MartinR Posted August 24, 2017 ID:1156733 Share Posted August 24, 2017 Hi! i have the task to protect my mothers in law notebook. Last week she claimed her notebook was infected so i have to watch it, but when i tried to open Malwarebytes it wont open. I thought if i reinstall it it will work, but it doesn't. So i downloaded Avast, just to try, but it doesn't even install. I've tried the safe mode, in this case malwarebytes works but in the scans are clean, so i don't know what to do. if it was my notebook i would reinstall windows 7 and problem solved, but she have a lot of files she doesn't know if are backed up so is not an option. Anything you need just say it and sorry for my bad english Martín Link to post Share on other sites More sharing options...
Aura Posted August 24, 2017 ID:1156737 Share Posted August 24, 2017 Hi MartinR My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state. As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry! If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off; Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely goneThis being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread This being said, it's time to clean-up some malware, so let's get started, shall we? Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan. https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/ If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here after. Link to post Share on other sites More sharing options...
MartinR Posted August 24, 2017 Author ID:1156743 Share Posted August 24, 2017 Hí Aura Here is the log of MBAR Malwarebytes Anti-Rootkit BETA 1.9.4.1001 www.malwarebytes.org Database version: main: v2017.08.24.07 rootkit: v2017.08.02.01 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 11.0.9600.17633 Rosana :: ROSANA-PC [administrator] 24/08/2017 08:06:36 p.m. mbar-log-2017-08-24 (20-06-36).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: Objects scanned: 286203 Time elapsed: 15 minute(s), 10 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end) Let me know anything Martín Link to post Share on other sites More sharing options...
Aura Posted August 24, 2017 ID:1156744 Share Posted August 24, 2017 Weird. Let's see how your system looks with FRST. Farbar Recovery Scan Tool (FRST) - Scan mode Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply. Download the right version of FRST for your system: FRST 64-bit Move the executable (FRST.exe or FRST64.exe) on your Desktop Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds Make sure the Addition.txt box is checked Click on the Scan button On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files Copy and paste the content of both FRST.txt and Addition.txt in your next reply Link to post Share on other sites More sharing options...
MartinR Posted August 24, 2017 Author ID:1156746 Share Posted August 24, 2017 (edited) talking of weird, FRST doesn't work, even in adm mode, but when i open it again two windows open for a second and play the sound of task done but there is no .txt on desktop EDIT i've managed to take a screenshot of the two windows. i attach it Edited August 24, 2017 by MartinR Link to post Share on other sites More sharing options...
Aura Posted August 24, 2017 ID:1156748 Share Posted August 24, 2017 Really? Can you create a new local user Admin on the computer, log in it and see if you can run FRST? https://www.bleepingcomputer.com/tutorials/create-new-user-account-in-windows-vista-7/ Link to post Share on other sites More sharing options...
MartinR Posted August 24, 2017 Author ID:1156751 Share Posted August 24, 2017 it worked FRST: Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017 Ran by no tocar (administrator) on ROSANA-PC (24-08-2017 20:52:30) Running from C:\Users\no tocar\Downloads Loaded Profiles: UpdatusUser & no tocar (Available Profiles: UpdatusUser & Rosana & no tocar) Platform: Windows 7 Home Basic Service Pack 1 (X64) Language: Español (España, internacional) Internet Explorer Version 11 (Default browser: Chrome) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe (Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe (Intel(R) Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe () C:\Windows\SysWOW64\srvany.exe () C:\Windows\KMService.exe (Telefónica) C:\Program Files (x86)\Movistar\Escritorio Movistar Latam\ImpWiFiSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe (Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Microsoft Corporation) C:\Windows\System32\rundll32.exe (Intel Corporation) C:\Windows\System32\hkcmd.exe (Intel Corporation) C:\Windows\System32\igfxtray.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe (Microsoft Corporation) C:\Windows\System32\dllhost.exe ==================== Registry (Whitelisted) ==================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12558440 2011-07-12] (Realtek Semiconductor) HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation) HKLM-x32\...