Resultado da Correção pela Farbar Recovery Scan Tool (x64) Versão: 26-11-2022
Executado por Johnny (03-12-2022 16:54:37) Run:1
Executando a partir de C:\Users\Johnny\Desktop
Perfis Carregados: Johnny & João
Modo da Inicialização: Normal

==============================================

fixlist Conteúdo:
*****************
Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [TeamsMachineUninstallerLocalAppData] => %LOCALAPPDATA%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (Nenhum Arquivo)
HKLM-x32\...\Run: [TeamsMachineUninstallerProgramData] => %ProgramData%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (Nenhum Arquivo)
S3 cpuz150; \??\C:\WINDOWS\temp\cpuz150\cpuz150_x64.sys [X]
S3 cpuz152; \??\C:\WINDOWS\temp\cpuz152\cpuz152_x64.sys [X]
S3 cpuz153; \??\C:\WINDOWS\temp\cpuz153\cpuz153_x64.sys [X]
S3 cpuz154; \??\C:\WINDOWS\temp\cpuz154\cpuz154_x64.sys [X]
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
S3 wtbt; \??\d:\steam\steamapps\common\super people\engine\binaries\thirdparty\wondertrust\wtdrv64.sys [X]
FirewallRules: [TCP Query User{CCFDEB75-89E8-48EB-BA80-522B039E58E6}D:\steam\steamapps\common\insurgency2\insurgency_x64.exe] => (Allow) D:\steam\steamapps\common\insurgency2\insurgency_x64.exe => Nenhum Arquivo
FirewallRules: [UDP Query User{F95B608B-5F2D-4215-8677-5859BA05AAD3}D:\steam\steamapps\common\insurgency2\insurgency_x64.exe] => (Allow) D:\steam\steamapps\common\insurgency2\insurgency_x64.exe => Nenhum Arquivo
FirewallRules: [{52395DDF-D246-4386-B72D-801AB1901AFE}] => (Block) D:\steam\steamapps\common\insurgency2\insurgency_x64.exe => Nenhum Arquivo
FirewallRules: [{299FC1AF-4994-461E-8D73-1300549E3052}] => (Block) D:\steam\steamapps\common\insurgency2\insurgency_x64.exe => Nenhum Arquivo
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Update\AU]
"NoAutoUpdate"=-
EndRegedit:
StartBatch:
pushd\windows\system32
bcdedit.exe /set {default} recoveryenabled yes
bcdedit.exe /timeout 4
bcdedit.exe /enum
DISM.exe /Online /Cleanup-image /scanhealth
sfc /scannow
del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Js\*.*"
del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\Js\*.*"
del /s /q "%userprofile%\AppData\Local\bravesoftware\brave-browser\User Data\Default\Code Cache\Js\*.*"
del /s /q "%userprofile%\AppData\Local\Temp\*.tmp"
del /s /q "%userprofile%\AppData\Local\Temp\*.tmp.*"
del /s /q "%userprofile%\AppData\Local\Temp\*.sys"
del /s /q "%userprofile%\AppData\Local\Temp\*.dll"
del /s /q "%userprofile%\AppData\Local\Temp\*.js"
del /s /q "%userprofile%\AppData\Local\Temp\*.ini"
del /s /q "%userprofile%\AppData\Local\Temp\*.html"
del /s /q "%userprofile%\AppData\Roaming\discord\Cache\*.*"
del /f /q "%userprofile%\AppData\Local\*-gui"
del /f /q "%userprofile%\AppData\Roaming\*-gui"
Endbatch:
StartBatch:
SETLOCAL ENABLEEXTENSIONS
echo userprofile=%USERPROFILE%
if not defined userprofile echo no userprofile&goto :eof
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.dl*"
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.ex*"
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.zi*"
del /f /q "%userprofile%\AppData\Roaming\Microsoft\*.sy*"
del /f /q "%userprofile%\AppData\Roaming\{*.*"
rd /s /q "%userprofile%\AppData\Roaming\discord\Cache"
rd /s /q "%userprofile%\AppData\Roaming\discord\code cache"
rd /s /q "%userprofile%\AppData\Roaming\discord\gpucache"
:eof
EndBatch:
StartBatch:
WMIC SERVICE WHERE Name="dcomlaunch" set startmode="auto"
WMIC SERVICE WHERE Name="nsi" set startmode="auto"
WMIC SERVICE WHERE Name="dhcp" set startmode="auto"
WMIC SERVICE WHERE Name="rpcss" set startmode="auto"
WMIC SERVICE WHERE Name="rpceptmapper" set startmode="auto"
WMIC SERVICE WHERE Name="winmgmt" set startmode="auto"
WMIC SERVICE WHERE Name="sdrsvc" set startmode="manual"
WMIC SERVICE WHERE Name="vss" set startmode="manual"
WMIC SERVICE WHERE Name="eventlog" set startmode="auto"
WMIC SERVICE WHERE Name="bfe" set startmode="auto"
WMIC SERVICE WHERE Name="eventsystem" set startmode="auto"
WMIC SERVICE WHERE Name="msiserver" set startmode="manual"
WMIC SERVICE WHERE Name="sstpsvc" set startmode="manual"
WMIC SERVICE WHERE Name="rasman" set startmode="manual"
WMIC SERVICE WHERE Name="trustedinstaller" set startmode="auto"
net start sdrsvc
net start vss
net start rpcss
net start eventsystem
net start winmgmt
net start msiserver
net start bfe
net start trustedinstaller
WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"
WMIC SERVICE WHERE Name="windefend" CALL startservice
WMIC SERVICE WHERE Name="securityhealthservice" CALL ChangeStartMode "manual"
WMIC SERVICE WHERE Name="securityhealthservice" CALL startservice
net start windefend
net start mpssvc
net start mpsdrv
"%WINDIR%\SYSTEM32\lodctr.exe" /R
"%WINDIR%\SysWOW64\lodctr.exe" /R
"%WINDIR%\SYSTEM32\lodctr.exe" /R
"%WINDIR%\SysWOW64\lodctr.exe" /R
NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log
ipconfig /release
ipconfig /renew
ipconfig /flushdns
ipconfig /registerdns
bitsadmin /list /allusers
bitsadmin /reset /allusers
Winmgmt /salvagerepository
Winmgmt /resetrepository
Winmgmt /resyncperf
Endbatch:
exportkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
startpowershell:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force
# 03*12-2022
# Function Remove-all-windefend-excludes to Remove all exclusions on MS Windefend
Function Remove-all-windefend-excludes {
$Paths=(Get-MpPreference).ExclusionPath
$Extensions=(Get-MpPreference).ExclusionExtension
