Jump to content

Recommended Posts

Hello how are you?

I have a very slow PC.

I think it might be malware, as it was not so slow.

I try to run the Adwcleaner, does not open, try to open the JRT does not open, I tried to install Avast does not open the installer tried to install Panda Cloud does not open.

Run MalwareBytes, and removed 463 PUP's, but the problem still persists.

I await your help.

Thank you.  :)

 

Link to post
Share on other sites

Hello and welcome to Malwarebytes.org

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Next,

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

Chrome.JPGGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Settings.JPG
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Firefox.JPGMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Settings.JPG Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

IE.jpgInternet Explorer - Click the Tools menu in the upper right-corner of the browser. Tools.JPG Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Next,

Follow the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next,

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either accept the alert or disable your security and allow FRST to run...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.



Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report",in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
  • Close the program > Don't Fix anything!



Let me see those logs in your reply....

Thank you,

Kevin...
 

Link to post
Share on other sites

Hello my friend!!!

Attach logs.

 

::: Hidden Files Windows XP - OK

 

::: Google Chrome - Save Desktop configuration OK

 

 

::: MalwareBytes

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 25/8/2015

Scan Time: 19:05:21

Logfile: mbam.txt

Administrator: Yes

 

Version: 2.1.8.1057

Malware Database: v2015.08.25.07

Rootkit Database: v2015.08.16.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows XP Service Pack 3

CPU: x86

File System: NTFS

User: 1

 

Scan Type: Custom Scan

Result: Completed

Objects Scanned: 333755

Time Elapsed: 50 min, 38 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

 

::: FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-08-2015 02

Ran by 1 (administrator) on HOME-0EE373B8F8 (25-08-2015 20:02:20)

Running from C:\Documents and Settings\1\Desktop

Loaded Profiles: 1 (Available Profiles: 1)

Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: Português (Brasil)

Internet Explorer Version 8 (Default browser: IE)

Boot Mode: Normal


 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(GAS Tecnologia) C:\ARQUIV~1\GbPlugin\gbpsv.exe

(Nero AG) C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe

(Malwarebytes Corporation) C:\Arquivos de programas\Malwarebytes Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Arquivos de programas\Malwarebytes Anti-Malware\mbamservice.exe

(GAS Tecnologia LTDA) C:\Arquivos de programas\Diebold\Warsaw\core.exe

(Malwarebytes Corporation) C:\Arquivos de programas\Malwarebytes Anti-Malware\mbam.exe

(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe

(GAS Tecnologia LTDA) C:\Arquivos de programas\Diebold\Warsaw\core.exe

 

 

==================== Registry (Whitelisted) ===========================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [Diebold - Warsaw] => C:\Arquivos de programas\Diebold\Warsaw\core.exe [509752 2015-06-24] (GAS Tecnologia LTDA)

Winlogon\Notify\ GbPluginUni: C:\Arquivos de programas\GbPlugin\gbiehUni.dll [2015-07-06] (Banco Itaú Unibanco)

HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0

HKLM\...\Policies\Explorer: [HideSCAHealth] 0

Lsa: [Authentication Packages] msv1_0 nwprovau

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, AngoqpurRuqs.dll

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\S-1-5-21-1708537768-527237240-1417001333-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

HKU\S-1-5-21-1708537768-527237240-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-1708537768-527237240-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com.br/

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION

SearchScopes: HKLM -> DefaultScope {2B849849-30A7-4958-919D-FB5BFDBD58F5} URL = 

SearchScopes: HKU\S-1-5-21-1708537768-527237240-1417001333-1003 -> DefaultScope {7E707433-1A9B-4B8E-B3C5-D675BB16696E} URL = hxxp://www.google.com.br/search?hl=pt-BR&q={searchTerms}&meta=

SearchScopes: HKU\S-1-5-21-1708537768-527237240-1417001333-1003 -> {7E707433-1A9B-4B8E-B3C5-D675BB16696E} URL = hxxp://www.google.com.br/search?hl=pt-BR&q={searchTerms}&meta=

BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File

BHO: Auxiliar de Conexão do Windows Live -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)

BHO: GbIehObj Class -> {C41A1C0E-EA6C-11D4-B1B8-444553540008} -> C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehuni.dll [2015-07-06] (Banco Itaú Unibanco)

BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll [2011-05-07] (Sun Microsystems, Inc.)

BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-05-07] (Sun Microsystems, Inc.)

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)

Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll [2006-10-26] (Microsoft Corporation)

Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL [2009-02-26] (Microsoft Corporation)

Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)

ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]

ShellExecuteHooks: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399008} - C:\ARQUIVOS DE PROGRAMAS\GbPlugin\gbiehuni.dll [1759992 2015-07-06] (Banco Itaú Unibanco)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Tcpip\..\Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924}: [NameServer] 201.77.112.3,201.77.112.9

Tcpip\..\Interfaces\{8E433A8A-9220-4CA2-9B9F-3D0650A77BA2}: [DhcpNameServer] 192.168.0.1

 

FireFox:

========

FF ProfilePath: C:\Documents and Settings\1\Dados de aplicativos\Mozilla\Firefox\Profiles\x22e9100.default

FF NetworkProxy: "type", 0

FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll [2012-10-28] ()

FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2012-06-13] (Adobe Systems, Inc.)

FF Plugin: @java.com/JavaPlugin -> C:\Arquivos de programas\Java\jre6\bin\new_plugin\npjp2.dll [2011-05-07] (Sun Microsystems, Inc.)

