Topic: Recurring infection message (Read 12959 times)

REDACTED (Guest)
Recurring infection message
« on: August 27, 2015, 01:42:22 PM »
Good morning. My Avast keeps sending the following messages non-stop:
1) Avast Web Shield blocked a harmful web page or file.
Object: http://disorderstatus.ru/order.php
Infection details:
URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

2) Avast Web Shield blocked a harmful web page or file.
Object: http://differentia.ru/diff.php
Infection details:
URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

I can't fix this and the message keeps popping up non-stop! I have already scanned with the antivirus in quick, full and boot-time modes. The result says there are no viruses, and that some files were not scanned because they are protected. I don't know whether that is related to the infection or not. Thanks. George
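
The detail that matters most in alerts like these is the Process line, not the URL. As an added example that is not part of the original post and not Avast's code, the Python below groups such alerts by the requesting process and flags the pattern reported here: a Windows system binary (msiexec.exe, the 32-bit copy in SysWOW64) repeatedly requesting unknown hosts, which a removal helper reads as code running inside a legitimate process rather than as a browser problem. The labels are accepted in both the Portuguese form the poster saw and the English form; the third, chrome.exe alert is constructed for contrast and does not appear in the thread.

```python
"""Group Avast "URL:Mal" web-shield alerts by the process that made the request.

Added example, not part of the original post and not Avast's code. The
alert labels are accepted in both the Portuguese form the poster saw and
the English form. The chrome.exe alert in ALERTS is constructed for
contrast; the two msiexec.exe alerts are the ones quoted in the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

ALERTS = r"""
Avast Web Shield blocked a harmful web page or file.
Object: http://disorderstatus.ru/order.php
Infection details:
URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

O Módulo Internet do Avast bloqueou uma página web ou um arquivo nocivo.
Objeto: http://differentia.ru/diff.php
Detalhes da infecção:
URL: http://differentia.ru/diff.php
Infecção: URL:Mal
Processo: C:\Windows\SysWOW64\msiexec.exe

Avast Web Shield blocked a harmful web page or file.
Object: http://ads.example.invalid/banner.js
URL: http://ads.example.invalid/banner.js
Infection: URL:Mal
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
"""

URL_RE = re.compile(r"^URL:\s*(\S+)", re.MULTILINE)
PROC_RE = re.compile(r"^(?:Process|Processo):\s*(.+?)\s*$", re.MULTILINE)
# Folders whose binaries are Windows components; none of them should browse.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_alerts(text):
    """Return (process_path, url) for every alert block that carries both fields."""
    pairs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        url, proc = URL_RE.search(block), PROC_RE.search(block)
        if url and proc:
            pairs.append((proc.group(1), url.group(1)))
    return pairs


def group_by_process(pairs):
    """Map each requesting process (lower-cased path) to the hosts it asked for."""
    hosts = defaultdict(set)
    for proc, url in pairs:
        hosts[proc.lower()].add(urlsplit(url).hostname)
    return hosts


def verdict(proc):
    """A system binary asking for blocked URLs is the injected-process pattern."""
    if proc.startswith(SYSTEM_DIRS):
        note = "injected system process suspect"
        if "\\syswow64\\" in proc:
            note += " (SysWOW64: 32-bit copy on 64-bit Windows, a common injection host)"
        return note
    return "user process, check the page or extension that loaded the URL"


def triage(text):
    """One row per process, with the distinct hosts it requested and a verdict."""
    return [{"process": proc, "hosts": sorted(h), "verdict": verdict(proc)}
            for proc, h in sorted(group_by_process(parse_alerts(text)).items())]


if __name__ == "__main__":
    for row in triage(ALERTS):
        print(row)
```

Run on the alerts above it yields two rows: chrome.exe with one host and the ordinary "user process" verdict, and msiexec.exe with both .ru hosts and the injected-process verdict, which is the same conclusion the helper reaches later in the thread when the fix targets an autorun and a hidden executable rather than the browser.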

jefferson sant (volunteer)
Re: Recurring infection message
« Reply #1 on: August 27, 2015, 10:51:44 PM »
Good evening.

The malware-removal specialist has been notified; to speed things up, please do the following.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both and try to run them. Only one of them will run on your system, and that will be the correct version.
 
  • Right-click it and run as administrator (Windows XP users: click Run after the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Select Addition at the bottom
  • Press the Scan button.


  • It will produce a log called FRST.txt in the same directory the tool is run from.

    • The first time the tool is run, it also makes another log (Addition.txt).

  • Please attach both logs generated.

REDACTED (Guest)
Re: Recurring infection message
« Reply #2 on: September 01, 2015, 10:22:31 PM »
I have the same problem... here is the log.

Additional scan result of Farbar Recovery Scan Tool (x86) Version:31-08-2015
Ran by paula (2015-09-01 17:10:26)
Running from C:\Users\paula\Downloads
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrador (S-1-5-21-1570636431-2002634432-3308993495-500 - Administrator - Disabled)
Convidado (S-1-5-21-1570636431-2002634432-3308993495-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1570636431-2002634432-3308993495-1002 - Limited - Enabled)
paula (S-1-5-21-1570636431-2002634432-3308993495-1000 - Administrator - Enabled) => C:\Users\paula

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Reader XI (11.0.12) - Português (HKLM\...\{AC76BA86-7AD7-1046-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM\...\avast) (Version: 10.3.2225 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.4.0.2905 - CDBurnerXP)
Google Chrome (HKLM\...\Google Chrome) (Version: 44.0.2403.157 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.13 - Google Inc.) Hidden
HP Deskjet 2050 J510 series Ajuda (HKLM\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.61.61 - Hewlett Packard)
HP Deskjet 2050 J510 series Estudo de aprimoramento de produtos (HKLM\...\{D63C6E54-882C-478B-91AB-53D1E89C80BA}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Software básico do dispositivo (HKLM\...\{6A653EE1-F8B9-4885-BB4A-E9D9481F626C}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Support Solutions Framework (HKLM\...\{CAF5FFBA-8F3B-409C-9126-74DF66A036DF}) (Version: 12.0.30.81 - Hewlett-Packard Company)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
K-Lite Mega Codec Pack 8.0.0 (HKLM\...\KLiteCodecPack_is1) (Version: 8.0.0 - )
ManyCam 4.0.109 (HKLM\...\ManyCam) (Version: 4.0.109 - Visicom Media Inc.)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.5 - NVIDIA Corporation)
NVIDIA ForceWare Network Access Manager (HKLM\...\InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}) (Version: 1.00.7313 - NVIDIA Corporation)
Realtek USB 2.0 Card Reader (HKLM\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7100.30098 - Realtek Semiconductor Corp.)
TeamViewer 10 (HKLM\...\TeamViewer) (Version: 10.0.45862 - TeamViewer)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

11-05-2015 16:25:46 Scheduled Checkpoint
03-06-2015 14:04:04 avast! antivirus system restore point
31-08-2015 21:04:20 Installed HP Support Solutions Framework
01-09-2015 09:16:02 avast! antivirus system restore point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 23:04 - 2014-09-15 11:04 - 00000864 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 validation.sls.microsoft.com

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {338D1438-38B4-4D61-AE40-CE3E81FE1F7F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {41E7C652-C760-4851-84F0-B22B79EBDEE9} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {4AF7F961-CD05-419F-9246-421EAB35B8D3} - System32\Tasks\HPCustParticipation HP Deskjet 2050 J510 series => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2012-10-02] (Hewlett-Packard Co.)
Task: {607F1040-6EF2-40D4-B0BF-59E188E64F98} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-09-01] (AVAST Software)
Task: {A560C85B-05A1-4C7E-9D54-AE7155407D5B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2015-06-24] (Hewlett-Packard)
Task: {C581E38C-F5BD-43C5-A9FC-C9142104A710} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {DCA3432A-17D1-4564-BAC6-C4361ED2C5D1} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-07-23] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-09-01 09:18 - 2015-09-01 09:18 - 00102864 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2015-09-01 09:18 - 2015-09-01 09:18 - 00123976 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2015-09-01 13:30 - 2015-09-01 13:30 - 02961408 _____ () C:\Program Files\AVAST Software\Avast\defs\15090100\algo.dll
2014-09-15 19:47 - 2010-03-15 11:28 - 00141824 _____ () C:\Program Files\WinRAR\rarext.dll
2009-07-23 17:23 - 2009-07-23 17:23 - 00387616 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
2009-07-23 17:23 - 2009-07-23 17:23 - 00068128 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nv_common.dll
2009-07-23 17:23 - 2009-07-23 17:23 - 00436768 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\SpecialCase.dll
2009-07-23 17:23 - 2009-07-23 17:23 - 00178720 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
2015-06-03 14:21 - 2015-06-03 14:21 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-08-21 19:07 - 2015-08-18 02:23 - 01405768 _____ () C:\Program Files\Google\Chrome\Application\44.0.2403.157\libglesv2.dll
2015-08-21 19:07 - 2015-08-18 02:23 - 00081224 _____ () C:\Program Files\Google\Chrome\Application\44.0.2403.157\libegl.dll
2015-06-03 14:21 - 2015-06-03 14:21 - 00985600 _____ () C:\Program Files\AVAST Software\Avast\ffmpegsumo.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1570636431-2002634432-3308993495-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\paula\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{F6D89241-A150-4818-A057-8A009E4B92E3}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{BD63275B-5808-478B-B467-9E95951D1D38}] => (Allow) C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\USBSetup.exe
FirewallRules: [{92B9FB9E-845C-4624-94AB-D8F436306FBD}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{25FAB2A3-7634-4037-A4AC-F0ED999D27DA}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{2C84E14D-62F3-4F25-82B5-8BC8ABFE6636}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{4C8391D1-E8CA-4D86-BAEF-17A742F643A0}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe

==================== Faulty Device Manager Devices =============

Name: Unknown Device
Description: Unknown Device
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service:
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/01/2015 05:06:37 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST.exe version 31.8.2015.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 9ec

Start Time: 01d0e4f186ecb358

Termination Time: 55

Application Path: C:\Users\paula\Downloads\FRST.exe

Report Id:

Error: (09/01/2015 09:16:01 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {ee4a65ce-eec0-42d2-ad3e-eef363328692}

Error: (07/16/2015 09:50:58 AM) (Source: MsiInstaller) (EventID: 1024) (User: paula-PC)
Description: Product: Adobe Reader XI (11.0.11) - Português - Update '{AC76BA86-7AD7-0000-2550-7A8C40011012}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (06/03/2015 02:04:03 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {731a6413-7663-4077-8e15-56bc88a803f0}

Error: (05/18/2015 08:53:42 AM) (Source: MsiInstaller) (EventID: 1024) (User: paula-PC)
Description: Product: Adobe Reader XI (11.0.10) - Português - Update '{AC76BA86-7AD7-0000-2550-7A8C40011011}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (04/17/2015 06:39:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 41.0.2272.76, time stamp: 0x54f10bed
Faulting module name: chrome.dll, version: 41.0.2272.76, time stamp: 0x54f107cb
Exception code: 0x80000003
Fault offset: 0x00502d28
Faulting process id: 0xe88
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (04/17/2015 06:37:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 41.0.2272.76, time stamp: 0x54f10bed
Faulting module name: chrome.dll, version: 41.0.2272.76, time stamp: 0x54f107cb
Exception code: 0x80000003
Fault offset: 0x00502d28
Faulting process id: 0x984
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (04/17/2015 06:35:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 41.0.2272.76, time stamp: 0x54f10bed
Faulting module name: chrome.dll, version: 41.0.2272.76, time stamp: 0x54f107cb
Exception code: 0x80000003
Fault offset: 0x00502d28
Faulting process id: 0x964
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (04/17/2015 06:35:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 41.0.2272.76, time stamp: 0x54f10bed
Faulting module name: chrome.dll, version: 41.0.2272.76, time stamp: 0x54f107cb
Exception code: 0x80000003
Fault offset: 0x00502d28
Faulting process id: 0x4ac
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3

Error: (04/17/2015 06:32:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 41.0.2272.76, time stamp: 0x54f10bed
Faulting module name: chrome.dll, version: 41.0.2272.76, time stamp: 0x54f107cb
Exception code: 0x80000003
Fault offset: 0x00502d28
Faulting process id: 0xf2c
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3


System errors:
=============
Error: (09/01/2015 04:27:35 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80004005

Error: (09/01/2015 04:27:04 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (09/01/2015 11:47:33 AM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.

Error: (09/01/2015 09:23:24 AM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80004005

Error: (09/01/2015 09:22:49 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (09/01/2015 08:51:45 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (08/31/2015 11:11:06 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (08/31/2015 07:55:05 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80004005

Error: (08/31/2015 07:54:19 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (08/31/2015 07:08:57 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.0.100 with the system having network hardware address AC-36-13-41-64-28. Network operations on this system may be disrupted as a result.


Microsoft Office:
=========================

==================== Memory info ===========================

Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
Percentage of memory in use: 56%
Total physical RAM: 1789.97 MB
Available physical RAM: 776.81 MB
Total Virtual: 3579.95 MB
Available Virtual: 2316.17 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:57.99 GB) NTFS
Drive d: () (Fixed) (Total:135.23 GB) (Free:104.25 GB) NTFS
Drive e: (Reservado pelo Sistema) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: DA1DCD93)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=135.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

jefferson sant (volunteer)
Re: Recurring infection message
« Reply #3 on: September 01, 2015, 10:41:38 PM »
I have notified the malware-removal specialist.

So as not to take up whole pages of the topic,

use the "Attachments and other options" link in your next reply.

See the attached image.
« Last Edit: September 01, 2015, 11:18:55 PM by jefferson sant »

essexboy (Malware removal instructor)
Re: Recurring infection message
« Reply #4 on: September 02, 2015, 03:25:24 PM »
Please attach both FRST logs :)

REDACTED (Guest)
Re: Recurring infection message
« Reply #5 on: September 15, 2015, 05:09:00 PM »
Hello,

here are the files generated on this computer.

I'd appreciate any help.

jefferson sant (volunteer)
Re: Recurring infection message
« Reply #6 on: September 15, 2015, 09:38:37 PM »
Quote from: REDACTED
Hello,

here are the files generated on this computer.

I'd appreciate any help.

Good afternoon.

Please wait a moment while the removal specialist is notified to help you.

essexboy (Malware removal instructor)
Re: Recurring infection message
« Reply #7 on: September 15, 2015, 09:50:51 PM »
This should stop the alerts

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM\...\Policies\Explorer\Run: [1584721395] => C:\Documents and Settings\All Users\mshwvvsxd.exe [96423296 2008-05-19] ()
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
SearchScopes: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> {0D7562AE-8EF6-416d-A838-AB665251703A} URL = hxxp://start.facemoods.com/?a=pcmega&s={searchTerms}&f=4
SearchScopes: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18563
SearchScopes: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> {162EE9D0-F8E9-461F-B9DF-E1745CF0025B} URL = hxxp://rts.dsrlte.com/?affID=&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={7FCFA135-D49B-43B1-824B-632725537F67}&mid=0ca7b576117d30eded41390a3187754e-99758be5667f6f1cad8119f06fd9df8c41c335ad&lang=pt-br&ds=AVG&pr=fr&d=2011-12-10 09:40:17&v=9.0.0.18&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1060284298-1957994488-1606980848-1003 -> {978F0B8D-BE92-4C0E-9898-B4235DF9A085} URL = hxxp://rts.dsrlte.com/?affID=na&q={searchTerms}
FF Extension: Speed Analysis 2 - C:\Documents and Settings\cliente\Dados de aplicativos\Mozilla\Extensions\speedanalysis02@SpeedAnalysis.com [2013-04-18]
FF HKU\S-1-5-21-1060284298-1957994488-1606980848-1003\...\Firefox\Extensions: [findlyrics@findlyrics.co] - C:\Arquivos de programas\FindLyrics\FF
FF HKU\S-1-5-21-1060284298-1957994488-1606980848-1003\...\Firefox\Extensions: [speedanalysis02@SpeedAnalysis.com] - C:\Documents and Settings\cliente\Dados de aplicativos\Mozilla\Extensions\speedanalysis02@SpeedAnalysis.com
CHR HKLM\...\Chrome\Extension: [dgjkhjdcljddbedokogakmmdjgnbeanf] - C:\Documents and Settings\cliente\Dados de aplicativos\SpeedAnalysis2\speedanalysis.crx [2013-04-17]
CHR HKLM\...\Chrome\Extension: [dhkplhfnhceodhffomolpfigojocbpcb] - C:\Arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonChrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [jmhhdaimhfblnamlcdijbaakkifakade] - C:\Arquivos de programas\FindLyrics\Chrome.crx <not found>
2015-08-25 13:09 - 2015-08-25 13:09 - 00000000 ____D C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240EC.TMP
2008-04-14 09:00 - 2008-05-19 00:57 - 96423296 ___SH () C:\Documents and Settings\All Users\mshwvvsxd.exe
C:\Documents and Settings\cliente\Dados de aplicativos\SpeedAnalysis2
C:\Arquivos de programas\Babylon
C:\Arquivos de programas\FindLyrics
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[CX].txt as well.

REDACTED (Guest)
Re: Recurring infection message
« Reply #8 on: September 16, 2015, 02:40:50 AM »
Hello,

I'm posting the logs.


essexboy (Malware removal instructor)
Re: Recurring infection message
« Reply #9 on: September 16, 2015, 11:49:19 AM »
Have the alerts ceased ?

REDACTED (Guest)
Re: Recurring infection message
« Reply #10 on: September 16, 2015, 02:30:31 PM »
Yes!

Thanks essexboy.

essexboy (Malware removal instructor)
Re: Recurring infection message
« Reply #11 on: September 16, 2015, 02:39:43 PM »
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:


Remove tools

Download and run Delfix
Select the options as shown



Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

  • Click on the link above to be taken to Unchecky.com
  • Click the very large Download button.
  • Click Save
  • Click Open folder
  • Right-click on Unchecky_setup and choose Run as Administrator
  • Once open, click the Install button.
  • Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme  ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave:

REDACTED (Guest)
Re: Recurring infection message
« Reply #12 on: September 17, 2015, 04:40:23 PM »
My Avast keeps repeating these messages
Good morning. My Avast keeps sending the following messages non-stop:
1) Avast Web Shield blocked a harmful web page or file.
Object: http://disorderstatus.ru/order.php
Infection details:
URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

2) Avast Web Shield blocked a harmful web page or file.
Object: http://differentia.ru/diff.php
Infection details:
URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

I ran the test with Farbar Recovery Scan Tool
and attached are the generated files:
...

jefferson sant (volunteer)
Re: Recurring infection message
« Reply #13 on: September 17, 2015, 09:36:20 PM »
Quote from: REDACTED
My Avast keeps repeating these messages
Good morning. My Avast keeps sending the following messages non-stop:
1) Avast Web Shield blocked a harmful web page or file.
Object: hxxp://disorderstatus.ru/order.php
Infection details:
URL: hxxp://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

2) Avast Web Shield blocked a harmful web page or file.
Object: hxxp://differentia.ru/diff.php
Infection details:
URL: hxxp://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

I ran the test with Farbar Recovery Scan Tool
and attached are the generated files:
...

Please wait a few moments while the malware-removal expert is notified to analyze the logs and give the necessary instructions.

essexboy (Malware removal instructor)
Re: Recurring infection message
« Reply #14 on: September 17, 2015, 10:10:56 PM »
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [{90120000-0030-0000-0000-0000000FF1CE}] => C:\Windows\system32\cmd.exe /C del "C:\ProgramData\Microsoft Help\Rgstrtn.lck" /Q /A:H
AppInit_DLLs-x32: c:\progra~3\winweb~1\winweb~1.dll => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-1980476737-2968053403-991394769-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO: No Name -> {08145CA7-E729-793B-1745-15F5870AB2A0} ->  No File
BHO: No Name -> {288226CE-5297-F70A-2910-C707A61A95FA} ->  No File
BHO-x32: No Name -> {08145CA7-E729-793B-1745-15F5870AB2A0} ->  No File
BHO-x32: No Name -> {288226CE-5297-F70A-2910-C707A61A95FA} ->  No File
BHO-x32: No Name -> {D704FFB2-98B6-A157-ED8D-D7FA9074BC30} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
S1 Bprotect; \??\C:\Windows\System32\drivers\Bprotect.sys [X]
2015-08-25 00:36 - 2015-08-25 00:36 - 00003406 _____ C:\Windows\System32\Tasks\{620FDB60-D7CA-4447-92FD-6DF079DD0193}
2015-09-17 09:42 - 2012-08-02 00:34 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-09-17 09:42 - 2012-08-02 00:34 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-09-15 16:50 - 2014-04-02 17:44 - 00000000 ____D C:\Users\Todos os Usuários\NewiSaaveor
2015-09-15 16:50 - 2014-04-02 17:44 - 00000000 ____D C:\ProgramData\NewiSaaveor
2015-09-15 16:50 - 2014-01-30 20:13 - 00000000 ____D C:\Users\Todos os Usuários\TubEITAdBlockFR
2015-09-15 16:50 - 2014-01-30 20:13 - 00000000 ____D C:\ProgramData\TubEITAdBlockFR
2015-09-15 16:50 - 2013-12-30 17:44 - 00000000 ____D C:\Users\Todos os Usuários\DDeaLExxpareSSs
2015-09-15 16:50 - 2013-12-30 17:44 - 00000000 ____D C:\ProgramData\DDeaLExxpareSSs
2015-07-14 19:58 - 2015-06-15 18:42 - 96654720 ___SH () C:\ProgramData\msfmz.exe
C:\ProgramData\msfmz.exe
C:\Users\Fernando\Clic02 Edit setup(v3.3.100303).exe
C:\Users\Todos os Usuários\msfmz.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
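
Both fixlists in this thread (the one in reply #7 and the one directly above) were assembled by reading the FRST logs and picking out the entries that stand out: a Run value pointing at an unsigned, hidden+system executable of over 90 MB in a folder any user can write to, an AppInit_DLLs value and a driver service whose files are already gone, and browser policy entries that FRST itself tags ATTENTION. As an added example, not part of the thread and not FRST's own code, the following Python applies those same checks mechanically to such lines. The weights, the 50 MB padding threshold and the user-writable folder list are assumptions of the example; the sample lines are quoted from the two fixlists.

```python
"""Scoring lines from a Farbar Recovery Scan Tool (FRST) log or fixlist.

Added example, not part of this thread and not FRST's own code. The weights,
the 50 MB "padded executable" threshold and the user-writable folder list
are assumptions made for this example.
"""
import re

# FRST file entry: "created - modified - size attrs (signer) path";
# the "(signer)" part is absent on directory entries.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<signer>[^)]*)\) )?(?P<path>.+)$"
)
AUTORUN = re.compile(r"^(?P<key>\S+\\(?:Run|RunOnce)): \[[^\]]*\] => (?P<target>.*)$")
APPINIT = re.compile(r"^AppInit_DLLs(?:-x32)?: (?P<target>.*)$")
DRIVER = re.compile(r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<path>.*)$")
ORPHAN = ("No File", "<not found>", "[X]")   # FRST's markers for an entry whose file is gone
USER_WRITABLE = ("\\programdata\\", "\\all users\\", "\\todos os usuários\\",
                 "\\appdata\\", "\\users\\", "\\documents and settings\\")
PADDED_BYTES = 50 * 1024 * 1024   # assumption: an autorun binary this big is padding
BINARY = (".exe", ".dll", ".sys")


def in_user_writable(text):
    return any(tok in text.lower() for tok in USER_WRITABLE)


def orphaned(text):
    return any(marker in text for marker in ORPHAN)


def triage_line(line):
    """Score one line; None for blanks and FRST directives (EmptyTemp:, CMD: ...)."""
    line = line.strip()
    if not line or re.fullmatch(r"[A-Za-z]+:", line) or line.startswith("CMD:"):
        return None
    cat, hits = "other", []                      # hits: (points, reason)
    if m := FILE_LINE.match(line):
        path, attrs, size = m["path"], m["attrs"], int(m["size"])
        binary = path.lower().endswith(BINARY)
        if "D" in attrs:
            cat, hits = "directory", [(1, "directory listed for removal")]
        else:
            cat = "file"
            if "S" in attrs and "H" in attrs:
                hits.append((3, "hidden+system attributes, invisible in Explorer by default"))
            if binary and m["signer"] == "":
                hits.append((1, "no digital signature"))
            if binary and size >= PADDED_BYTES:
                hits.append((2, f"padded to {size // (1024 * 1024)} MB"))
        if in_user_writable(path):
            hits.append((1, "lives in a user-writable location"))
    elif m := AUTORUN.match(line):
        cat = "autorun"
        if orphaned(m["target"]):
            hits.append((1, "orphaned autorun value, target already gone"))
        else:
            hits.append((3, f"autorun via {m['key']}"))
            if in_user_writable(m["target"]):
                hits.append((2, "command line touches a user-writable location"))
    elif m := APPINIT.match(line):
        cat = "autorun"
        hits.append((3, "AppInit_DLLs is loaded into every process that uses user32.dll"))
        if orphaned(m["target"]):
            hits.append((-2, "DLL is gone, only the registry value remains"))
    elif m := DRIVER.match(line):
        cat = "driver"
        if orphaned(m["path"]):
            hits.append((1, "driver service without its .sys file"))
        else:
            hits.append((3, f"kernel driver {m['name']} with start type {m['start']}"))
    elif "<======= ATTENTION" in line:
        cat, hits = "policy", [(2, "FRST itself marks this entry ATTENTION")]
    elif orphaned(line):
        cat, hits = "orphan", [(1, "leftover registry entry, file already gone")]
    elif re.match(r"^[A-Za-z]:\\", line):
        cat, hits = "path", [(1, "bare path scheduled for deletion")]
    return {"line": line, "category": cat,
            "severity": sum(p for p, _ in hits), "reasons": [r for _, r in hits]}


def triage(text):
    """Score every line of a log or fixlist excerpt, worst first (stable sort)."""
    rows = [r for r in map(triage_line, text.splitlines()) if r]
    return sorted(rows, key=lambda r: r["severity"], reverse=True)


# Lines quoted from the two fixlists in this thread (replies #7 and #14).
SAMPLE = r"""
CreateRestorePoint:
HKLM\...\Policies\Explorer\Run: [1584721395] => C:\Documents and Settings\All Users\mshwvvsxd.exe [96423296 2008-05-19] ()
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
2008-04-14 09:00 - 2008-05-19 00:57 - 96423296 ___SH () C:\Documents and Settings\All Users\mshwvvsxd.exe
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs-x32: c:\progra~3\winweb~1\winweb~1.dll => No File
S1 Bprotect; \??\C:\Windows\System32\drivers\Bprotect.sys [X]
2015-09-15 16:50 - 2014-04-02 17:44 - 00000000 ____D C:\ProgramData\NewiSaaveor
2015-07-14 19:58 - 2015-06-15 18:42 - 96654720 ___SH () C:\ProgramData\msfmz.exe
C:\ProgramData\msfmz.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""
```

The score is only a sort order for a human reviewer. FRST's own `[X]`, `No File` and `<not found>` markers identify the harmless leftovers, and the two padded, hidden, unsigned executables that the Run value and the bare paths in both fixlists point at come out on top, which matches what the helper chose to remove first.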