$Processes=(Get-MpPreference).ExclusionProcess
foreach ($Path in $Paths) { Remove-MpPreference -ExclusionPath $Path -force}
foreach ($Extension in $Extensions) { Remove-MpPreference -ExclusionExtension $Extension -force}
foreach ($Process in $Processes) { Remove-MpPreference -ExclusionProcess $Process -force}
}
# Remove all exclusions on MS Windefend
Write-Output "Removing all exclusions on MS Windefend antivirus"
Set-MpPreference -DisableAutoExclusions $true -Force
Remove-all-windefend-excludes
EndPowerShell:
startpowershell:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force
# 10-26-2022 M. Naggar
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiVirus" -Type DWORD -Value 0 –Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWORD -Value 0 –Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "PUAProtection" -Type DWORD -Value 1 –Force
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -force
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -force
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -force
Set-Service -Name windefend -StartupType Automatic -force
Get-Service windefend | Select-Object -Property Name, StartType, Status
Set-Service -Name securityhealthservice -StartupType manual -force
Get-Service securityhealthservice | Select-Object -Property Name, StartType, Status
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true -Force
Set-MpPreference -DisableArchiveScanning $false -Force
Set-MpPreference -DisableBehaviorMonitoring $false -Force
Set-MpPreference -DisableEmailScanning $False -Force
Set-MpPreference -DisableIOAVProtection $false -Force
Set-MpPreference -DisablePrivacyMode $true -Force
Set-MpPreference -DisableRealtimeMonitoring $false -Force
Set-MpPreference -MAPSReporting Advanced -Force
Set-MpPreference -PUAProtection enabled -Force
Set-MpPreference -SignatureScheduleDay Everyday -Force
Set-MpPreference -DisableRemovableDriveScanning $false -Force
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
# Reset and check Secure Health status
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
Get-AppxPackage Microsoft.SecHealthUI -AllUsers|select Name, Status
# Check if these services are running
Get-Service mbamservice, Windefend, SecurityHealthService, wscsvc, mpsdrv, mpssvc, bfe, WdNisSvc, WdNisDrv, sense, winmgmt, rpcss, RpcEptMapper, bits, cryptsvc, wuauserv, dcomlaunch | Select Name, DisplayName, Status, starttype
EndPowerShell:
startpowershell:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force
Write-Output "updating"
Update-MpSignature
Write-Output "scanning"
Start-MpScan -ScanType QuickScan
Remove-MpThreat
Start-MpScan -ScanType customScan -ScanPath "%userprofile%\AppData\Local"
Remove-MpThreat
Start-MpScan -ScanType customScan -ScanPath "%userprofile%\AppData\Roaming"
Remove-MpThreat
EndPowerShell:
startpowershell:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -force
# Check computer status again after setting to make sure changes were applied
Get-MpComputerStatus
Get-MpPreference
Get-MpThreatDetection
# get statuses of services
Get-Service BITS | Select-Object -Property Name, StartType, Status
Get-Service Dhcp | Select-Object -Property Name, StartType, Status
Get-Service EventLog | Select-Object -Property Name, StartType, Status
Get-Service EventSystem | Select-Object -Property Name, StartType, Status
Get-Service mbamservice | Select-Object -Property Name, StartType, Status
Get-Service mpsdrv | Select-Object -Property Name, StartType, Status
Get-Service MpsSvc | Select-Object -Property Name, StartType, Status
Get-Service msiserver | Select-Object -Property Name, StartType, Status
Get-Service nsi | Select-Object -Property Name, StartType, Status
Get-Service RasMan | Select-Object -Property Name, StartType, Status
Get-Service rpcss | Select-Object -Property Name, StartType, Status
Get-Service SDRSVC | Select-Object -Property Name, StartType, Status
Get-Service sense | Select-Object -Property Name, StartType, Status
Get-Service securityhealthservice | Select-Object -Property Name, StartType, Status
Get-Service SstpSvc | Select-Object -Property Name, StartType, Status
Get-Service TrustedInstaller | Select-Object -Property Name, StartType, Status
Get-Service UsoSvc | Select-Object -Property Name, StartType, Status
Get-Service VSS | Select-Object -Property Name, StartType, Status
Get-Service wdnissvc | Select-Object -Property Name, StartType, Status
Get-Service windefend | Select-Object -Property Name, StartType, Status
Get-Service Winmgmt | Select-Object -Property Name, StartType, Status
Get-Service wscsvc | Select-Object -Property Name, StartType, Status
Get-Service wuauserv | Select-Object -Property Name, StartType, Status
New-NetFirewallRule -DisplayName "Block Inb" -Direction Inbound –LocalPort 135-139, 445, 1234, 3389, 5555 -Protocol tcp -Action Block
New-NetFirewallRule -DisplayName "Block Inb" -Direction Inbound –LocalPort 135-139, 445, 1234, 3389, 5555 -Protocol udp -Action Block
EndPowerShell:
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\system32\drivers\*.tmp
C:\WINDOWS\syswow64\*.tmp
cmd: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\bravesoftware\brave-browser\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Temp\*.exe"
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
cmd: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\bravesoftware\brave-browser\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Temp\*.exe"
cmd: sfc /scannow
Hosts:
EmptyTemp:
Reboot:
End::
*****************