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Arquivos de programas\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Arquivos de programas\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Arquivos de programas\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)

FF Plugin: Adobe Reader -> C:\Arquivos de programas\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)

FF SearchPlugin: C:\Arquivos de programas\mozilla firefox\searchplugins\buscape.xml.moz-backup [2012-11-01]

FF SearchPlugin: C:\Arquivos de programas\mozilla firefox\searchplugins\mercadolivre.xml.moz-backup [2012-11-01]

FF SearchPlugin: C:\Arquivos de programas\mozilla firefox\browser\searchplugins\buscape.xml [2014-06-06]

FF SearchPlugin: C:\Arquivos de programas\mozilla firefox\browser\searchplugins\mercadolivre.xml [2014-06-06]

FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ff

FF Extension: Java Quick Starter - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ff [2011-05-07]

FF HKU\S-1-5-21-1708537768-527237240-1417001333-1003\...\Firefox\Extensions: [{87F8774F-B485-47E2-A755-A40A8A5E8873}] - C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\GAS Tecnologia\GBBD\uni\xpi

 

Chrome: 

=======

CHR Profile: C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default

CHR Extension: (Avira Browser Safety) - C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2015-02-05]

CHR Extension: (GBBD Guardião - Itaú 30 horas) - C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\Extensions\kgmpojlddncminmkddkpoegdjhojjipg [2014-11-01]

CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-17]

CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-28]

CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx

 

==================== Services (Whitelisted) ========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 GbpSv; C:\Arquivos de programas\GbPlugin\gbpsv.exe [546104 2014-09-29] (GAS Tecnologia)

S4 gupdate; C:\Arquivos de programas\Google\Update\GoogleUpdate.exe [116648 2012-11-16] (Google Inc.)

S4 gupdatem; C:\Arquivos de programas\Google\Update\GoogleUpdate.exe [116648 2012-11-16] (Google Inc.)

S3 hpqcxs08; C:\Arquivos de programas\HP\Digital Imaging\bin\hpqcxs08.dll [217088 2007-03-12] (Hewlett-Packard Co.) [File not signed]

S4 IDriverT; C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]

R2 InCDsrv; C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe [1554728 2007-11-26] (Nero AG)

S4 JavaQuickStarterService; C:\Arquivos de programas\Java\jre6\bin\jqs.exe [153376 2011-05-07] (Sun Microsystems, Inc.)

R2 MBAMScheduler; C:\Arquivos de programas\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)

R2 MBAMService; C:\Arquivos de programas\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)

S4 MDM; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]

S4 MozillaMaintenance; C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe [119408 2014-06-06] (Mozilla Foundation)

R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]

S4 NMIndexingService; C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe [279848 2007-06-27] (Nero AG)

R2 NWCWorkstation; C:\WINDOWS\System32\nwwks.dll [65536 2008-04-13] (Microsoft Corporation)

R2 NwSapAgent; C:\WINDOWS\System32\ipxsap.dll [66560 2001-10-28] (Microsoft Corporation)

S4 odserv; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\ODSERV.EXE [441712 2008-11-04] (Microsoft Corporation)

S4 ose; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE [145184 2006-10-26] (Microsoft Corporation)

R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]

S4 tor; C:\Arquivos de programas\Tor\tor.exe [3233806 2013-08-30] () [File not signed]

R2 Warsaw Technology; C:\Arquivos de programas\Diebold\Warsaw\core.exe [509752 2015-06-24] (GAS Tecnologia LTDA)

S4 WMPNetworkSvc; C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe [914944 2006-11-02] (Microsoft Corporation)

 

===================== Drivers (Whitelisted) ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-17] (Creative)

R0 GbpKm; C:\WINDOWS\System32\drivers\gbpkm.sys [46392 2014-08-12] (GAS Tecnologia)

S3 gdrv; C:\WINDOWS\gdrv.sys [17488 2011-05-07] (Windows ® 2000 DDK provider)

S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2007-03-08] (HP)

S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2007-03-08] (HP)

S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2007-03-08] (HP)

R4 InCDfs; C:\WINDOWS\System32\drivers\InCDFs.sys [118952 2007-11-26] (Nero AG)

R1 InCDPass; C:\WINDOWS\System32\drivers\InCDPass.sys [36776 2007-11-26] (Nero AG)

U1 InCDrec; C:\WINDOWS\system32\Drivers\InCDrec.sys [16040 2007-11-26] (Nero AG)

R1 incdrm; C:\WINDOWS\System32\drivers\InCDRm.sys [38440 2007-11-26] (Nero AG)

R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)

R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-08-25] (Malwarebytes Corporation)

S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-17] (Creative Technology Ltd.)

S3 Ndisrd; C:\WINDOWS\System32\DRIVERS\gbpndisrdn.sys [31448 2015-02-20] (GAS Tecnologia)

R3 NdisrdMP; C:\WINDOWS\System32\DRIVERS\gbpndisrdn.sys [31448 2015-02-20] (GAS Tecnologia)

R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-13] (Microsoft Corporation)

R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2001-10-28] (Microsoft Corporation)

R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2001-10-28] (Microsoft Corporation)

R3 NWRDR; C:\WINDOWS\System32\DRIVERS\nwrdr.sys [163584 2008-04-13] (Microsoft Corporation)

S3 se45bus; C:\WINDOWS\System32\DRIVERS\se45bus.sys [61536 2006-11-30] (MCCI)

S3 se45mdfl; C:\WINDOWS\System32\DRIVERS\se45mdfl.sys [9360 2006-11-30] (MCCI)

S3 se45mdm; C:\WINDOWS\System32\DRIVERS\se45mdm.sys [97088 2006-11-30] (MCCI)

S3 se45mgmt; C:\WINDOWS\System32\DRIVERS\se45mgmt.sys [88624 2006-11-30] (MCCI)

S3 se45nd5; C:\WINDOWS\System32\DRIVERS\se45nd5.sys [18704 2006-11-30] (MCCI)

S3 se45obex; C:\WINDOWS\System32\DRIVERS\se45obex.sys [86432 2006-11-30] (MCCI)

S3 se45unic; C:\WINDOWS\System32\DRIVERS\se45unic.sys [90800 2006-11-30] (MCCI)

S3 usbbus; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [13056 2008-11-19] (LG Electronics Inc.)

S3 UsbDiag; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [19968 2008-11-19] (LG Electronics Inc.)

S3 USBModem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [24832 2008-11-19] (LG Electronics Inc.)