\Run: [CLMLServer] => "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" HKLM-x32\...\Run: [RemoteControl10] => "C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe" Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk [2017-07-04] ShortcutTarget: Windows Explorer.lnk -> C:\Users\no tocar\AppData\Roaming\fneuwm\amdhost.exe (No File) Startup: C:\Users\Rosana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atajo.lnk [2017-08-24] ShortcutTarget: atajo.lnk -> C:\Users\Rosana\AppData\Roaming\fneuwm\mjhnaukf32.exe (Microsoft Corporation) Startup: C:\Users\Rosana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEGAsync.lnk [2015-01-28] ShortcutTarget: MEGAsync.lnk -> C:\Users\no tocar\AppData\Local\MEGAsync\MEGAsync.exe (No File) Startup: C:\Users\Rosana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recorte de pantalla y Selector de OneNote 2010.lnk [2016-04-04] ShortcutTarget: Recorte de pantalla y Selector de OneNote 2010.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Tcpip\Parameters: [DhcpNameServer] 200.49.130.41 200.42.4.203 Tcpip\..\Interfaces\{9741A571-DAC8-41F5-975B-7D8B11A05D30}: [DhcpNameServer] 200.42.4.210 200.49.130.41 Tcpip\..\Interfaces\{F85C7A4E-9F6C-4A42-96A5-2003D0C580CD}: [DhcpNameServer] 200.49.130.41 200.42.4.203 Internet Explorer: ================== SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation) BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation) BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation) BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation) Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2010-05-13] (Skype Technologies) FireFox: ======== FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-03-31] ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File] FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.) FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-10] (Adobe Systems Inc.) Chrome: ======= CHR Profile: C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default [2017-08-24] CHR Extension: (Presentaciones de Google) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-08-24] CHR Extension: (Google Docs) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-08-24] CHR Extension: (Google Drive) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-24] CHR Extension: (YouTube) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-24] CHR Extension: (Hojas de cálculo de Google) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-08-24] CHR Extension: (Documentos de Google sin conexión) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-24] CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-24] CHR Extension: (Gmail) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-24] CHR Extension: (Chrome Media Router) - C:\Users\no tocar\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-24] ==================== Services (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 KMService; C:\windows\SysWOW64\srvany.exe [8192 2010-06-15] () [File not signed] R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes) R2 TGCM_ImportWiFiSvc; C:\Program Files (x86)\Movistar\Escritorio Movistar Latam\ImpWiFiSvc.exe [201080 2011-06-14] (Telefónica) R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation) ===================== Drivers (Whitelisted) ====================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) S3 massfilter_hs; C:\windows\System32\drivers\massfilter_hs.sys [12800 2010-10-15] (ZTE Incorporated) R2 SGDrv; C:\windows\System32\DRIVERS\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.) S3 USBZTECCID; C:\windows\System32\DRIVERS\ZTEusbccid.sys [18432 2010-10-15] (ZTE) S3 ZTEusbMB; C:\windows\System32\DRIVERS\ZTEusbnmeaext2.sys [123520 2010-10-15] (ZTE Incorporated) S3 ZTEusbwwan; C:\windows\System32\DRIVERS\ZTEusbwwan.sys [234496 2010-12-07] (ZTE Incorporated) S3 zte_massejct; C:\windows\System32\Drivers\zte_massejct.sys [19968 2010-11-19] (ZTE Corporation) ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-08-24 20:52 - 2017-08-24 20:53 - 000010756 _____ C:\Users\no tocar\Downloads\FRST.txt 2017-08-24 20:51 - 2017-08-24 20:52 - 000000000 ____D C:\FRST 2017-08-24 20:51 - 2017-08-24 20:51 - 002395648 _____ (Farbar) C:\Users\no tocar\Downloads\FRST64.exe 2017-08-24 20:48 - 2017-08-24 20:48 - 000001397 _____ C:\Users\no tocar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk 2017-08-24 20:48 - 2017-08-24 20:48 - 000000000 ____D C:\Users\no tocar\AppData\Roaming\Adobe 2017-08-24 20:48 - 2017-08-24 20:48 - 000000000 ____D C:\Users\no tocar\AppData\Local\Google 2017-08-24 20:47 - 2017-08-24 20:48 - 000000000 ____D C:\Users\no tocar 2017-08-24 20:47 - 2017-08-24 20:47 - 000000020 ___SH C:\Users\no tocar\ntuser.ini 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Reciente 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Plantillas 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Mis documentos 