SystemRestore: On => Erro -> 9%
Ponto de Restauração criado com sucesso.
Processos fechados com sucesso.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\TeamsMachineUninstallerLocalAppData" => removido (a) com sucesso.
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\TeamsMachineUninstallerProgramData" => removido (a) com sucesso.
HKLM\System\CurrentControlSet\Services\cpuz150 => removido (a) com sucesso.
cpuz150 => o serviço removido (a) com sucesso.
HKLM\System\CurrentControlSet\Services\cpuz152 => removido (a) com sucesso.
cpuz152 => o serviço removido (a) com sucesso.
HKLM\System\CurrentControlSet\Services\cpuz153 => removido (a) com sucesso.
cpuz153 => o serviço removido (a) com sucesso.
HKLM\System\CurrentControlSet\Services\cpuz154 => removido (a) com sucesso.
cpuz154 => o serviço removido (a) com sucesso.
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare" => não encontrado (a)
HKLM\System\CurrentControlSet\Services\wtbt => removido (a) com sucesso.
wtbt => o serviço removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{CCFDEB75-89E8-48EB-BA80-522B039E58E6}D:\steam\steamapps\common\insurgency2\insurgency_x64.exe" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{F95B608B-5F2D-4215-8677-5859BA05AAD3}D:\steam\steamapps\common\insurgency2\insurgency_x64.exe" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{52395DDF-D246-4386-B72D-801AB1901AFE}" => removido (a) com sucesso.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{299FC1AF-4994-461E-8D73-1300549E3052}" => removido (a) com sucesso.
Registro ====> A operação foi concluída com êxito.

========= Batch: =========

0
A operação foi concluída com êxito.
A operação foi concluída com êxito.

Gerenciador de Inicialização do Windows
---------------------------------------
identificador           {bootmgr}
device                  partition=\Device\HarddiskVolume2
description             Windows Boot Manager
locale                  pt-BR
inherit                 {globalsettings}
default                 {current}
resumeobject            {0807b10d-6d06-11ec-baaa-dbb563df7cb8}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 4

Carregador de Inicialização do Windows
--------------------------------------
identificador           {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
locale                  pt-BR
inherit                 {bootloadersettings}
recoverysequence        {73fad0e5-d29f-11eb-82a1-c0d613c2f771}
displaymessageoverride  Recovery
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {0807b10d-6d06-11ec-baaa-dbb563df7cb8}
nx                      OptIn
bootmenupolicy          Standard