S3 catchme; \??\C:\ComboFix\catchme.sys [X]

S2 ckptib4; \??\C:\WINDOWS\SYSTEM32\DRIVERS\ckptib4.sys [X]

S4 IntelIde; no ImagePath

 

==================== NetSvcs (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

 

==================== One Month Created files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2015-08-25 20:02 - 2015-08-25 20:02 - 00015931 _____ C:\Documents and Settings\1\Desktop\FRST.txt

2015-08-25 20:01 - 2015-08-25 20:02 - 00000000 ____D C:\FRST

2015-08-25 19:59 - 2015-08-25 20:00 - 18772040 _____ C:\Documents and Settings\1\Desktop\RogueKiller.exe

2015-08-25 19:58 - 2015-08-25 19:58 - 01690112 _____ (Farbar) C:\Documents and Settings\1\Desktop\FRST.exe

2015-08-25 19:56 - 2015-08-25 19:56 - 00001050 _____ C:\Documents and Settings\1\Desktop\mbam.txt

2015-08-24 23:38 - 2015-08-24 23:38 - 00000564 _____ C:\Documents and Settings\All Users\Desktop\desktop turbo 1.lnk

2015-08-24 22:26 - 2015-08-25 19:05 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys

2015-08-24 22:26 - 2015-08-24 22:26 - 00000000 ____D C:\Documents and Settings\All Users\Menu Iniciar\Programas\Malwarebytes Anti-Malware

2015-08-24 22:25 - 2015-08-24 22:26 - 00000000 ____D C:\Arquivos de programas\Malwarebytes Anti-Malware

2015-08-24 22:25 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys

2015-08-24 22:04 - 2015-08-24 22:04 - 00009900 _____ C:\ComboFix.txt

2015-08-24 22:04 - 2015-08-24 22:04 - 00000000 ____D C:\Documents and Settings\NetworkService\Configurações locais\temp

2015-08-24 22:04 - 2015-08-24 22:04 - 00000000 ____D C:\Documents and Settings\LocalService\Configurações locais\temp

2015-08-24 21:50 - 2015-08-25 20:02 - 00000000 ____D C:\Documents and Settings\1\Configurações locais\temp

2015-08-24 21:38 - 2011-06-26 03:45 - 00256000 _____ C:\WINDOWS\PEV.exe

2015-08-24 21:38 - 2010-11-07 14:20 - 00208896 _____ C:\WINDOWS\MBR.exe

2015-08-24 21:38 - 2009-04-20 01:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe

2015-08-24 21:38 - 2000-08-30 21:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe

2015-08-24 21:38 - 2000-08-30 21:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe

2015-08-24 21:38 - 2000-08-30 21:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe

2015-08-24 21:38 - 2000-08-30 21:00 - 00098816 _____ C:\WINDOWS\sed.exe

2015-08-24 21:38 - 2000-08-30 21:00 - 00080412 _____ C:\WINDOWS\grep.exe

2015-08-24 21:38 - 2000-08-30 21:00 - 00068096 _____ C:\WINDOWS\zip.exe

2015-08-24 21:37 - 2015-08-24 22:04 - 00000000 ____D C:\Qoobox

2015-08-24 21:37 - 2015-08-24 22:04 - 00000000 _____ C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

2015-08-24 21:11 - 2015-08-25 18:35 - 00000159 ____N C:\WINDOWS\wiadebug.log

2015-08-24 21:11 - 2015-08-25 18:35 - 00000049 ____N C:\WINDOWS\wiaservc.log

2015-08-24 21:11 - 2015-08-24 21:11 - 00000000 ____N C:\WINDOWS\Sti_Trace.log

2015-08-24 21:10 - 2015-08-25 16:18 - 00006280 ____N C:\WINDOWS\SchedLgU.Txt

2015-08-24 21:09 - 2015-08-25 18:36 - 00027721 ____N C:\WINDOWS\WindowsUpdate.log

 

==================== One Month Modified files and folders ========

 

(If an entry is included in the fixlist, the file/folder will be moved.)

 

2015-08-25 19:17 - 2012-11-16 19:56 - 00001072 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

2015-08-25 19:04 - 2011-05-07 11:50 - 00065536 _____ C:\WINDOWS\system32\config\ODiag.evt

2015-08-25 19:04 - 2007-01-01 04:44 - 00000000 ____D C:\Documents and Settings\1

2015-08-25 19:04 - 2007-01-01 03:14 - 00065536 _____ C:\WINDOWS\system32\config\Internet.evt

2015-08-25 18:35 - 2007-01-01 04:36 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT

2015-08-25 16:17 - 2007-01-01 04:45 - 00000210 ___SH C:\Documents and Settings\1\ntuser.ini

2015-08-24 23:24 - 2015-02-20 07:26 - 00000000 ____D C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2015-08-24 22:55 - 2007-01-01 00:13 - 00000000 ___RD C:\Arquivos de programas

2015-08-24 22:54 - 2007-01-01 04:44 - 00000000 ___HD C:\Documents and Settings\1\Configurações locais\Dados de aplicativos

2015-08-24 22:54 - 2007-01-01 03:35 - 00000000 ___HD C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos

2015-08-24 22:26 - 2012-10-27 09:27 - 00000000 ____D C:\Documents and Settings\1\Dados de aplicativos\Malwarebytes

2015-08-24 22:26 - 2007-01-01 00:11 - 00000000 ___RD C:\Documents and Settings\All Users\Menu Iniciar\Programas

2015-08-24 22:25 - 2012-10-27 09:26 - 00000000 ____D C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes

2015-08-24 22:20 - 2007-01-01 04:44 - 00000000 ___RD C:\Documents and Settings\1\Menu Iniciar\Programas

2015-08-24 22:15 - 2015-02-06 23:13 - 00406294 _____ C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\WPFFontCache_v0400-S-1-5-21-1708537768-527237240-1417001333-1003-0.dat

2015-08-24 22:15 - 2015-02-05 07:26 - 00203566 _____ C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\WPFFontCache_v0400-System.dat

2015-08-24 22:15 - 2014-11-25 20:41 - 00000000 ____D C:\Documents and Settings\All Users\Dados de aplicativos\Package Cache

2015-08-24 22:15 - 2013-01-19 18:28 - 00000000 ____D C:\Documents and Settings\All Users\Dados de aplicativos\Avira