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Menú Inicio 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Impresoras 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Entorno de red 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Documents\Mis vídeos 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Documents\Mis imágenes 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Documents\Mi música 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Datos de programa 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\Configuración local 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\AppData\Roaming\Microsoft\Windows\Start Menu\Programas 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\AppData\Local\Historial 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\AppData\Local\Datos de programa 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 _SHDL C:\Users\no tocar\AppData\Local\Archivos temporales de Internet 2017-08-24 20:47 - 2017-08-24 20:47 - 000000000 ____D C:\Users\no tocar\AppData\Local\VirtualStore 2017-08-24 20:28 - 2017-08-24 20:28 - 002395648 _____ (Farbar) C:\Users\Rosana\Downloads\FRST64.exe 2017-08-24 20:28 - 2017-08-24 20:28 - 002395648 _____ (Farbar) C:\Users\Rosana\Desktop\FRST64.exe 2017-08-24 20:06 - 2017-08-24 20:22 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable) 2017-08-24 20:06 - 2017-08-24 20:06 - 000194776 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys 2017-08-24 20:05 - 2017-08-24 20:05 - 000109272 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys 2017-08-24 20:04 - 2017-08-24 20:22 - 000000000 ____D C:\Users\Rosana\Desktop\mbar 2017-08-24 20:03 - 2017-08-24 20:03 - 016564750 _____ (Malwarebytes Corp.) C:\Users\Rosana\Downloads\mbar-1.09.4.1001.exe 2017-08-24 19:31 - 2017-08-24 19:31 - 000000000 ____D C:\Users\Rosana\Desktop\Nueva carpeta 2017-08-24 19:30 - 2017-08-24 19:30 - 001305367 _____ C:\Users\Rosana\Downloads\Autoruns.zip 2017-08-24 19:20 - 2017-08-24 19:22 - 000002102 _____ C:\Users\Rosana\Desktop\Rkill.txt 2017-08-24 19:19 - 2017-08-24 19:20 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Rosana\Downloads\rkill.exe 2017-08-24 19:17 - 2017-08-24 19:17 - 006654960 _____ (AVAST Software) C:\Users\Rosana\Downloads\avast_free_antivirus_setup_online_cnet_2.exe 2017-08-24 19:07 - 2017-08-24 19:07 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk 2017-08-24 19:07 - 2017-08-24 19:07 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes 2017-08-24 19:07 - 2017-08-24 19:07 - 000000000 ____D C:\Program Files\Malwarebytes 2017-08-24 19:07 - 2017-08-21 07:20 - 000077440 _____ C:\windows\system32\Drivers\mbae64.sys 2017-08-24 19:05 - 2017-08-24 19:06 - 065942208 _____ (Malwarebytes ) C:\Users\Rosana\Downloads\mb3-setup-35891.35891-3.2.2.2018.exe 2017-08-24 17:57 - 2017-08-24 18:13 - 000093414 _____ C:\windows\ntbtlog.txt 2017-08-24 17:53 - 2017-08-24 17:53 - 006948656 _____ (AVAST Software) C:\Users\Rosana\Downloads\avast_free_antivirus_setup_online_a1h.exe 2017-08-24 17:53 - 2017-08-24 17:53 - 000000000 ____D C:\ProgramData\AVAST Software 2017-08-24 15:48 - 2017-08-24 15:48 - 000063719 _____ C:\Users\Rosana\Desktop\CBU SANTANDER.pdf 2017-08-23 12:32 - 2017-08-23 12:32 - 000009463 _____ C:\Users\Rosana\Downloads\201707_0009096004 (1).pdf 2017-08-23 12:31 - 2017-08-23 12:31 - 000009463 _____ C:\Users\Rosana\Downloads\201707_0009096004.pdf 2017-08-21 16:11 - 2017-08-24 09:38 - 000000000 ____D C:\Users\Rosana\Desktop\Fotos Viaje 2017-08-04 20:34 - 2017-08-04 20:34 - 000001420 _____ C:\Users\Rosana\Downloads\aanep-user-87-tests.csv 2017-08-04 18:32 - 2017-08-04 18:32 - 004875365 _____ C:\Users\Rosana\Downloads\1499358944_Pancreatitits (3).pdf 2017-08-04 18:32 - 2017-08-04 18:32 - 001028390 _____ C:\Users\Rosana\Downloads\1501532804_Módulo 4- _Soporte Nutricional al final de la vida_ _1_ (2).pdf 2017-08-04 18:31 - 2017-08-04 18:31 - 001904490 _____ C:\Users\Rosana\Downloads\1499358844_Hígado (8).pdf 2017-08-04 18:31 - 2017-08-04 18:31 - 001904490 _____ C:\Users\Rosana\Downloads\1499358844_Hígado (7).pdf 2017-08-04 18:31 - 2017-08-04 18:31 - 001157010 _____ C:\Users\Rosana\Downloads\1501532777_insuficiencia intestinal AANEP _1_.pdf 2017-08-04 18:31 - 2017-08-04 18:31 - 001157010 _____ C:\Users\Rosana\Downloads\1501532777_insuficiencia intestinal AANEP _1_ (1).pdf 2017-08-04 18:26 - 2017-08-04 18:26 - 002839162 _____ C:\Users\Rosana\Downloads\1497414040_M1 Senpe (5).pdf 2017-08-04 18:26 - 2017-08-04 18:26 - 002839162 _____ C:\Users\Rosana\Downloads\1497414040_M1 Senpe (4).pdf 2017-08-04 18:26 - 2017-08-04 18:26 - 000340374 _____ C:\Users\Rosana\Downloads\1497414009_M1 2014 ne precoz en pac critico con inestabilidad hemodinamica (3).pdf 2017-08-04 18:26 - 2017-08-04 18:26 - 000340374 _____ C:\Users\Rosana\Downloads\1497414009_M1 2014 ne precoz en pac critico con inestabilidad hemodinamica (2).pdf 2017-08-04 18:25 - 2017-08-04 18:25 - 000134260 _____ C:\Users\Rosana\Downloads\1497414000_M1 Summary Canadienses CPGs 2015 vs 2013 _1_ (5).pdf 2017-08-04 18:25 - 2017-08-04 18:25 - 000134260 _____ C:\Users\Rosana\Downloads\1497414000_M1 Summary Canadienses CPGs 2015 vs 2013 _1_ (4).pdf 2017-08-04 12:04 - 2017-08-04 12:04 - 001421429 _____ C:\Users\Rosana\Downloads\1498667080_CLASE 5 - VITAMINA D (2).pdf 2017-08-04 12:04 - 2017-08-04 12:04 - 001421429 _____ C:\Users\Rosana\Downloads\1498667080_CLASE 5 - VITAMINA D (1).pdf 2017-08-03 18:30 - 2017-08-03 18:30 - 001028390 _____ C:\Users\Rosana\Downloads\1501532804_Módulo 4- _Soporte Nutricional al final de la vida_ _1_.pdf 2017-08-03 18:30 - 2017-08-03 18:30 - 001028390 _____ C:\Users\Rosana\Downloads\1501532804_Módulo 4- _Soporte Nutricional al final de la vida_ _1_ (1).pdf 2017-08-01 18:26 - 2017-08-01 18:26 - 096282347 _____ C:\Users\Rosana\Downloads\15005677731978776078 (3).mp4 2017-08-01 17:40 - 2017-08-01 17:40 - 096282347 _____ C:\Users\Rosana\Downloads\15005677731978776078 (2).mp4 2017-07-31 10:08 - 2017-07-31 10:09 - 096282347 _____ C:\Users\Rosana\Downloads\15005677731978776078 (1).mp4 2017-07-27 19:47 - 2017-08-23 11:51 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-08-24 20:39 - 2009-07-14 00:20 - 000000000 ____D C:\windows\tracing 2017-08-24 20:38 - 2009-07-14 01:45 - 000016752 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2017-08-24 20:38 - 2009-07-14 01:45 - 000016752 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2017-08-24 20:36 - 2015-01-28 09:43 - 000001036 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job 2017-08-24 20:35 - 2012-01-13 22:49 - 000703840 _____ C:\windows\system32\perfh00A.dat 2017-08-24 20:35 - 2012-01-13 22:49 - 000137806 _____ C:\windows\system32\perfc00A.dat 2017-08-24 20:35 - 2009-07-14 02:13 - 001555646 _____ C:\windows\system32\PerfStringBackup.INI 2017-08-24 20:35 - 2009-07-14 00:20 - 000000000 ____D C:\windows\inf 2017-08-24 20:32 - 2016-10-19 14:58 - 000000000 ___HD C:\Users\Rosana\AppData\Roaming\fneuwm 2017-08-24 20:31 - 2009-07-14 02:08 - 000000006 ____H C:\windows\Tasks\SA.DAT 2017-08-24 20:06 - 2015-07-24 14:43 - 000000000 ____D C:\ProgramData\Malwarebytes 2017-08-24 20:06 - 2015-02-07 11:31 - 000001036 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d042e2cc5a5e36.job 2017-08-24 20:03 - 2015-05-17 14:01 - 000001036 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d090c32168b5a5.job 2017-08-23 11:52 - 2015-06-28 17:20 - 000004476 _____ C:\windows\System32\Tasks\Adobe Acrobat Update Task 2017-08-21 15:22 - 2015-01-28 09:49 - 000002153 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2017-08-21 15:22 - 2015-01-28 09:49 - 000002141 _____ C:\Users\Public\Desktop\Google Chrome.lnk 2017-08-01 21:03 - 2017-02-13 19:46 - 000000000 ____D C:\Users\Rosana\Desktop\Imagenes ==================== Files in the root of some directories ======= 2012-01-13 07:22 - 2012-01-13 07:23 - 000000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log 2012-01-13 07:14 - 2012-01-13 07:15 - 000000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log 2012-01-13 07:19 - 2012-01-13 07:20 - 000000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log 2012-01-13 07:16 - 2012-01-13 07:19 - 000000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log 2012-01-13 07:21 - 2012-01-13 07:22 - 000000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log Some files in TEMP: ==================== 2015-11-22 18:49 - 2010-10-15 05:50 - 000169808 _____ () C:\Users\Rosana\AppData\Local\Temp\card_setup.exe ==================== Bamital & volsnap ====================== (There is no automatic fix for files that do not pass verification.) C:\windows\system32\winlogon.exe => File is digitally signed C:\windows\system32\wininit.exe => File is digitally signed C:\windows\SysWOW64\wininit.exe => File is digitally signed C:\windows\explorer.exe => File is digitally signed C:\windows\SysWOW64\explorer.exe => File is digitally signed C:\windows\system32\svchost.exe => File is digitally signed C:\windows\SysWOW64\svchost.exe => File is digitally signed C:\windows\system32\services.exe => File is digitally signed C:\windows\system32\User32.dll => File is digitally signed C:\windows\SysWOW64\User32.dll => File is digitally signed C:\windows\system32\userinit.exe => File is digitally signed C:\windows\SysWOW64\userinit.exe => File is digitally signed C:\windows\system32\rpcss.dll => File is digitally signed C:\windows\system32\dnsapi.dll => File is digitally signed C:\windows\SysWOW64\dnsapi.dll => File is digitally signed C:\windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2017-08-21 17:55 ==================== End of FRST.txt ============================ Addition.txt Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017 Ran by no tocar (24-08-2017 20:53:27) Running from C:\Users\no tocar\Downloads Windows 7 Home Basic Service Pack 1 (X64) (2015-01-28 11:51:56) Boot Mode: Normal ========================================================== ==================== Accounts: ============================= Administrador (S-1-5-21-297820468-187987108-3971814952-500 - Administrator - Disabled) Invitado (S-1-5-21-297820468-187987108-3971814952-501 - Limited - Disabled) no tocar (S-1-5-21-297820468-187987108-3971814952-1002 - Administrator - Enabled) => C:\Users\no tocar Rosana (S-1-5-21-297820468-187987108-3971814952-1001 - Administrator - Enabled) => C:\Users\Rosana UpdatusUser (S-1-5-21-297820468-187987108-3971814952-1000 - Limited - Enabled) => C:\Users\UpdatusUser ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) Adobe Acrobat Reader DC - Español (HKLM-x32\...