MBAM apps won't run



Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon or the 3 vertical dots located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset and clean up" > "Restore settings to their original defaults"
 
Restart Chrome.
<<<>>>

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


52 minutes ago, nasdaq said:

Reset Chrome...
Open Google Chrome, click on the menu icon or the 3 vertical dots located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset and clean up" > "Restore settings to their original defaults"

If I do this, will I lose my extensions, favorites, saved passwords, etc.? Thanks


In the meantime, here's the log. I believe it already did what you asked me to do with Chrome, because I was logged out from every website I was logged in to.

 

Resultado da Correção pela Farbar Recovery Scan Tool (x64) Versão: 20.02.2019 02
Executado por Victor (21-02-2019 17:17:22) Run:1
Executando a partir de C:\Users\Victor\Desktop
Perfis Carregados: Victor (Perfis Disponíveis: Victor)
Modo da Inicialização: Normal
==============================================

fixlist Conteúdo:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1 [0 2019-01-24] ()
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1 [0 2019-01-24] ()
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {021bdfa6-3f13-11e8-865e-10c37bc2c9b2} - "F:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {0b1a89dd-a9f2-11e8-8719-5cc9d3f4fc4c} - "G:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {65a81ed1-22f0-11e8-862d-10c37bc2c9b2} - "F:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {7130a44a-8f2c-11e5-825c-10c37bc2c9b2} - "F:\autorun.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {81d9f08f-1fbf-11e9-87d6-5cc9d3f4fc4c} - "F:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {81d9f0cf-1fbf-11e9-87d6-5cc9d3f4fc4c} - "F:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {a2e1737e-a184-11e5-8290-10c37bc2c9b2} - "G:\autorun.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {a2e17385-a184-11e5-8290-10c37bc2c9b2} - "I:\autorun.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {c2d774e3-efb7-11e7-85ca-5cc9d3f4fc4c} - "F:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {c738c06d-69f2-11e8-86ae-5cc9d3f4fc4c} - "F:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {ca4b0156-ba80-11e8-8739-5cc9d3f4fc4c} - "G:\Setup.exe"
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\...\MountPoints2: {d145e799-efe8-11e8-878c-5cc9d3f4fc4c} - "F:\Setup.exe"
SearchScopes: HKU\S-1-5-21-3928538914-1254491160-1078913021-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3928538914-1254491160-1078913021-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CustomCLSID: HKU\S-1-5-21-3928538914-1254491160-1078913021-1001_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}\InprocServer32 -> 42494E41525953545245414D0300000003000000591248CE8BE38A631FB24E0033D1BD35475DB327E7A9CAA293834BF04FC6 => Nenhum Arquivo
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} =>  -> Nenhum Arquivo
FirewallRules: [TCP Query User{949C8AE4-B322-49A1-917A-5BD734FF6F10}C:\program files\java\jdk1.8.0_131\bin\jmc.exe] => (Block) C:\program files\java\jdk1.8.0_131\bin\jmc.exe Nenhum Arquivo
FirewallRules: [UDP Query User{D258D11B-A796-4157-9489-0F984D486AF9}C:\program files\java\jdk1.8.0_131\bin\jmc.exe] => (Block) C:\program files\java\jdk1.8.0_131\bin\jmc.exe Nenhum Arquivo
FirewallRules: [TCP Query User{B8F0A294-E864-4C2C-9ABB-B9A263EBE038}C:\program files\android\android studio\jre\bin\java.exe] => (Allow) C:\program files\android\android studio\jre\bin\java.exe Nenhum Arquivo
FirewallRules: [UDP Query User{728F8E4A-8674-4476-AF77-30F656BB3CB7}C:\program files\android\android studio\jre\bin\java.exe] => (Allow) C:\program files\android\android studio\jre\bin\java.exe Nenhum Arquivo
FirewallRules: [{4EE0C92B-443B-46BA-B28B-F5CDDF60FECF}] => (Allow) C:\Program Files\Microsoft Office\Office16\lync.exe Nenhum Arquivo
FirewallRules: [{06679319-6A7B-4472-B4A8-33F0D47F8AB1}] => (Allow) C:\Program Files\Microsoft Office\Office16\lync.exe Nenhum Arquivo
FirewallRules: [{7FE8EB3D-3470-43E5-B236-C550309BC058}] => (Allow) C:\Program Files\Microsoft Office\Office16\UcMapi.exe Nenhum Arquivo
FirewallRules: [{7C7437CF-E1B4-4EF2-84D8-BC5F84EF5C80}] => (Allow) C:\Program Files\Microsoft Office\Office16\UcMapi.exe Nenhum Arquivo
Reboot:

*****************

Ponto de Restauração criado com sucesso.
Processos fechados com sucesso.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktopChanges" => removido (a) com sucesso.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop" => removido (a) com sucesso.
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021bdfa6-3f13-11e8-865e-10c37bc2c9b2} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{021bdfa6-3f13-11e8-865e-10c37bc2c9b2} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b1a89dd-a9f2-11e8-8719-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{0b1a89dd-a9f2-11e8-8719-5cc9d3f4fc4c} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65a81ed1-22f0-11e8-862d-10c37bc2c9b2} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{65a81ed1-22f0-11e8-862d-10c37bc2c9b2} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7130a44a-8f2c-11e5-825c-10c37bc2c9b2} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{7130a44a-8f2c-11e5-825c-10c37bc2c9b2} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81d9f08f-1fbf-11e9-87d6-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{81d9f08f-1fbf-11e9-87d6-5cc9d3f4fc4c} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81d9f0cf-1fbf-11e9-87d6-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{81d9f0cf-1fbf-11e9-87d6-5cc9d3f4fc4c} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2e1737e-a184-11e5-8290-10c37bc2c9b2} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{a2e1737e-a184-11e5-8290-10c37bc2c9b2} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2e17385-a184-11e5-8290-10c37bc2c9b2} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{a2e17385-a184-11e5-8290-10c37bc2c9b2} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2d774e3-efb7-11e7-85ca-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{c2d774e3-efb7-11e7-85ca-5cc9d3f4fc4c} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c738c06d-69f2-11e8-86ae-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{c738c06d-69f2-11e8-86ae-5cc9d3f4fc4c} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ca4b0156-ba80-11e8-8739-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{ca4b0156-ba80-11e8-8739-5cc9d3f4fc4c} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d145e799-efe8-11e8-878c-5cc9d3f4fc4c} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{d145e799-efe8-11e8-878c-5cc9d3f4fc4c} => não encontrado (a)
"HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removido (a) com sucesso.
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => não encontrado (a)
HKU\S-1-5-21-3928538914-1254491160-1078913021-1001_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0} => removido (a) com sucesso.
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++64 => removido (a) com sucesso.
HKLM\Software\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} => não encontrado (a)
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{949C8AE4-B322-49A1-917A-5BD734FF6F10}C:\program files\java\jdk1.8.0_131\bin\jmc.exe" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D258D11B-A796-4157-9489-0F984D486AF9}C:\program files\java\jdk1.8.0_131\bin\jmc.exe" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{B8F0A294-E864-4C2C-9ABB-B9A263EBE038}C:\program files\android\android studio\jre\bin\java.exe" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{728F8E4A-8674-4476-AF77-30F656BB3CB7}C:\program files\android\android studio\jre\bin\java.exe" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4EE0C92B-443B-46BA-B28B-F5CDDF60FECF}" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{06679319-6A7B-4472-B4A8-33F0D47F8AB1}" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7FE8EB3D-3470-43E5-B236-C550309BC058}" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7C7437CF-E1B4-4EF2-84D8-BC5F84EF5C80}" => removido (a) com sucesso.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 75965248 B
Java, Flash, Steam htmlcache => 1154 B
Windows/system/drivers => 517804933 B
Edge => 0 B
Chrome => 400065908 B
Firefox => 838210877 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile32 => 0 B
LocalService => 326878 B
NetworkService => 1062 B
Victor => 247243285 B

RecycleBin => 0 B
EmptyTemp: => 1.9 GB de dados temporários Removidos.

================================


O sistema precisou ser reiniciado.

==== Fim de Fixlog 17:23:47 ====


On 2/23/2019 at 4:02 PM, nasdaq said:

Keep the old one.

Hey, sorry for coming back here. I don't know if I should create a new topic. Tell me if that's necessary.

I did a scan with Malwarebytes and it found a bitcoin miner. This is just the scan log, but I deleted it all.

Here's the log:

Malwarebytes
www.malwarebytes.com

-Detalhes de registro-
Data da análise: 03/03/2019
Hora da análise: 19:20
Arquivo de registro: 8d867ca8-3e02-11e9-846a-5cc9d3f4fc4c.json

-Informação do software-
Versão: 3.7.1.2839
Versão de componentes: 1.0.538
Versão do pacote de definições: 1.0.9524
Licença: Premium

-Informação do sistema-
Sistema operacional: Windows 8.1
CPU: x64
Sistema de arquivos: NTFS
Usuário: ASUS-PC\Victor

-Resumo da análise-
Tipo de análise: Análise Rápida
Análise Iniciada Por: Manual
Resultado: Concluído
Objetos verificados: 2191
Ameaças detectadas: 5
Ameaças em quarentena: 0
Tempo decorrido: 1 min, 36 seg

-Opções da análise-
Memória: Habilitado
Inicialização: Desabilitado
Sistema de arquivos: Desabilitado
Arquivos compactados: Habilitado
Rootkits: Desabilitado
Heurística: Desabilitado
PUP: Detectar
PUM: Detectar

-Detalhes da análise-
Processo: 0
(Nenhum item malicioso detectado)

Módulo: 0
(Nenhum item malicioso detectado)

Chave de registro: 3
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft Windows Search Indexer, Nenhuma ação do usuário, [734], [574717],1.0.9524
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D96E71FD-8C1B-4F81-BEFD-CDD9ADC4428F}, Nenhuma ação do usuário, [734], [574717],1.0.9524
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{D96E71FD-8C1B-4F81-BEFD-CDD9ADC4428F}, Nenhuma ação do usuário, [734], [574717],1.0.9524

Valor de registro: 0
(Nenhum item malicioso detectado)

Dados de registro: 0
(Nenhum item malicioso detectado)

Fluxo de dados: 0
(Nenhum item malicioso detectado)

Pasta: 0
(Nenhum item malicioso detectado)

Arquivo: 2
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\Microsoft Windows Search Indexer, Nenhuma ação do usuário, [734], [574717],1.0.9524
RiskWare.BitCoinMiner, C:\USERS\VICTOR\APPDATA\ROAMING\ZHP\WINDOWS SEARCH\SEARCHINDEXER.EXE, Nenhuma ação do usuário, [734], [574717],1.0.9524

Setor físico: 0
(Nenhum item malicioso detectado)

Instrumentação do Windows (WMI): 0
(Nenhum item malicioso detectado)


(end)

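The scan log above shows a common persistence pattern: a scheduled task named after a Windows component ("Microsoft Windows Search Indexer") whose action runs a SearchIndexer.exe from the user's AppData\Roaming folder instead of from C:\Windows\System32. The following PowerShell audit is added here as an example (it is not part of the thread and not a Malwarebytes or FRST tool); it lists scheduled tasks whose action runs from a user-writable location or whose Windows-sounding name is paired with a binary outside %windir%, along with the binary's Authenticode signature status. It assumes an elevated PowerShell session on Windows 8.1 or later, where the ScheduledTasks module is available.

```powershell
# Added example (not from the thread): audit scheduled tasks for actions that run
# from user-writable locations or that pair a Windows-sounding task name with a
# binary outside %windir%. Assumes an elevated session on Windows 8.1 or later.

$windir    = $env:windir
$userRoots = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:SystemDrive\Temp\")

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only executable actions matter here
        if (-not $action.Execute) { continue }

        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        # A bare file name is resolved relative to the task's working directory when one is set
        if (-not [IO.Path]::IsPathRooted($exe) -and $action.WorkingDirectory) {
            $exe = Join-Path ([Environment]::ExpandEnvironmentVariables($action.WorkingDirectory)) $exe
        }
        $rooted = [IO.Path]::IsPathRooted($exe)

        $inUserPath = $false
        foreach ($root in $userRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserPath = $true }
        }
        # Name imitates a Windows component but the binary does not live under %windir%
        $nameMimics = $rooted -and ($task.TaskName -match 'Microsoft|Windows') -and
                      -not $exe.StartsWith("$windir\", [StringComparison]::OrdinalIgnoreCase)

        if ($inUserPath -or $nameMimics) {
            # Legitimate Windows binaries are Authenticode-signed; a missing file is also worth a look
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }

            [PSCustomObject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                RunsAs    = $task.Principal.UserId
                Execute   = $exe
                Arguments = $action.Arguments
                Signature = $sig
                LastRun   = (Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath).LastRunTime
            }
        }
    }
}

$findings | Sort-Object Signature, TaskName | Format-Table -AutoSize
```

A task like the one in the log would appear with Execute under C:\Users\...\AppData\Roaming and a Signature of NotSigned (or FileMissing once the file has been quarantined), while genuine Windows tasks resolve under C:\Windows with Status Valid.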

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