2015-08-24 22:15 - 2013-01-19 18:28 - 00000000 ____D C:\Arquivos de programas\Avira

2015-08-24 22:15 - 2007-01-01 00:08 - 00000000 __RHD C:\Documents and Settings\All Users\Dados de aplicativos

2015-08-24 22:13 - 2012-06-02 19:09 - 00000000 ____D C:\Arquivos de programas\MegaJogos

2015-08-24 22:09 - 2007-01-01 04:44 - 00000000 __RHD C:\Documents and Settings\1\Dados de aplicativos

2015-08-24 22:04 - 2007-01-01 04:36 - 00000000 ___HD C:\Documents and Settings\LocalService\Configurações locais

2015-08-24 22:04 - 2007-01-01 03:35 - 00000000 ___HD C:\Documents and Settings\NetworkService\Configurações locais

2015-08-24 21:56 - 2001-10-28 13:07 - 00000246 _____ C:\WINDOWS\system.ini

2015-08-24 21:50 - 2007-01-01 04:44 - 00000000 ___HD C:\Documents and Settings\1\Configurações locais

2015-08-24 21:47 - 2007-01-01 00:13 - 00000000 ____D C:\Arquivos de programas\Arquivos comuns

2015-08-24 21:35 - 2012-10-28 14:02 - 00000000 ____D C:\WINDOWS\erdnt

2015-08-24 21:26 - 2007-01-01 00:06 - 00000211 ___SH C:\boot.ini

2015-08-24 21:26 - 2001-10-28 13:07 - 00000582 _____ C:\WINDOWS\win.ini

2015-08-24 21:22 - 2013-08-30 08:15 - 00000000 ____D C:\Documents and Settings\LocalService\Dados de aplicativos\tor

2015-08-24 20:53 - 2011-05-07 08:47 - 00000738 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk

2015-08-24 20:53 - 2011-05-07 08:47 - 00000000 ____D C:\Documents and Settings\All Users\Menu Iniciar\Programas\CCleaner

2015-08-24 20:53 - 2011-05-07 08:46 - 00000000 ____D C:\Arquivos de programas\CCleaner

2015-08-24 16:23 - 2011-05-21 19:16 - 00000000 ____D C:\WINDOWS\system32\NtmsData

2015-08-24 15:34 - 2007-01-01 03:11 - 00000000 ____D C:\WINDOWS\Registration

2015-08-21 13:24 - 2007-01-01 00:12 - 00000626 _____ C:\WINDOWS\system32\AUTOEXEC.NT

2015-08-10 15:59 - 2007-01-01 04:44 - 00000000 ___RD C:\Documents and Settings\1\Meus documentos

2015-08-02 00:56 - 2013-04-03 19:20 - 00000000 ____D C:\WINDOWS\Minidump

2015-07-31 17:43 - 2012-06-09 18:23 - 00000000 ____D C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Google

 

==================== Files in the root of some directories =======

 

2013-02-19 18:56 - 2013-02-19 18:56 - 0000288 _____ () C:\Documents and Settings\1\Dados de aplicativos\.backup.dm

2014-02-20 16:43 - 2014-02-20 16:43 - 0000052 _____ () C:\Documents and Settings\1\Dados de aplicativos\id

2014-02-28 22:38 - 2014-02-28 22:38 - 0000041 _____ () C:\Documents and Settings\1\Dados de aplicativos\WB.CFG

2011-05-07 08:41 - 2015-07-16 16:04 - 0023040 _____ () C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-06-29 14:43 - 2012-06-29 14:43 - 0000134 _____ () C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\fusioncache.dat

 

Some zero byte size files/folders:

==========================

C:\Windows\System32\Drivers\PROCEXP113.SYS

 

==================== Bamital & volsnap =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\WINDOWS\explorer.exe => File is digitally signed

C:\WINDOWS\system32\winlogon.exe => File is digitally signed

C:\WINDOWS\system32\svchost.exe => File is digitally signed

C:\WINDOWS\system32\services.exe => File is digitally signed

C:\WINDOWS\system32\User32.dll => File is digitally signed

C:\WINDOWS\system32\userinit.exe => File is digitally signed

C:\WINDOWS\system32\rpcss.dll => File is digitally signed

C:\WINDOWS\system32\dnsapi.dll => File is digitally signed

C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

 

==================== End of FRST.txt ============================

 

 

 

 

::: Addition

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:25-08-2015 02

Ran by 1 (2015-08-25 20:03:14)

Running from C:\Documents and Settings\1\Desktop

Boot Mode: Normal

==========================================================

 

 

==================== Accounts: =============================

 

1 (S-1-5-21-1708537768-527237240-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\1

Administrador (S-1-5-21-1708537768-527237240-1417001333-500 - Administrator - Enabled)

ASPNET (S-1-5-21-1708537768-527237240-1417001333-1005 - Limited - Disabled)

Convidado (S-1-5-21-1708537768-527237240-1417001333-501 - Limited - Disabled)

HelpAssistant (S-1-5-21-1708537768-527237240-1417001333-1000 - Limited - Disabled)

SUPPORT_388945a0 (S-1-5-21-1708537768-527237240-1417001333-1002 - Limited - Disabled)

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

 

==================== Installed Programs ======================

 

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version:  - Microsoft)

32 Bit HP CIO Components Installer (Version: 1.0.0 - Hewlett-Packard) Hidden

Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.0.1.152 - Adobe Systems Incorporated)

Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.4.402.287 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.08) - Português (HKLM\...\{AC76BA86-7AD7-1046-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)

Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.5.635 - Adobe Systems, Inc.)