\{AC76BA86-7AD7-1034-7B44-AC0F074E4100}) (Version: 17.012.20095 - Adobe Systems Incorporated) Adobe Flash Player 10 ActiveX (HKLM-x32\...\{48DB5914-8772-472D-B8DF-E2092BE598F6}) (Version: 10.3.181.34 - Adobe Systems Incorporated) Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros) CCleaner (HKLM\...\CCleaner) (Version: 5.08 - Piriform) Escritorio Movistar Latam (HKLM-x32\...\MovistarLATAM) (Version: 8.7.6.765 - Escritorio Movistar Latam) Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.101 - Google Inc.) Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden Intel PROSet Wireless (HKLM-x32\...\ProInst) (Version: - ) Hidden Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation) Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2266 - Intel Corporation) Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology (HKLM\...\{2ABA2E8D-23CF-418F-BC8F-2EC99FA51A3F}) (Version: 1.2.1.0608 - Intel Corporation) Intel(R) PROSet/Wireless WiFi Software (HKLM\...\{295AEB79-B53A-4F1B-860F-7800BB7E3681}) (Version: 14.2.1000 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.5.1001 - Intel Corporation) Malwarebytes versión 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes) MEGAsync 1.0.22 (HKLM-x32\...\MEGAsync) (Version: 1.0.22 - Mega Limited) Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation) Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation) Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) NVIDIA Graphics Driver 268.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 268.83 - NVIDIA Corporation) Paquete de idioma de Microsoft .NET Framework 4 Client Profile ESN (HKLM\...\Microsoft .NET Framework 4 Client Profile ESN Language Pack) (Version: 4.0.30319 - Microsoft Corporation) PASW Statistics 18 (HKLM-x32\...\{C25215FC-5900-48B0-B93C-8D3379027312}) (Version: 18.0.0 - SPSS Inc.) Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.44.421.2011 - Realtek) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6413 - Realtek Semiconductor Corp.) Samsung Recovery Solution 5 (HKLM-x32\...\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}) (Version: 5.0.1.5 - Samsung) Skype™ 4.2 (HKLM-x32\...\{D103C4BA-F905-437A-8049-DB24763BBE36}) (Version: 4.2.169 - Skype Technologies S.A.) User Guide (HKLM-x32\...\{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}) (Version: 1.3 - ) WHO Anthro (HKLM-x32\...\{AC66F0B8-8E0E-4106-AF80-3F8F1F93BE14}_is1) (Version: 3.2.2.1 - WHO) WHO AnthroPlus (HKLM-x32\...\{13A42C71-87A5-41F7-B7C9-5DC7D56038FC}_is1) (Version: 1.0.4 - WHO) WinRAR 5.21 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH) ZTE USB Driver (HKLM\...\ZTE USB Driver) (Version: 1.0.1.31_TME - ZTE Corporation) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ContextMenuHandlers1: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ContextMenuHandlers1: [BTMSentToExt] -> {0A7D34C2-E9DA-48A1-9E34-0CDFC2DE3B44} => C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll [2011-10-18] (Intel Corporation) ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-02-24] (Alexander Roshal) ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2015-02-24] (Alexander Roshal) ContextMenuHandlers4: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll [2017-06-22] () ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\windows\system32\igfxpph.dll [2010-12-16] (Intel Corporation) ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\windows\system32\nvshext.dll [2011-06-04] (NVIDIA Corporation) ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-02-24] (Alexander Roshal) ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2015-02-24] (Alexander Roshal) ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {07CB5A75-96E0-4D66-88C7-F2666F94077D} - System32\Tasks\advSRS5 => C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe [2011-06-24] (SEC) Task: {121DE78F-183A-4F59-9AA5-1C57FA8A5136} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-07-17] (Piriform Ltd) Task: {53F6F71F-4A3E-4176-8E94-27DBC07AFEC2} - System32\Tasks\GoogleUpdateTaskMachineUA1d090c32168b5a5 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.) Task: {5515514A-2CB2-4A60-91D7-37D4182B9151} - System32\Tasks\GoogleUpdateTaskMachineUA1d042e2cc5a5e36 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.) Task: {5DABAC5F-FD17-44F4-90BC-394A0837F5D0} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy Task: {66D69F35-443E-40EF-93EC-C19FC4498399} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.) Task: {7021709C-206D-4684-8AAA-2DCCED3157C2} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated) Task: {7AFFE065-2FE6-4B8C-80C4-42DDA6B5644A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.) Task: {F78D955E-7D98-4EA1-8766-B22A586EBB07} - System32\Tasks\GoogleUpdateTaskMachineUA1d0c0ba410d388d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.) (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d042e2cc5a5e36.