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [{4ACF7381-54FB-4427-B994-79440DFEAC4C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{76145384-E83B-4C3B-BA6D-6B73132145EC}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{E9E4C848-96F8-438F-92BD-C165283429D5}] => (Allow) C:\Users\Ines\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{EDA216C9-D454-43A3-A0A6-6D37F21DEA50}] => (Allow) C:\Users\Ines\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{59CB3062-2ED7-4F04-A8FC-321A8C0178EC}] => (Allow) C:\Users\Ines\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{4A7C3A2F-A92D-4CD7-ABDA-AC7355A582D4}] => (Allow) C:\Users\Ines\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{5D109965-DBEA-47EE-AAFF-B95F77B3DAC3}] => (Allow) C:\Users\Ines\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{ACAE99DA-503B-4B81-855F-173819B1FA35}] => (Allow) C:\Users\Ines\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{E5CDCA50-71E3-4BBB-B855-B545264477FF}C:\users\ines\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\ines\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{60633A92-7D04-49CB-BB62-D07F8391F0BA}C:\users\ines\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\ines\appdata\local\popcorn time\nw.exe
FirewallRules: [{A2E11485-2C2F-4252-AC1F-4F506A2C1F31}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{1540D5A5-8212-451D-8630-D8AE9FA3E862}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{23448DF1-0859-479C-A1B7-449CD8DF1C04}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{8A73BB8A-49C8-419E-BBE2-EE44976CCA75}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [{4AFA8EFA-2D8C-4440-846A-610D26BF76CC}] => (Allow) C:\Program Files (x86)\SpringFiles\SpringFiles.exe
FirewallRules: [{79F73384-AF36-45C7-BA5F-ECF4061CB9A5}] => (Allow) C:\Program Files (x86)\SpringFiles\SpringFiles.exe
FirewallRules: [{C3EAA71B-E581-46C3-8E4D-E6F1F04B9D66}] => (Allow) C:\Program Files (x86)\SpringFiles\downloader.exe
FirewallRules: [{D6DA0916-45FA-4AB4-9F74-9C3FFCBAA675}] => (Allow) C:\Program Files (x86)\SpringFiles\downloader.exe
FirewallRules: [{4014DB3D-16D8-4C1B-9C55-D1C7C23FC570}] => (Allow) C:\Users\Ines\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [TCP Query User{426F5CE8-B4DA-416C-87F9-80A1CB49C5C0}C:\users\ines\appdata\local\popcorn time ce yify\nw.exe] => (Allow) C:\users\ines\appdata\local\popcorn time ce yify\nw.exe
FirewallRules: [UDP Query User{A99D6071-DA41-4627-923D-CAA07AA46504}C:\users\ines\appdata\local\popcorn time ce yify\nw.exe] => (Allow) C:\users\ines\appdata\local\popcorn time ce yify\nw.exe
FirewallRules: [TCP Query User{1761F61F-6AC3-49DB-8EC7-7B6D19CA9339}C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe] => (Block) C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe
FirewallRules: [UDP Query User{481F4C6A-2645-4528-A0C7-332B88C626E6}C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe] => (Block) C:\program files (x86)\wondershare\mobilego-b\mobilegoservice.exe
FirewallRules: [TCP Query User{E04C7540-AA92-476D-A988-D3829ABFE61C}C:\program files (x86)\wondershare\mobilego-b\mobilego.exe] => (Allow) C:\program files (x86)\wondershare\mobilego-b\mobilego.exe
FirewallRules: [UDP Query User{D09C24F5-0F9E-48FC-8B6C-C77A4AE88083}C:\program files (x86)\wondershare\mobilego-b\mobilego.exe] => (Allow) C:\program files (x86)\wondershare\mobilego-b\mobilego.exe
FirewallRules: [{7DB03B3D-8FAC-4F10-A7B4-6370CC87958C}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.590\SZBrowser.exe
FirewallRules: [{38840991-5DB3-4AC9-AD36-99B36E8F56A1}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.596\SZBrowser.exe
FirewallRules: [{EB60C1F1-C5F3-4873-947E-04583B0FA516}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/20/2017 03:16:26 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: O procedimento Open para o serviço "BITS" na DLL "C:\Windows\System32\bitsperf.dll" falhou. Os dados de desempenho para este serviço não estarão disponíveis. Os primeiros quatro bytes (DWORD) da secção Data contêm o código de erro.
 
Error: (04/20/2017 02:02:34 AM) (Source: Windows Search Service) (EventID: 3104) (User: )
Description: Falha ao enumerar sessões de utilizador para geração de conjuntos de filtros.
 
Details:
(HRESULT : 0x80040210) (0x80040210)
 
 
System errors:
=============
Error: (04/20/2017 05:09:54 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4
 
Error: (04/20/2017 05:09:52 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 e APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 ao SID (S-1-5-18) de utilizador NT AUTHORITY\SYSTEM a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/19/2017 08:33:32 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 e APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 ao SID (S-1-5-19) de utilizador NT AUTHORITY\LOCAL SERVICE a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/19/2017 08:33:32 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 e APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 ao SID (S-1-5-19) de utilizador NT AUTHORITY\LOCAL SERVICE a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/19/2017 08:33:29 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 e APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 ao SID (S-1-5-18) de utilizador NT AUTHORITY\SYSTEM a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/19/2017 08:26:08 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Falha na inicialização da imagem de erro!
 
Error: (04/19/2017 06:17:15 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 e APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 ao SID (S-1-5-18) de utilizador NT AUTHORITY\SYSTEM a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/18/2017 11:56:34 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 e APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 ao SID (S-1-5-19) de utilizador NT AUTHORITY\LOCAL SERVICE a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/18/2017 11:56:34 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 e APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 ao SID (S-1-5-19) de utilizador NT AUTHORITY\LOCAL SERVICE a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
Error: (04/18/2017 11:56:32 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: As definições de permissão de application-specific não concedem permissão de Local Activation para a aplicação de Servidor COM com CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 e APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 ao SID (S-1-5-18) de utilizador NT AUTHORITY\SYSTEM a partir do endereço LocalHost (Using LRPC) em execução no SID (Unavailable) de contentor aplicacional Unavailable. Esta permissão de segurança pode ser modificada utilizando a ferramenta administrativa de Serviços de Componentes.
 
 
==================== Memory info =========================== 
 
Processor: Quad-Core Processor (up to 1.4GHz) 
Percentage of memory in use: 67%
Total physical RAM: 3526.92 MB
Available physical RAM: 1141.07 MB
Total Virtual: 4166.92 MB
Available Virtual: 1045.5 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:118.7 GB) (Free:54.35 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119.2 GB) (Disk ID: 5B77F2A0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=118.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)
 
==================== End of Addition.txt ============================

#17 itc1991 (Topic Starter, Member, 24 posts)

Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
System Idle Process 93.83 0 K 4 K 0
procexp64.exe 3.17 23 132 K 54 016 K 5912 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
dwm.exe 0.92 53 184 K 47 884 K 900
Interrupts 0.73 0 K 0 K n/a Hardware Interrupts and DPCs
System 0.44 124 K 136 K 4
csrss.exe 0.32 3 552 K 5 576 K 628
RapportService.exe 0.20 61 972 K 35 936 K 1840
chrome.exe 0.07 169 364 K 139 644 K 6116 Google Chrome Google Inc. (Verified) Google Inc
explorer.exe 0.06 48 096 K 95 392 K 724 Explorador do Windows Microsoft Corporation (Verified) Microsoft Windows
RapportMgmtService.exe 0.06 65 328 K 27 476 K 1588 RapportMgmtService IBM Corp. (Verified) IBM
svchost.exe 0.04 7 620 K 16 976 K 1520 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
osk.exe 0.03 6 304 K 21 752 K 7356
AvastSvc.exe 0.03 157 828 K 40 920 K 2148 Avast Service AVAST Software (Verified) AVAST Software s.r.o.
conhost.exe 0.03 1 328 K 4 888 K 2820
aswidsagenta.exe 0.02 22 644 K 36 276 K 3288 Avast Behavior Shield AVAST Software s.r.o. (Verified) AVAST Software s.r.o.
CCleaner64.exe 0.02 9 936 K 1 260 K 6540
chrome.exe 0.01 130 244 K 331 540 K 6504 Google Chrome Google Inc. (Verified) Google Inc
AvastUI.exe 0.01 16 260 K 24 020 K 9108 Avast Antivirus AVAST Software (Verified) AVAST Software s.r.o.
chrome.exe < 0.01 123 916 K 139 412 K 8036 Google Chrome Google Inc. (Verified) Google Inc
csrss.exe < 0.01 1 624 K 3 804 K 84
svchost.exe < 0.01 10 136 K 35 632 K 4456 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
afwServ.exe < 0.01 12 312 K 23 504 K 2444 Avast firewall service AVAST Software (Verified) AVAST Software s.r.o.
svchost.exe < 0.01 33 436 K 50 780 K 1044 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
WmiPrvSE.exe 6 688 K 12 572 K 5656
winlogon.exe 1 940 K 9 312 K 708
wininit.exe 988 K 4 184 K 612
toolserv.exe 1 524 K 116 K 4960
taskhostw.exe 6 980 K 16 340 K 2284 Processo Anfitrião para Tarefas do Windows Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 13 700 K 29 936 K 1116 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 14 188 K 21 860 K 1136 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 5 628 K 10 176 K 948 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 9 692 K 22 392 K 876 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 5 896 K 16 684 K 2788 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 17 940 K 30 532 K 1252 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 5 260 K 13 672 K 2084 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 3 400 K 10 992 K 1564 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 8 728 K 23 876 K 2628 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 13 512 K 24 380 K 1128 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 2 460 K 9 484 K 2004 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 3 988 K 10 368 K 2984 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 1 624 K 6 104 K 3576 Processo Anfitrião dos Serviços do Windows Microsoft Corporation (Verified) Microsoft Windows Publisher
srvany.exe 688 K 3 448 K 2660
spoolsv.exe 5 404 K 11 056 K 2268 Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows
smss.exe 376 K 1 044 K 444
smartscreen.exe 8 632 K 14 924 K 7148 SmartScreen Microsoft Corporation (Verified) Microsoft Windows
SkypeHost.exe Suspended 33 124 K 25 736 K 856 Microsoft Skype Microsoft Corporation (Nenhuma assinatura estava presente no sujeito) Microsoft Corporation
sihost.exe 6 728 K 22 168 K 2280 Shell Infrastructure Host Microsoft Corporation (Verified) Microsoft Windows
ShellExperienceHost.exe Suspended 52 268 K 51 608 K 4568 Windows Shell Experience Host Microsoft Corporation (Verified) Microsoft Windows
SettingSyncHost.exe 15 740 K 17 224 K 5916 Host Process for Setting Synchronization Microsoft Corporation (Verified) Microsoft Windows
services.exe 3 236 K 7 584 K 752
SearchUI.exe Suspended 56 416 K 54 272 K 4940 Search and Cortana application Microsoft Corporation (Verified) Microsoft Windows
SearchIndexer.exe 22 320 K 20 392 K 1868 Indexador do Microsoft Windows Search Microsoft Corporation (Verified) Microsoft Windows
RuntimeBroker.exe 19 620 K 37 476 K 4636 Runtime Broker Microsoft Corporation (Verified) Microsoft Windows
RAVCpl64.exe 4 820 K 11 560 K 6120 Gestor de audio de alta definicao Realtek Realtek Semiconductor (Verified) Realtek Semiconductor Corp
procexp.exe 3 480 K 10 720 K 7036 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
onenoteim.exe Suspended 60 448 K 60 304 K 6528 OneNote Microsoft Corporation (Verified) Microsoft Corporation
notepad.exe 2 440 K 12 588 K 1420
Memory Compression 496 K 158 176 K 2884
lsass.exe 6 112 K 14 064 K 768 Local Security Authority Process Microsoft Corporation (Verified) Microsoft Windows Publisher
KMService.exe 696 K 3 336 K 2772
InputPersonalization.exe 3 564 K 15 784 K 8920 Servidor de Personalização de Entrada Microsoft Corporation (Verified) Microsoft Windows
fontdrvhost.exe 732 K 2 372 K 6384
ETDTouch.exe 2 264 K 5 716 K 1660
ETDService.exe 948 K 4 536 K 2636 Elan Service ELAN Microelectronics Corp. (Verified) ELAN Microelectronics Corporation
ETDCtrlHelper.exe 2 740 K 7 560 K 4288
ETDCtrl.exe 9 012 K 16 036 K 1480 ETD Control Center ELAN Microelectronics Corp. (Verified) ELAN Microelectronics Corporation
ErrorReport.exe 2 332 K 2 200 K 5520
ErrorReport.exe 2 556 K 1 144 K 5856
ErrorReport.exe 2 532 K 1 892 K 5412
ErrorReport.exe 2 324 K 3 684 K 6084
dasHost.exe 6 508 K 12 972 K 1464
conhost.exe 5 148 K 660 K 6052
conhost.exe 5 132 K 584 K 8648
conhost.exe 5 132 K 576 K 8228
conhost.exe 5 132 K 820 K 9168
chrome.exe 61 968 K 59 868 K 7176 Google Chrome Google Inc. (Verified) Google Inc
chrome.exe 147 604 K 58 972 K 7372 Google Chrome Google Inc. (Verified) Google Inc
chrome.exe 38 140 K 28 208 K 7400 Google Chrome Google Inc. (Verified) Google Inc
chrome.exe 210 452 K 179 960 K 7432 Google Chrome Google Inc. (Verified) Google Inc
chrome.exe 5 312 K 8 924 K 6712 Google Chrome Google Inc. (Verified) Google Inc
chrome.exe 5 300 K 9 272 K 4540 Google Chrome Google Inc. (Verified) Google Inc
audiodg.exe 8 668 K 10 880 K 3156
atiesrxx.exe 1 172 K 4 768 K 1824 AMD External Events Service Module AMD (Verified) Microsoft Windows Hardware Compatibility Publisher
atieclxx.exe 2 240 K 8 760 K 1876
AtBroker.exe 1 416 K 4 296 K 4760 Windows Assistive Technology Manager Microsoft Corporation (Verified) Microsoft Windows
AtBroker.exe 2 064 K 10 084 K 3176 Windows Assistive Technology Manager Microsoft Corporation (Verified) Microsoft Windows
AtBroker.exe 1 628 K 5 660 K 480 Windows Assistive Technology Manager Microsoft Corporation (Verified) Microsoft Windows
AtBroker.exe 2 108 K 12 252 K 1636 Windows Assistive Technology Manager Microsoft Corporation (Verified) Microsoft Windows
AtBroker.exe 1 376 K 5 352 K 228 Windows Assistive Technology Manager Microsoft Corporation (Verified) Microsoft Windows
ApplicationFrameHost.exe 6 748 K 19 108 K 6736 Application Frame Host Microsoft Corporation (Verified) Microsoft Windows

  • 0

#18
RKinner
    Malware Expert
  • Expert
  • 19,010 posts
  • MVP

Run FRST. In the search box put:

errorreport.exe;dashost.exe;conhost.exe

Click on Search Files. You will get a log. Please post it.

  • 0

#19
itc1991
    Member
  • Topic Starter
  • Member
  • 24 posts
RogueKiller V12.10.5.0 (x64) [Apr 18 2017] (Free) por Adlice Software
 
Sistema Operativo : Windows 10 (10.0.14393) 64 bits version
Iniciou : Modo normal
Utilizador : Ines [Administrador]
Começado de : C:\Users\Ines\Downloads\RogueKillerX64.exe
Modo : Examinar -- Data : 04/20/2017 16:37:36 (Duration : 01:49:57)
 
¤¤¤ Processos : 1 ¤¤¤
[PUP.Gen0|VT.PUP.Optional.Cherimoya] (SVC) bsdriver -- \??\C:\WINDOWS\system32\drivers\bsdriver.sys[7] -> Encontrado
 
¤¤¤ Registo : 16 ¤¤¤
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\CalendarTool -> Encontrado
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\Conduit -> Encontrado
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\TrustedStart -> Encontrado
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\Conduit -> Encontrado
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\TrustedStart -> Encontrado
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD} -> Encontrado
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bsdriver -> Encontrado
[PUP.Gen0|PUP.Gen1|VT.W32.HfsAdware.EDFE] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TheCalendarService (C:\Program Files (x86)\CalendarTool\2.0.0.11380\CalendarServ.exe) -> Encontrado
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9EA966B9-556F-4354-AF55-D3BE605F6E3D}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe|Name=popcorn time.exe|Desc=popcorn time.exe|Defer=User| [x] -> Encontrado
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{807F9233-F000-4831-A56E-6D5D2ADCFBCB}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe|Name=popcorn time.exe|Desc=popcorn time.exe|Defer=User| [x] -> Encontrado
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E5CDCA50-71E3-4BBB-B855-B545264477FF}C:\users\ines\appdata\local\popcorn time\nw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User| [x] -> Encontrado
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{60633A92-7D04-49CB-BB62-D07F8391F0BA}C:\users\ines\appdata\local\popcorn time\nw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User| [x] -> Encontrado
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4AFA8EFA-2D8C-4440-846A-610D26BF76CC} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SpringFiles\SpringFiles.exe|Name=SpringFiles| [x] -> Encontrado
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {79F73384-AF36-45C7-BA5F-ECF4061CB9A5} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SpringFiles\SpringFiles.exe|Name=SpringFiles| [x] -> Encontrado
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C3EAA71B-E581-46C3-8E4D-E6F1F04B9D66} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SpringFiles\downloader.exe|Name=SpringFiles| [x] -> Encontrado
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D6DA0916-45FA-4AB4-9F74-9C3FFCBAA675} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SpringFiles\downloader.exe|Name=SpringFiles| [x] -> Encontrado
 
¤¤¤ Tarefas : 0 ¤¤¤
 
¤¤¤ Arquivos : 11 ¤¤¤
[PUP.Gen0][Ficheiro] C:\Windows\System32\drivers\bsdriver.sys -> Encontrado
[Adw.NetFilter][Ficheiro] C:\Windows\System32\drivers\cherimoya.sys -> Encontrado
[PUP.Gen1][Pasta] C:\Users\Ines\AppData\Roaming\CalendarTool -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41162\utorrentie.exe -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Encontrado
[Tr.Gen0][Ficheiro] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Encontrado
[PUP.Gen1][Pasta] C:\Program Files (x86)\CalendarTool -> Encontrado
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Arquivos de hosts : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Carregado) ¤¤¤
 
¤¤¤ Navegadores : 2 ¤¤¤
[PUM.SearchEngine][Firefox:Config] 3xb7gf3q.default : user_pref("browser.search.selectedEngine", "Google (avast)"); -> Encontrado
[PUM.SearchEngine][Firefox:Config] 3xb7gf3q.default : user_pref("browser.search.defaultenginename", "Google (avast)"); -> Encontrado
 
¤¤¤ Verificação da MBR : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG MZMTD128HAFV-000 +++++
--- User ---
[MBR] 0f87a2a5f23067145a9780861f5f5589
[BSP] 57b55f5e9cc62e08d659c1a985d4434b : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 121552 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 249145344 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

  • 0

#23
itc1991
    Member
  • Topic Starter
  • Member
  • 24 posts
RogueKiller V12.10.5.0 (x64) [Apr 18 2017] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.14393) 64 bits version
Started : Normal mode
User : Ines [Administrator]
Started from : C:\Users\Ines\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 04/20/2017 16:37:36 (Duration : 01:49:57)
 
¤¤¤ Processes : 1 ¤¤¤
[PUP.Gen0|VT.PUP.Optional.Cherimoya] (SVC) bsdriver -- \??\C:\WINDOWS\system32\drivers\bsdriver.sys[7] -> Found
 
¤¤¤ Registry : 16 ¤¤¤
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\CalendarTool -> Found
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\Conduit -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\TrustedStart -> Found
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\Conduit -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-676550262-2765486237-767571021-1001\Software\TrustedStart -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD} -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bsdriver -> Found
[PUP.Gen0|PUP.Gen1|VT.W32.HfsAdware.EDFE] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TheCalendarService (C:\Program Files (x86)\CalendarTool\2.0.0.11380\CalendarServ.exe) -> Found
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9EA966B9-556F-4354-AF55-D3BE605F6E3D}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe|Name=popcorn time.exe|Desc=popcorn time.exe|Defer=User| [x] -> Found
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{807F9233-F000-4831-A56E-6D5D2ADCFBCB}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe|Name=popcorn time.exe|Desc=popcorn time.exe|Defer=User| [x] -> Found
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E5CDCA50-71E3-4BBB-B855-B545264477FF}C:\users\ines\appdata\local\popcorn time\nw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User| [x] -> Found
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{60633A92-7D04-49CB-BB62-D07F8391F0BA}C:\users\ines\appdata\local\popcorn time\nw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {4AFA8EFA-2D8C-4440-846A-610D26BF76CC} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SpringFiles\SpringFiles.exe|Name=SpringFiles| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {79F73384-AF36-45C7-BA5F-ECF4061CB9A5} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SpringFiles\SpringFiles.exe|Name=SpringFiles| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C3EAA71B-E581-46C3-8E4D-E6F1F04B9D66} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SpringFiles\downloader.exe|Name=SpringFiles| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D6DA0916-45FA-4AB4-9F74-9C3FFCBAA675} : v2.24|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SpringFiles\downloader.exe|Name=SpringFiles| [x] -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 11 ¤¤¤
[PUP.Gen0][File] C:\Windows\System32\drivers\bsdriver.sys -> Found
[Adw.NetFilter][File] C:\Windows\System32\drivers\cherimoya.sys -> Found
[PUP.Gen1][Folder] C:\Users\Ines\AppData\Roaming\CalendarTool -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41162\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Ines\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\CalendarTool -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts file : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Browsers : 2 ¤¤¤
[PUM.SearchEngine][Firefox:Config] 3xb7gf3q.default : user_pref("browser.search.selectedEngine", "Google (avast)"); -> Found
[PUM.SearchEngine][Firefox:Config] 3xb7gf3q.default : user_pref("browser.search.defaultenginename", "Google (avast)"); -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG MZMTD128HAFV-000 +++++
--- User ---
[MBR] 0f87a2a5f23067145a9780861f5f5589
[BSP] 57b55f5e9cc62e08d659c1a985d4434b : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 121552 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 249145344 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK


#24 itc1991 (Member, Topic Starter)


Sorry about all the RogueKiller logs ... they are all the same one.



#25 RKinner (Malware Expert, MVP)


Sometimes the forum forgets to tell you that it posted.  No problem.

In RogueKiller you can uncheck the Popcorn Time stuff - I don't think it's that bad - but see if it can get rid of the rest.



#26 itc1991 (Member, Topic Starter)

RogueKiller V12.10.5.0 (x64) [Apr 18 2017] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.14393) 64 bits version
Started : Normal mode
User : Ines [Administrator]
Started from : C:\Users\Ines\Downloads\RogueKillerX64.exe
Mode : Delete -- Date : 04/21/2017 13:50:38 (Duration : 01:43:07)
 
¤¤¤ Processes : 1 ¤¤¤
[PUP.Gen0|VT.PUP.Optional.Cherimoya] (SVC) bsdriver -- \??\C:\WINDOWS\system32\drivers\bsdriver.sys[7] -> ERROR [41c]
 
¤¤¤ Registry : 3 ¤¤¤
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bsdriver -> ERROR [5]
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9EA966B9-556F-4354-AF55-D3BE605F6E3D}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe|Name=popcorn time.exe|Desc=popcorn time.exe|Defer=User| [x] -> Not selected
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{807F9233-F000-4831-A56E-6D5D2ADCFBCB}C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ines\appdata\local\popcorn time\node-webkit\popcorn time.exe|Name=popcorn time.exe|Desc=popcorn time.exe|Defer=User| [x] -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[PUP.Gen0][File] C:\Windows\System32\drivers\bsdriver.sys -> ERROR [5]
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts file : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG MZMTD128HAFV-000 +++++
--- User ---
[MBR] 0f87a2a5f23067145a9780861f5f5589
[BSP] 57b55f5e9cc62e08d659c1a985d4434b : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 121552 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 249145344 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK


#27 itc1991 (Member, Topic Starter)


RogueKiller can't get rid of bsdrive!



#28 RKinner (Malware Expert, MVP)


Too bad.

Run FRST.  In the search box put:

errorreport.exe;dashost.exe;conhost.exe;bsdrive

click on Search Files.  You will get a log.  Please post it.


#29 itc1991 (Member, Topic Starter)

Farbar Recovery Scan Tool (x64) Version: 20-04-2017
Ran by Ines (21-04-2017 21:29:01)
Running from C:\Users\Ines\Desktop
Boot Mode: Normal
 
================== Search Files: "errorreport.exe;dashost.exe;conhost.exe;bsdrive" =============
 
C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.14393.82_none_fccf362315e27472\dasHost.exe
[2016-09-15 10:14][2016-09-15 10:14] 0094720 ____A (Microsoft Corporation) 6F12B244B6BAC8EEEB506C0BEE04F8CB [File is digitally signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.14393.0_none_d7bb4c4ff1abf620\dasHost.exe
[2016-07-16 12:42][2016-09-17 21:36] 0000199 ____A () 99B6AFD28F4F246497FE1E30367EC036 [File not signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-consolehost-launcher_31bf3856ad364e35_10.0.14393.0_none_a89d675a97f639c1\conhost.exe
[2016-07-16 12:42][2016-07-16 12:42] 0047104 ____A (Microsoft Corporation) D752C96401E2540A443C599154FC6FA9 [File is digitally signed]
 
C:\Windows\System32\conhost.exe
[2016-07-16 12:42][2016-07-16 12:42] 0047104 ____A (Microsoft Corporation) D752C96401E2540A443C599154FC6FA9 [File is digitally signed]
 
C:\Windows\System32\dasHost.exe
[2016-09-15 10:14][2016-09-15 10:14] 0094720 ____A (Microsoft Corporation) 6F12B244B6BAC8EEEB506C0BEE04F8CB [File is digitally signed]
 
C:\Program Files (x86)\ToolsAssist\1.0.0.61\ErrorReport.exe
[2015-11-16 09:47][2015-11-16 09:47] 0374392 ____A () B1084611EEFF2A07AF9FA8501FFAAA63 [File is digitally signed]
 
C:\Program Files (x86)\Samsung\Smart Switch PC\ErrorReport.exe
[2016-11-28 16:30][2016-11-28 16:30] 0483504 ____A (Samsung) C918873C1E411F20651827E082AC1BC5 [File is digitally signed]
 
====== End of Search ======

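The Search Files output above has a fixed shape: one line with the path of each hit, then one line with [created][modified], size, attributes, the publisher from the version info in parentheses, the MD5, and the signature state. Reading that by eye works for seven hits; a script does the same triage consistently. The following is an added example, not part of the thread and not an FRST feature: it parses that format from a constructed excerpt of the log above and flags entries that lack a signature or a publisher, were modified after creation, or are far smaller than another copy of the same file name. The flagging rules are my own heuristics, and a flag is a prompt for a human to look, not a verdict.

```powershell
# Added example, not from the thread and not an FRST feature: parse FRST
# "Search Files" output and flag entries worth a closer look. The input is a
# constructed excerpt copied from the search log posted above; the flagging
# rules below are my own triage heuristics (assumptions, not FRST logic).

$frstLog = @'
C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.14393.82_none_fccf362315e27472\dasHost.exe
[2016-09-15 10:14][2016-09-15 10:14] 0094720 ____A (Microsoft Corporation) 6F12B244B6BAC8EEEB506C0BEE04F8CB [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-o..ssociationframework_31bf3856ad364e35_10.0.14393.0_none_d7bb4c4ff1abf620\dasHost.exe
[2016-07-16 12:42][2016-09-17 21:36] 0000199 ____A () 99B6AFD28F4F246497FE1E30367EC036 [File not signed]

C:\Windows\System32\conhost.exe
[2016-07-16 12:42][2016-07-16 12:42] 0047104 ____A (Microsoft Corporation) D752C96401E2540A443C599154FC6FA9 [File is digitally signed]

C:\Windows\System32\dasHost.exe
[2016-09-15 10:14][2016-09-15 10:14] 0094720 ____A (Microsoft Corporation) 6F12B244B6BAC8EEEB506C0BEE04F8CB [File is digitally signed]

C:\Program Files (x86)\ToolsAssist\1.0.0.61\ErrorReport.exe
[2015-11-16 09:47][2015-11-16 09:47] 0374392 ____A () B1084611EEFF2A07AF9FA8501FFAAA63 [File is digitally signed]
'@

# Detail line under each path: [created][modified] size attributes (company) MD5 [signature state]
$detailPattern = '^\[(?<created>[^\]]+)\]\[(?<modified>[^\]]+)\] (?<size>\d+) (?<attrs>\S+) \((?<company>[^)]*)\) (?<md5>[0-9A-Fa-f]{32}) \[(?<sig>[^\]]+)\]$'

function ConvertFrom-FrstSearch {
    param([string]$Text)
    $lines = $Text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        # A hit is a drive-letter path immediately followed by a detail line
        if ($lines[$i] -match '^[A-Za-z]:\\' -and $lines[$i + 1] -match $detailPattern) {
            [pscustomobject]@{
                Path     = $lines[$i]
                Name     = ($lines[$i] -split '\\')[-1]
                Created  = $Matches.created
                Modified = $Matches.modified
                Size     = [int]$Matches.size
                Company  = $Matches.company
                MD5      = $Matches.md5.ToUpper()
                Signed   = ($Matches.sig -eq 'File is digitally signed')
            }
            $i++   # skip the detail line just consumed
        }
    }
}

function Get-FrstFindings {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        $why = @()
        if (-not $e.Signed)             { $why += 'not signed' }
        if ($e.Company -eq '')          { $why += 'no publisher in version info' }
        if ($e.Modified -ne $e.Created) { $why += 'modified after creation' }
        # Another hit with the same file name that is more than 10x larger than this one
        $bigger = @($Entries | Where-Object { $_.Name -eq $e.Name -and $_.Size -gt 10 * $e.Size })
        if ($bigger.Count -gt 0)        { $why += "far smaller than $($bigger.Count) other copy(ies) of $($e.Name)" }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Path = $e.Path; Size = $e.Size; Reasons = ($why -join '; ') }
        }
    }
}

$entries  = @(ConvertFrom-FrstSearch -Text $frstLog)
$findings = @(Get-FrstFindings -Entries $entries)
"{0} entries parsed, {1} flagged" -f $entries.Count, $findings.Count
$findings | Format-List
```

On this excerpt the script parses five entries and flags two: the 199-byte unsigned dasHost.exe under WinSxS (no publisher, modified after creation, and hundreds of times smaller than the other two copies of that name) and the ToolsAssist ErrorReport.exe, which is signed but carries no publisher name. The signed Microsoft copies of conhost.exe and dasHost.exe are not flagged. To run it on a real FRST search log, replace the here-string with Get-Content -Raw on the saved log file.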

#30 RKinner (Malware Expert, MVP)


Appears the files are legit except for bsdrive, which should have been bsdriver.sys.  Can you repeat the search but this time Search Registry?

Will it go into Safe Mode with Networking?  http://www.digitalci...mode-windows-10

If the bsdrive isn't running in Safe Mode it may be possible to disable it or rename it.

Open an Elevated Command Prompt:

sc stop bsdriver

If it stops or says it is not running try:

sc delete bsdriver

Does it get an error?

rename \WINDOWS\system32\drivers\bsdriver.sys bsdriver.vir

Does the above command work?


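The stop / delete / rename sequence in the post above is the standard way to pull a driver service that a scanner cannot remove, and the two error codes in the RogueKiller delete log fit it: if they are Win32 error codes, which is how they read, [41c] is 1052 (ERROR_INVALID_SERVICE_CONTROL, the driver does not accept a stop request) and [5] is ERROR_ACCESS_DENIED on the service key and the file. The following is an added example, not from the thread, that runs the same steps as one elevated PowerShell script and adds the checks a responder wants first: whether the session is actually in Safe Mode, what the service entry says the driver is, and a hash and signature of the image taken before anything is changed. It assumes the service name bsdriver and the image path C:\Windows\System32\drivers\bsdriver.sys, both from the RogueKiller log; the .vir rename follows the post.

```powershell
# Added example, not from the thread: the stop / delete / rename steps from the
# post above as one elevated PowerShell script, with checks before each step.
# Assumed: service name "bsdriver" and image C:\Windows\System32\drivers\bsdriver.sys
# (both appear in the RogueKiller log); the ".vir" suffix follows the post.
#Requires -RunAsAdministrator
param(
    [string]$ServiceName = 'bsdriver',
    [string]$ImagePath   = "$env:SystemRoot\System32\drivers\bsdriver.sys"
)

# Safe Mode sets SAFEBOOT_OPTION (Minimal or Network); a normal boot does not.
$boot = if ($env:SAFEBOOT_OPTION) { "Safe Mode ($env:SAFEBOOT_OPTION)" } else { 'normal boot' }
"Boot: $boot"

# 1. Inspect the service entry. Type 1 = kernel driver; Start 0/1/2 = boot/system/auto.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $p = Get-ItemProperty -Path $svcKey
    "{0}: Type={1} Start={2} ImagePath={3}" -f $ServiceName, $p.Type, $p.Start, $p.ImagePath
} else {
    "$svcKey not present (already removed?)"
}

# 2. Preserve evidence before changing anything: hash and signature of the image.
if (Test-Path $ImagePath) {
    $sha = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    $sig = Get-AuthenticodeSignature -FilePath $ImagePath
    "SHA256=$sha Signature=$($sig.Status) Signer=$($sig.SignerCertificate.Subject)"
}

# 3. Ask the driver to stop. sc.exe exits with the Win32 error code: 1062 means it
#    was not running (fine); 1052 (0x41C, ERROR_INVALID_SERVICE_CONTROL) means the
#    driver does not accept a stop request, which is what "[41c]" in the log reads as.
& sc.exe stop $ServiceName | Out-Null
"sc stop -> $LASTEXITCODE"

# 4. Disable it for the next boot regardless, so a reboot (into Safe Mode if needed)
#    does not load it again. 5 (ERROR_ACCESS_DENIED) here means the key is protected.
& sc.exe config $ServiceName start= disabled | Out-Null
"sc config start= disabled -> $LASTEXITCODE"

# 5. Delete the service entry, then rename the image so nothing can reload it by path.
#    Access denied on the rename is the same 5 RogueKiller hit: retry from Safe Mode,
#    or rename the file offline from the recovery environment.
& sc.exe delete $ServiceName | Out-Null
"sc delete -> $LASTEXITCODE"
$newName = [IO.Path]::ChangeExtension([IO.Path]::GetFileName($ImagePath), '.vir')
try {
    Rename-Item -Path $ImagePath -NewName $newName -ErrorAction Stop
    "renamed $ImagePath -> $newName"
} catch {
    "rename failed: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell window; each line it prints is the outcome of one step, so the exit codes can be pasted back into a thread like this one instead of describing them. The disable step is the one the post does not spell out: even if stop and delete both fail, a Start value of 4 keeps the driver out of the next boot, which is what makes the Safe Mode rename attempt worth trying.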