AIO_Scan (Version: 90.0.222.000 - Hewlett-Packard) Hidden

Assistente de Conexão do Windows Live (HKLM\...\{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}) (Version: 5.000.818.5 - Microsoft Corporation)

Atualização de Segurança para o Windows Media Player 11 (KB954154) (HKLM\...\KB954154_WM11) (Version:  - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2497640) (HKLM\...\KB2497640-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2510531) (HKLM\...\KB2510531-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2530548) (HKLM\...\KB2530548-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2544521) (HKLM\...\KB2544521-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2559049) (HKLM\...\KB2559049-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2586448) (HKLM\...\KB2586448-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2618444) (HKLM\...\KB2618444-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows Internet Explorer 8 (KB2675157) (HKLM\...\KB2675157-IE8) (Version: 1 - Microsoft Corporation)

Atualização de Segurança para Windows XP (KB923789) (HKLM\...\KB923789) (Version:  - Microsoft Corporation)

Atualização de Segurança para Windows XP (KB941569) (HKLM\...\KB941569) (Version:  - Microsoft Corporation)

Atualização de Segurança para Windows XP (KB950760) (HKLM\...\KB950760) (Version: 1 - Microsoft Corporation)

CCleaner (HKLM\...\CCleaner) (Version: 5.08 - Piriform)

Disc2Phone (HKLM\...\{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}) (Version: 1.4.0.112 - Sony Media Software)

dj_aio_corporate (Version: 90.0.222.000 - Hewlett-Packard) Hidden

DJ_AIO_Software_min (Version: 90.0.222.000 - Hewlett-Packard) Hidden

Ferramenta de Carregamento do Windows Live (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)

Google Chrome (HKLM\...\Google Chrome) (Version: 44.0.2403.157 - Google Inc.)

Google Update Helper (Version: 1.3.28.1 - Google Inc.) Hidden

HP Deskjet All-In-One Driver Software 9.0.A Corporate Edition (HKLM\...\{B2C61EBB-F47C-48ba-B375-27A40F8F48F7}) (Version: 9.0 - HP)

Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )

Java 6 Update 24 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216024FF}) (Version: 6.0.240 - Oracle)

LG USB Modem Drivers (HKLM\...\{E1640DA5-89B4-4F52-B15D-5DA3D14F29D4}) (Version: 4.9.4 - LG Electronics)

Malwarebytes Anti-Malware versão 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)

MegaJogos (HKLM\...\MegaJogos) (Version:  - )

Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )

Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)

Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)

Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6425.1000 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)

Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)

Motorola SM56 Speakerphone Modem (HKLM\...\SMSERIAL) (Version:  - )

Mozilla Firefox 30.0 (x86 pt-BR) (HKLM\...\Mozilla Firefox 30.0 (x86 pt-BR)) (Version: 30.0 - Mozilla)

Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)

MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)

MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)

Nero 7 Essentials (HKLM\...\{45B3A3BD-F90D-48FE-A147-D74878A51046}) (Version: 7.03.0920 - Nero AG)

Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6235 - Realtek Semiconductor Corp.)

Scan (Version: 9.0.0.0 - Hewlett-Packard) Hidden

Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden

Sony Ericsson PC Suite (HKLM\...\{FC906D5C-91F9-4DA4-A765-6DCBB669F317}) (Version: 2.0.52 - Sony Ericsson)

swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden

Toolbox (Version: 90.0.146.000 - Hewlett-Packard) Hidden

Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)

Update for Outlook 2007 Junk Email Filter (KB2596560) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{2964DDE1-4925-4DF1-AF2C-0A36B3442228}) (Version:  - Microsoft)

Warsaw 1.3.1 (HKLM\...\{20E60725-16C8-4FB9-8BC2-AF92C5F8D06D}_is1) (Version: 1.3.1 - GAS Tecnologia)

WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden

Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)

Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)

Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)

Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)

Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )

Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )

WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )

XP Codec Pack (HKLM\...\XP Codec Pack) (Version:  - )

 

==================== Custom CLSID (Whitelisted): ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-1708537768-527237240-1417001333-1003_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

 

==================== Restore Points =========================

 

28-05-2015 12:51:23 Ponto de verificação do sistema

30-05-2015 13:42:51 Ponto de verificação do sistema

03-06-2015 11:31:16 Ponto de verificação do sistema

04-06-2015 13:19:13 Ponto de verificação do sistema

11-06-2015 14:50:43 Ponto de verificação do sistema

12-06-2015 15:52:15 Ponto de verificação do sistema

13-06-2015 16:37:07 Ponto de verificação do sistema

16-06-2015 13:24:23 Ponto de verificação do sistema

19-06-2015 12:35:25 Ponto de verificação do sistema

21-06-2015 18:16:34 Ponto de verificação do sistema

23-06-2015 11:30:02 Ponto de verificação do sistema

24-06-2015 15:55:09 Ponto de verificação do sistema

26-06-2015 09:47:05 Ponto de verificação do sistema

29-06-2015 10:50:53 Ponto de verificação do sistema

01-07-2015 11:07:12 Ponto de verificação do sistema

02-07-2015 12:03:07 Ponto de verificação do sistema

03-07-2015 12:05:37 Ponto de verificação do sistema

04-07-2015 15:53:14 Ponto de verificação do sistema

06-07-2015 11:08:30 Ponto de verificação do sistema

08-07-2015 09:56:36 Ponto de verificação do sistema

14-07-2015 15:51:01 Ponto de verificação do sistema

17-07-2015 16:59:45 Ponto de verificação do sistema

22-07-2015 12:08:53 Ponto de verificação do sistema

23-07-2015 19:50:43 Ponto de verificação do sistema

25-07-2015 14:03:39 Ponto de verificação do sistema

29-07-2015 09:19:10 Ponto de verificação do sistema

31-07-2015 15:32:54 Ponto de verificação do sistema

03-08-2015 15:55:50 Ponto de verificação do sistema

04-08-2015 16:58:34 Ponto de verificação do sistema

06-08-2015 10:33:53 Ponto de verificação do sistema

08-08-2015 18:24:29 Ponto de verificação do sistema

10-08-2015 12:34:22 Ponto de verificação do sistema

13-08-2015 06:29:30 Ponto de verificação do sistema

16-08-2015 16:12:42 Ponto de verificação do sistema

19-08-2015 10:43:31 Ponto de verificação do sistema

21-08-2015 12:32:03 Ponto de verificação do sistema

22-08-2015 19:55:38 Ponto de verificação do sistema

24-08-2015 11:02:13 Ponto de verificação do sistema

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2001-10-28 13:06 - 2015-08-24 21:55 - 00000027 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

 

==================== Scheduled Tasks (Whitelisted) =============

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

 

==================== Loaded Modules (Whitelisted) ==============

 

2006-03-09 16:45 - 2006-03-09 16:45 - 00081920 ____R () C:\Arquivos de programas\Arquivos comuns\Teleca Shared\boost_log-vc71-mt-1_33.dll

 

==================== Alternate Data Streams (Whitelisted) =========

 

(If an entry is included in the fixlist, only the ADS will be removed.)