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d090c32168b5a5.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Shortcuts & WMI ======================== (The entries could be listed to be restored or removed.) ==================== Loaded Modules (Whitelisted) ============== 2015-01-28 16:00 - 2010-06-15 20:44 - 000008192 _____ () C:\windows\SysWOW64\srvany.exe 2015-01-28 16:00 - 2013-02-14 10:44 - 000273920 _____ () C:\windows\KMService.exe 2010-01-30 02:40 - 2010-01-30 02:40 - 004254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF 2014-05-01 11:13 - 2017-06-22 19:48 - 000598528 _____ () C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX64.dll 2011-07-21 02:51 - 2010-12-16 06:37 - 000094208 _____ () C:\Windows\System32\IccLibDll_x64.dll 2014-05-01 11:15 - 2017-06-22 19:48 - 000569856 _____ () C:\Users\Rosana\AppData\Local\MEGAsync\ShellExtX32.dll 2010-01-30 02:41 - 2010-01-30 02:41 - 004254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF 2017-08-21 15:22 - 2017-08-11 03:24 - 002881368 _____ () C:\Program Files (x86)\Google\Chrome\Application\60.0.3112.101\libglesv2.dll 2017-08-21 15:22 - 2017-08-11 03:24 - 000086360 _____ () C:\Program Files (x86)\Google\Chrome\Application\60.0.3112.101\libegl.dll 2012-01-13 06:25 - 2010-05-07 11:22 - 001636864 _____ () C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\Resdll.dll ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service" ==================== Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) ==================== Hosts content: =============================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 23:34 - 2009-06-10 18:00 - 000000824 _____ C:\windows\system32\Drivers\etc\hosts ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-297820468-187987108-3971814952-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\no tocar\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg DNS Servers: 200.49.130.41 - 200.42.4.203 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) Windows Firewall is enabled. ==================== MSCONFIG/TASK MANAGER disabled items == ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) FirewallRules: [{1A418863-A2F1-4E6B-A310-D8D0E6EE09CF}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe FirewallRules: [{176B72BE-1CBA-436D-9BBB-BF94541B379F}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe FirewallRules: [{DE375D98-2F97-4D92-A1F9-2C623D8D052A}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe FirewallRules: [{587907F4-564A-4122-81DE-302FF871D30B}] => (Allow) C:\Program Files (x86)\SPSSInc\PASWStatistics18\WinWrapIDE.exe FirewallRules: [{6ADCB451-128C-478C-8210-50FFE451A385}] => (Allow) C:\Program Files (x86)\SPSSInc\PASWStatistics18\paswstat.exe FirewallRules: [{E7013C7A-65D6-4113-84EA-8D3A1C1DC5A0}] => (Allow) C:\Program Files (x86)\SPSSInc\PASWStatistics18\paswstat.com FirewallRules: [{061CA267-62E6-4F7A-932C-4C8EA076148B}] => (Allow) C:\Program Files (x86)\SPSSInc\PASWStatistics18\WinWrapIDE.exe FirewallRules: [{675287DB-5E90-4F15-9E6A-4DD5BA57BDA6}] => (Allow) C:\Program Files (x86)\SPSSInc\PASWStatistics18\paswstat.exe FirewallRules: [{23B1AD8B-1924-4BBF-AF9A-4250F8F48D86}] => (Allow) C:\Program Files (x86)\SPSSInc\PASWStatistics18\paswstat.com FirewallRules: [TCP Query User{6080E1D4-5A0B-41B3-9251-25771FA4C916}C:\program files (x86)\spssinc\paswstatistics18\paswstat.exe] => (Block) C:\program files (x86)\spssinc\paswstatistics18\paswstat.exe FirewallRules: [UDP Query User{E5B41267-9043-431B-9B4F-51B6638F9951}C:\program files (x86)\spssinc\paswstatistics18\paswstat.exe] => (Block) C:\program files (x86)\spssinc\paswstatistics18\paswstat.exe FirewallRules: [TCP Query User{B3278673-BA8F-4884-B2CA-63FE94D1B5B2}C:\programdata\videodownloaderultimatewinapp\videodownloaderultimate.exe] => (Allow) C:\programdata\videodownloaderultimatewinapp\videodownloaderultimate.exe FirewallRules: [UDP Query User{4F784418-C4E8-4E03-8DC9-5B3B9CE4E0CF}C:\programdata\videodownloaderultimatewinapp\videodownloaderultimate.exe] => (Allow) C:\programdata\videodownloaderultimatewinapp\videodownloaderultimate.exe FirewallRules: [{8B38C1FB-CC6C-4ADA-A087-F0A8C3BA8C53}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ==================== Restore Points ========================= 21-05-2017 10:28:39 Windows Update 11-06-2017 17:13:19 Windows Update 28-06-2017 18:47:56 