 

AlternateDataStreams: C:\WINDOWS\system32\drivers:GbpKmAp.lst

 

==================== Safe Mode (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

 

 

==================== EXE Association (Whitelisted) ===============

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

 

 

==================== Internet Explorer trusted/restricted ===============

 

(If an entry is included in the fixlist, it will be removed from the registry.)

 

IE trusted site: HKU\S-1-5-21-1708537768-527237240-1417001333-1003\...\itau.com.br -> bankline.itau.com.br

IE trusted site: HKU\S-1-5-21-1708537768-527237240-1417001333-1003\...\itau.com.br -> hxxps://bankline.itau.com.br

IE trusted site: HKU\S-1-5-21-1708537768-527237240-1417001333-1003\...\itaupersonnalite.com.br -> hxxp://www.itaupersonnalite.com.br

 

 

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

 

HKU\S-1-5-21-1708537768-527237240-1417001333-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\1\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp

DNS Servers: 192.168.0.1

Windows Firewall is enabled.

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

(Currently there is no automatic fix for this section.)

 

 

==================== FirewallRules (Whitelisted) ===============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019

 

==================== Faulty Device Manager Devices =============

 

Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC

Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC

Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}

Manufacturer: Realtek Semiconductor Corp.

Service: RTL8023xp

Problem: : This device is disabled. (Code 22)

Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

 

 

==================== Event log errors: =========================

 

Application errors:

==================

 

System errors:

=============

Error: (08/25/2015 07:17:17 PM) (Source: DCOM) (EventID: 10005) (User: AUTORIDADE NT)

Description: Erro "%%1058" no DCOM na tentativa de iniciar o serviço gupdate com argumentos "/comsvc"

para iniciar o servidor:

{4EB61BAC-A3B6-4760-9581-655041EF4D69}

 

 

Microsoft Office:

=========================

 

==================== Memory info =========================== 

 

Processor: Intel® Core2 Duo CPU E4500 @ 2.20GHz

Percentage of memory in use: 57%

Total physical RAM: 1015.48 MB

Available physical RAM: 435.39 MB

Total Virtual: 2442.86 MB

Available Virtual: 1885.96 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:149.04 GB) (Free:123.7 GB) NTFS ==>[drive with boot components (Windows XP)]

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 149 GB) (Disk ID: C5BEC5BE)

Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

 

==================== End of Addition.txt ============================

 

 

::: RogueKiller

 

RogueKiller V10.10.2.0 [Aug 24 2015] por Adlice Software





 

Sistema Operacional : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Iniciou : Modo normal

Usuário : 1 [Administrador]

Started from : C:\Documents and Settings\1\Desktop\RogueKiller.exe

Modo : Escanear -- Data : 08/25/2015 20:14:25

 

¤¤¤ Processos : 0 ¤¤¤

 

¤¤¤ Registro : 4 ¤¤¤

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924} | NameServer : 201.77.112.3,201.77.112.9 ([(Unknown Country?) (XX)][-])  -> Encontrado

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924} | NameServer : 201.77.112.3,201.77.112.9 ([(Unknown Country?) (XX)][-])  -> Encontrado

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924} | NameServer : 201.77.112.3,201.77.112.9 ([(Unknown Country?) (XX)][-])  -> Encontrado

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924} | NameServer : 201.77.112.3,201.77.112.9 ([(Unknown Country?) (XX)][-])  -> Encontrado

 

¤¤¤ Tarefas : 0 ¤¤¤

 

¤¤¤ Arquivos : 0 ¤¤¤

 

¤¤¤ Arquivos de hosts : 1 ¤¤¤

[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

 

¤¤¤ Antirootkit : 0 (Driver: Carregado) ¤¤¤

 

¤¤¤ Navegadores : 0 ¤¤¤

 

¤¤¤ Verificação da MBR : ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BB-55RDA0 +++++

--- User ---

[MBR] a07e7a1f1cc0d93c2b74b0b073c6432a

[bSP] 494bed100c01b186d14f57b0928e57ac : Windows XP|VT.Unknown MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 152617 MB [Windows XP Bootstrap | Windows XP Bootloader]

User = LL1 ... OK

User = LL2 ... OK

 

+++++ PhysicalDrive1: Myson CS8819A2-109  0 USB Device +++++

Error reading User MBR! ([15] O dispositivo não está pronto. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] Não há suporte para o pedido. )

 

+++++ PhysicalDrive2: Myson CS8819A2-109  1 USB Device +++++

Error reading User MBR! ([15] O dispositivo não está pronto. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] Não há suporte para o pedido. )

 

+++++ PhysicalDrive3: Myson CS8819A2-109  2 USB Device +++++

Error reading User MBR! ([15] O dispositivo não está pronto. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] Não há suporte para o pedido. )

 

+++++ PhysicalDrive4: Myson CS8819A2-109  3 USB Device +++++

Error reading User MBR! ([15] O dispositivo não está pronto. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] Não há suporte para o pedido. )

 


Thank you very much!!! 

I await answers  :) 

Link to post
Share on other sites

OK!!!

 

::::Combofix

 

ComboFix 15-08-24.01 - 1 24/08/2015  21:41:40.3.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.1015.644 [GMT -3:00]
Executando de: c:\documents and settings\1\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADO !!
.
ADS - system32: deleted 2 bytes in 1 streams.
ADS - drivers: deleted 224 bytes in 2 streams.
.
(((((((((((((((((((((((((((((((((((((   Outras Exclusões   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\1\CONFIG~1\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\documents and settings\1\Configurações locais\temp\avgnt.exe\Avira.OE.ExtApi.dll
.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2015-07-25 to 2015-08-25  ))))))))))))))))))))))))))))
.
.
2015-08-25 00:37 . 2015-08-25 00:37 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2015-08-25 00:07 . 2015-08-25 00:20 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-19 11:42 . 2013-01-19 21:28 136728 ----a-w- c:\windows\system32\drivers\avipbb.sys
2015-06-19 11:42 . 2013-01-19 21:28 108448 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-03-28 . 4F907A212112BB564EC491ED0E6CE6AC . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas. 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4e8f6cb8-79e6-4def-8f44-6ffd56e07774}"= "c:\arquivos de programas\FileConverter_1.1\prxtbFile.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{4e8f6cb8-79e6-4def-8f44-6ffd56e07774}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4E8F6CB8-79E6-4DEF-8F44-6FFD56E07774}"= "c:\arquivos de programas\FileConverter_1.1\prxtbFile.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{4e8f6cb8-79e6-4def-8f44-6ffd56e07774}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2015-06-19 730416]
"Diebold - Warsaw"="c:\arquivos de programas\Diebold\Warsaw\core.exe" [2015-06-25 509752]
"Avira Systray"="c:\arquivos de programas\Avira\Launcher\Avira.Systray.exe" [2015-07-02 134368]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\arquivos de programas\GBPLUGIN\gbiehuni.dll" [2015-07-06 1759992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]
2015-07-06 18:20 1759992 ----a-w- c:\arquivos de programas\GbPlugin\gbiehuni.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, AngoqpurRuqs.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"tor"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Arquivos de programas\\Diebold\\Warsaw\\core.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23872:TCP"= 23872:TCP:Tornado-TCP-IN-23872
"23872:UDP"= 23872:UDP:Tornado-UDP-IN-23872
"23875:TCP"= 23875:TCP:Tornado-TCP-IN-23875
"23875:UDP"= 23875:UDP:Tornado-UDP-IN-23875
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [20/2/2015 07:26 46392]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [19/1/2013 18:28 37896]
R2 AntiVirSchedulerService;Avira Agendamento;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [19/1/2013 18:29 450808]
R2 Avira.ServiceHost;Avira Service Host;c:\arquivos de programas\Avira\Launcher\Avira.ServiceHost.exe [2/7/2015 13:13 218816]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [20/2/2015 07:26 546104]
R2 Warsaw Technology;Warsaw Technology;c:\arquivos de programas\Diebold\Warsaw\core.exe [20/2/2015 07:23 509752]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\gbpndisrdn.sys [20/2/2015 07:28 31448]
S2 AntiVirMailService;Avira Mail Protection;c:\arquivos de programas\Avira\AntiVir Desktop\avmailc.exe [8/4/2015 12:50 825136]
S2 AntiVirWebService;Avira Web Protection;c:\arquivos de programas\Avira\AntiVir Desktop\avwebgrd.exe [19/1/2013 18:28 1187336]
S2 ckptib4;ckptib4;\??\c:\windows\SYSTEM32\DRIVERS\ckptib4.sys --> c:\windows\SYSTEM32\DRIVERS\ckptib4.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/5/2011 08:17 1691480]
S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\gbpndisrdn.sys [20/2/2015 07:28 31448]
S4 tor;Tor Win32 Service;c:\arquivos de programas\Tor\tor.exe [30/8/2013 08:14 3233806]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-08-22 17:19 993608 ----a-w- c:\arquivos de programas\Google\Chrome\Application\44.0.2403.157\Installer\chrmstp.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2015-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-11-16 22:56]
.
.
------- Scan Suplementar -------
.
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: itau.com.br
Trusted Zone: itau.com.br\bankline
Trusted Zone: itau.com.br\clickbanking
Trusted Zone: itau.com.br\guardiao
Trusted Zone: itau.com.br\www
Trusted Zone: itaupersonnalite.com.br\www
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924}: NameServer = 201.77.112.3,201.77.112.9
FF - ProfilePath - c:\documents and settings\1\Dados de aplicativos\Mozilla\Firefox\Profiles\x22e9100.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-08-24 21:58
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ... 
.
Procurando entradas auto inicializáveis ocultas ... 
.
Procurando ficheiros/arquivos ocultos ... 
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,cb,4a,ef,bc,31,03,43,86,9c,0d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,c9,62,8e,37,47,9e,48,9c,bf,1d,\
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\arquivos de programas\GBPLUGIN\gbiehuni.dll
.
- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WININET.dll
c:\arquivos de programas\GBPLUGIN\gbiehuni.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\MPR.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
c:\arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
c:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2015-08-24  22:04:32 - Máquina reiniciou
ComboFix-quarantined-files.txt  2015-08-25 01:04
.
Pré-execução: 14 pasta(s) 131.176.374.272 bytes disponíveis
Pós execução: 15 pasta(s) 131.884.146.688 bytes disponíveis
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
.
- - End Of File - - 0639B0227209A959D50FDD4C755F1125
239FC8B1C26D5286165A956F5A98D8D7
 
:::Qoobox Attach
 

Qoobox.zip

Link to post
Share on other sites

Continue as follows:

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

ESETOnline.png Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is Checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology select “Change” select any extra drives in that window.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfiles in your next reply. Don't forget to re-enable protection software!

 

Let me know if there are any remaining issues or concerns..

 

Thank you,

 

Kevin


 

Link to post
Share on other sites

:)

 

:::ComboFix

 

ComboFix 15-08-27.01 - 1 29/08/2015  17:57:03.4.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.1015.682 [GMT -3:00]
Executando de: c:\documents and settings\1\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\1\Desktop\CFScript.txt
.
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADO !!
.
ADS - system32: deleted 2 bytes in 1 streams.
ADS - drivers: deleted 310 bytes in 1 streams.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2015-07-28 to 2015-08-29  ))))))))))))))))))))))))))))
.
.
2015-08-25 23:04 . 2015-08-25 23:04 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-08-25 23:04 . 2015-08-25 23:15 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\RogueKiller
2015-08-25 23:01 . 2015-08-25 23:03 -------- d-----w- C:\FRST
2015-08-25 01:26 . 2015-08-29 19:26 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-08-25 01:25 . 2015-06-18 11:41 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-08-25 01:25 . 2015-08-25 01:26 -------- d-----w- c:\arquivos de programas\Malwarebytes Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-08-26 17:35 . 2015-02-20 10:26 49496 ----a-w- c:\windows\system32\drivers\gbpkm.sys
2015-06-18 11:41 . 2012-10-27 12:26 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-03-28 . 4F907A212112BB564EC491ED0E6CE6AC . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diebold - Warsaw"="c:\arquivos de programas\Diebold\Warsaw\core.exe" [2015-06-25 509752]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\arquivos de programas\GBPLUGIN\gbiehuni.dll" [2015-07-06 1759992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2015-08-19 17:36 1896320 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]
2015-07-06 18:20 1759992 ----a-w- c:\arquivos de programas\GbPlugin\gbiehuni.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, AngoqpurRuqs.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"tor"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [20/2/2015 07:26 49496]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [20/2/2015 07:26 587576]
R2 Warsaw Technology;Warsaw Technology;c:\arquivos de programas\Diebold\Warsaw\core.exe [20/2/2015 07:23 509752]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [24/8/2015 22:26 98520]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\gbpndisrdn.sys [20/2/2015 07:28 31448]
S2 ckptib4;ckptib4;\??\c:\windows\SYSTEM32\DRIVERS\ckptib4.sys --> c:\windows\SYSTEM32\DRIVERS\ckptib4.sys [?]
S2 MBAMScheduler;MBAMScheduler;c:\arquivos de programas\Malwarebytes Anti-Malware\mbamscheduler.exe [24/8/2015 22:25 1871160]
S2 MBAMService;MBAMService;c:\arquivos de programas\Malwarebytes Anti-Malware\mbamservice.exe [24/8/2015 22:25 1133880]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/5/2011 08:17 1691480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/10/2012 09:26 23256]
S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\gbpndisrdn.sys [20/2/2015 07:28 31448]
S4 tor;Tor Win32 Service;c:\arquivos de programas\Tor\tor.exe [30/8/2013 08:14 3233806]
.
--- =Outros Serviços/Drivers Na Memória ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - GbFtIn
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-08-22 17:19 993608 ----a-w- c:\arquivos de programas\Google\Chrome\Application\44.0.2403.157\Installer\chrmstp.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2015-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cef46c12b9a648.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-11-16 20:20]
.
2015-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-11-16 20:20]
.
.
------- Scan Suplementar -------
.
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bb.com.br\seg
Trusted Zone: bb.com.br\www
Trusted Zone: itau.com.br
Trusted Zone: itau.com.br\bankline
Trusted Zone: itau.com.br\clickbanking
Trusted Zone: itau.com.br\guardiao
Trusted Zone: itau.com.br\www
Trusted Zone: itaupersonnalite.com.br\www
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{44A76D6D-45A2-41C9-9F2C-493B7FFBA924}: NameServer = 201.77.112.3,201.77.112.9
FF - ProfilePath - c:\documents and settings\1\Dados de aplicativos\Mozilla\Firefox\Profiles\x22e9100.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORFÃOS REMOVIDOS - - - -
.
AddRemove-MegaJogos - c:\arquivos de programas\MegaJogos\starter.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-08-29 18:16
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ... 
.
Procurando entradas auto inicializáveis ocultas ... 
.
Procurando ficheiros/arquivos ocultos ... 
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ea,cb,4a,ef,bc,31,03,43,86,9c,0d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,c9,62,8e,37,47,9e,48,9c,bf,1d,\
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\arquivos de programas\GbPlugin\gbieh.dll
c:\arquivos de programas\GBPLUGIN\gbiehuni.dll
.
- - - - - - - > 'explorer.exe'(4048)
c:\windows\system32\WININET.dll
c:\arquivos de programas\GBPLUGIN\gbiehuni.dll
c:\arquivos de programas\GbPlugin\gbieh.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\MPR.dll
.
Tempo para conclusão: 2015-08-29  18:24:48
ComboFix-quarantined-files.txt  2015-08-29 21:24
ComboFix2.txt  2015-08-25 01:04
.
Pré-execução: 14 pasta(s) 132.338.536.448 bytes disponíveis
Pós execução: 15 pasta(s) 132.325.302.272 bytes disponíveis
.
- - End Of File - - CB4C61183739F1B1614B8E9CA4222DCE
239FC8B1C26D5286165A956F5A98D8D7
 
 
::::Eset Online Scanner
 
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=007368402f5e0545bb989fa39e039429
# end=init
# utc_time=2015-08-29 09:29:19
# local_time=2015-08-29 06:29:19 (-0300, Hora oficial do Brasil)
# country="Brazil"
# osver=5.1.2600 NT Service Pack 3
Update Init
Update Download
Update Finalize
Updated modules version: 25511
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=007368402f5e0545bb989fa39e039429
# end=updated
# utc_time=2015-08-29 09:33:37
# local_time=2015-08-29 06:33:37 (-0300, Hora oficial do Brasil)
# country="Brazil"
# osver=5.1.2600 NT Service Pack 3
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=007368402f5e0545bb989fa39e039429
# engine=25511
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-08-29 10:14:44
# local_time=2015-08-29 07:14:44 (-0300, Hora oficial do Brasil)
# country="Brazil"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=37915
# found=3
# cleaned=3
# scan_time=2466
sh=969E17C4265BC47F864359F5145B49F0BE9788CE ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\AskToolbar\avr-4.cab"
sh=26A805726393E1B2D98DE963CB049C8819743275 ft=1 fh=163693b253a2e06d vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\AskToolbar\Downloaded Program Files\AviraBrowserSecurity.dll"
sh=A35031C560B581B66EBC1AE996AB55AEA289C823 ft=0 fh=0000000000000000 vn="Win32/Tifaut.C worm (cleaned by deleting - quarantined)" ac=C fn="C:\WINDOWS\system32\autorun.i"
Link to post
Share on other sites

What is the current status of your system, are there any remaining issues or concerns?

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...
 

Thanks,

 

Kevin

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.