Punto de control programado 06-07-2017 20:12:25 Punto de control programado 27-07-2017 21:12:40 Punto de control programado 23-08-2017 10:00:05 Windows Update ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (08/24/2017 08:32:30 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema. Error: (08/24/2017 07:23:14 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Nombre de la aplicación con errores: mbam.exe, versión: 3.0.0.1169, marca de tiempo: 0x599723f1 Nombre del módulo con errores: Qt5Core.dll, versión: 5.6.2.0, marca de tiempo: 0x594d4411 Código de excepción: 0xc0000005 Desplazamiento de errores: 0x001a9fd6 Id. del proceso con errores: 0x108 Hora de inicio de la aplicación con errores: 0x01d31d2793c6d1a7 Ruta de acceso de la aplicación con errores: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe Ruta de acceso del módulo con errores: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Id. del informe: d18ac517-891a-11e7-bf77-e8039a50c695 Error: (08/24/2017 07:16:29 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Nombre de la aplicación con errores: mbam.exe, versión: 3.0.0.1169, marca de tiempo: 0x599723f1 Nombre del módulo con errores: Qt5Core.dll, versión: 5.6.2.0, marca de tiempo: 0x594d4411 Código de excepción: 0xc0000005 Desplazamiento de errores: 0x001a9fd6 Id. del proceso con errores: 0x13ac Hora de inicio de la aplicación con errores: 0x01d31d26a27a5598 Ruta de acceso de la aplicación con errores: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe Ruta de acceso del módulo con errores: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Id. del informe: e03966f6-8919-11e7-bf77-e8039a50c695 Error: (08/24/2017 07:15:33 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Nombre de la aplicación con errores: mbam.exe, versión: 3.0.0.1169, marca de tiempo: 0x599723f1 Nombre del módulo con errores: Qt5Core.dll, versión: 5.6.2.0, marca de tiempo: 0x594d4411 Código de excepción: 0xc0000005 Desplazamiento de errores: 0x001a9fd6 Id. del proceso con errores: 0x10c4 Hora de inicio de la aplicación con errores: 0x01d31d2680cfad65 Ruta de acceso de la aplicación con errores: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe Ruta de acceso del módulo con errores: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Id. del informe: be8bd889-8919-11e7-bf77-e8039a50c695 Error: (08/24/2017 07:13:36 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Nombre de la aplicación con errores: assistant.exe, versión: 3.0.0.1169, marca de tiempo: 0x5997238a Nombre del módulo con errores: Qt5Core.dll, versión: 5.6.2.0, marca de tiempo: 0x594d4411 Código de excepción: 0xc0000005 Desplazamiento de errores: 0x001a9fd6 Id. del proceso con errores: 0x1248 Hora de inicio de la aplicación con errores: 0x01d31d263b4e4d1c Ruta de acceso de la aplicación con errores: C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe Ruta de acceso del módulo con errores: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Id. del informe: 7907b915-8919-11e7-bf77-e8039a50c695 Error: (08/24/2017 07:13:06 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Nombre de la aplicación con errores: mbam.exe, versión: 3.0.0.1169, marca de tiempo: 0x599723f1 Nombre del módulo con errores: Qt5Core.dll, versión: 5.6.2.0, marca de tiempo: 0x594d4411 Código de excepción: 0xc0000005 Desplazamiento de errores: 0x001a9fd6 Id. del proceso con errores: 0xef8 Hora de inicio de la aplicación con errores: 0x01d31d262936d75b Ruta de acceso de la aplicación con errores: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe Ruta de acceso del módulo con errores: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Id. del informe: 670f1668-8919-11e7-bf77-e8039a50c695 Error: (08/24/2017 07:09:19 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Nombre de la aplicación con errores: mbam.exe, versión: 3.0.0.1169, marca de tiempo: 0x599723f1 Nombre del módulo con errores: Qt5Core.dll, versión: 5.6.2.0, marca de tiempo: 0x594d4411 Código de excepción: 0xc0000005 Desplazamiento de errores: 0x001a9fd6 Id. del proceso con errores: 0x850 Hora de inicio de la aplicación con errores: 0x01d31d25a23cb5d7 Ruta de acceso de la aplicación con errores: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe Ruta de acceso del módulo con errores: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Id. del informe: dffdea1d-8918-11e7-bf77-e8039a50c695 Error: (08/24/2017 07:03:11 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema. Error: (08/24/2017 05:59:42 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema. Error: (08/24/2017 09:26:13 AM) (Source: WinMgmt) (EventID: 10) (User: ) Description: No se pudo reactivar el filtro de eventos con la consulta "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" en el espacio de nombres "//./root/CIMV2" por el error 0x80041003. Los eventos no se podrán entregar a través de este filtro hasta que se corrija este problema. System errors: ============= Error: (08/24/2017 07:20:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: El servicio KMService terminó inesperadamente. Esto se ha repetido 1 veces. Se realizará la siguiente acción correctora en 60000 milisegundos: Reiniciar el servicio. Error: (08/24/2017 07:16:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: El servicio Malwarebytes Service terminó inesperadamente. Esto se ha repetido 1 veces. Se realizará la siguiente acción correctora en 5000 milisegundos: Reiniciar el servicio. Error: (08/24/2017 06:05:12 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: Error de DCOM "1068" al intentar iniciar el servicio BITS con argumentos "" para ejecutar el servidor: {4991D34B-80A1-4291-83B6-3328366B9097} Error: (08/24/2017 05:58:44 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: Error de DCOM "1084" al intentar iniciar el servicio NVSvc con argumentos "" para ejecutar el servidor: {DCAB0989-1301-4319-BE5F-ADE89F88581C} Error: (08/24/2017 05:58:24 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: Error de DCOM "1084" al intentar iniciar el servicio WSearch con argumentos "" para ejecutar el servidor: {9E175B6D-F52A-11D8-B9A5-505054503030} Error: (08/24/2017 05:58:24 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: Error de DCOM "1084" al intentar iniciar el servicio WSearch con argumentos "" para ejecutar el servidor: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} Error: (08/24/2017 05:58:22 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: Error de DCOM "1084" al intentar iniciar el servicio EventSystem con argumentos "" para ejecutar el servidor: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error: (08/24/2017 05:58:16 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: Error de DCOM "1084" al intentar iniciar el servicio ShellHWDetection con argumentos "" para ejecutar el servidor: {DD522ACC-F821-461A-A407-50B198B896DC} Error: (08/24/2017 05:57:59 PM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: El siguiente controlador de inicio del sistema o de inicio del arranque no se cargó correctamente: discache SABI spldr Wanarpv6 Error: (08/21/2017 05:27:40 PM) (Source: Disk) (EventID: 11) (User: ) Description: El controlador detectó un error de controladora en \Device\Harddisk1\DR5. ==================== Memory info =========================== Processor: Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz Percentage of memory in use: 72% Total physical RAM: 1961.55 MB Available physical RAM: 545.38 MB Total Virtual: 3923.09 MB Available Virtual: 2305.49 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:443.58 GB) (Free:375.2 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 465.8 GB) (Disk ID: 16C5B7BC) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=443.6 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=22.1 GB) - (Type=27) ==================== End of Addition.txt ============================ Link to post Share on other sites More sharing options...
Aura Posted August 25, 2017 ID:1156755 Share Posted August 25, 2017 I don't see anything malicious really. Let's try this. Farbar Recovery Scan Tool (FRST) - Fix mode Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply. Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located) Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Click on the Fix button On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad Copy and paste its content in your next reply fixlist.txt Link to post Share on other sites More sharing options...
Aura Posted August 27, 2017 ID:1157606 Share Posted August 27, 2017 Hi MartinR, Are you still with me? Link to post Share on other sites More sharing options...
MartinR Posted August 27, 2017 Author ID:1157658 Share Posted August 27, 2017 Sorry, my mother in law had to travel so I can't look to hers laptop until Tuesday. I'm sorry Link to post Share on other sites More sharing options...
Aura Posted August 27, 2017 ID:1157662 Share Posted August 27, 2017 All good, I'll be waiting Link to post Share on other sites More sharing options...
Aura Posted August 30, 2017 ID:1158675 Share Posted August 30, 2017 Hi MartinR, Is your mother-in-law back? Link to post Share on other sites More sharing options...
MartinR Posted August 30, 2017 Author ID:1158693 Share Posted August 30, 2017 Hi aura, Yes, she's back but she is going to buy a new laptop. Possibly I will keep this one and install elementary OS or another Linux distro. Thanks for your help Link to post Share on other sites More sharing options...
Aura Posted August 30, 2017 ID:1158714 Share Posted August 30, 2017 No problem Martin, you're welcome. If you ever need help in removing that infection from that laptop (if you change idea), send me a PM and I'll re-open this thread Stay safe! Link to post Share on other sites More sharing options...
Aura Posted August 30, 2017 ID:1158715 Share Posted August 30, 2017 Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts