darkzeden

Infected machine.

Dear colleagues,

I am writing to ask for help removing the intrusive programs that have infested my notebook over the last 24 hours. Some family members use it regularly; yesterday, on booting, I noticed many ads on the desktop, user account control disabled, and programs being installed automatically. Thank you in advance for your support.

ZAScan.log


@darkzeden

Please note the following:

  • About the forum: This is a private space, not a public one. Using it is a privilege, not a right.
  • If you get no reply for 3 days, send me a Private Message (PM);
  • What is given here relates only to the problem on your computer, so do not apply it to any other;
  • Please follow the instructions given carefully and, if in doubt, do not hesitate to ask;
  • Follow the order of the instructions given.
  • Note: Take no action other than those given here; if you ask for help on another forum, be sure to let us know, or you risk leaving your computer misconfigured!

Download Malwarebytes Anti-Malware (MBAM).

Double-click mbam-setup.exe to install the program.

  • Uncheck the box Enable free trial of Malwarebytes Anti-Malware PRO.
  • If there are updates to apply, they will be downloaded and installed.
  • Click Settings, click Detection and Protection, and check Scan for Rootkits.
  • Go back to the Dashboard and finally click Scan Now.
  • The scan will then begin. Wait, as it can take a while.
  • When the scan finishes, if items were found, make sure they are all checked and click the Remove Selected button.
  • At the end of the disinfection, a prompt may appear asking whether to restart the PC. (See Note below)
  • The log is saved automatically by MBAM; to view it, click the History tab -> Application Logs in the program's main window.
  • Double-click the log (Scan Log). Use the .txt format to export the log.
  • The Protection log is not needed for the analysis; always export the correct log.
  • Select, copy and paste the contents of this log in your next reply.

NOTE: If MBAM finds files it cannot remove, it may need to restart the PC (possibly more than once). Do so immediately when asked whether you want to restart the PC.


Dear Sir,

As instructed, I carried out the procedure. It found approximately 1000 items, but before it finished the machine shut down; when I turned it back on and resumed the process, only 45 were identified. I apologise for the inconvenience; the log is below and I await further instructions.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 25/08/2016
Scan Time: 23:10
Logfile: logcerto.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.25.09
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Fernando

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 394369
Time Elapsed: 58 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 4
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoSoEasy\SoSoEasySvc.exe, 2892, Delete on reboot, [94b9311ed9c106306eac10ca8e76926e]
PUP.Optional.NetworkProtector, C:\Program Files (x86)\WebShield\WebShield.exe, 7944, Delete on reboot, [400d9cb31d7d95a16c8f5a7926de7f81]
PUP.Optional.ConvertAd, C:\Users\Fernando\AppData\Local\4C4C4544-1472164838-2010-8020-A0C04F202020\qnsqFEDE.tmp, 2532, Delete on reboot, [242961eec8d263d32533d8b0867b6799]
PUP.Optional.ConvertAd.Gen, C:\Program Files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\kns64A0.tmp, 8520, Delete on reboot, [9bb2252a41598aacca11ac41729110f0]

Modules: 0
(No malicious items detected)

Registry Keys: 7
PUP.Optional.SoEasySvc, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SoEasySvc, Quarantined, [94b9311ed9c106306eac10ca8e76926e], 
PUP.Optional.NetworkProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\hfZNXRrj, Quarantined, [400d9cb31d7d95a16c8f5a7926de7f81], 
PUP.Optional.ConvertAd, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\zigipyro, Quarantined, [242961eec8d263d32533d8b0867b6799], 
PUP.Optional.HohoSearch, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Prpcollectorclunether.exe, Quarantined, [0e3f0649891165d1b0fce00c669b5fa1], 
PUP.Optional.Elex.SHHKRST, HKLM\SOFTWARE\CLASSES\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [aca17bd4b0ea280e39b9686800048f71], 
PUP.Optional.Elex.SHHKRST, HKLM\SOFTWARE\CLASSES\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\INPROCSERVER32, Quarantined, [aca17bd4b0ea280e39b9686800048f71], 
PUP.Optional.ConvertAd.Gen, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\fyvotynizbt, Quarantined, [9bb2252a41598aacca11ac41729110f0], 

Registry Values: 2
PUP.Optional.Elex.SHHKRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS|{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [aca17bd4b0ea280e39b9686800048f71], 
PUP.Optional.Elex.SHHKRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [60ed74db0298f73ffff32ca4a55f22de], 

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.ConvertAd.Gen, C:\Program Files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020, Delete on reboot, [9bb2252a41598aacca11ac41729110f0], 

Files: 29
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\qoiynq.sys, Replace on reboot, [d4cbb6b5aa0b087b1e2fc0bdfda867f0], 
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\rnhnnr.sys, Replace on reboot, [d4cbb6b5aa0b087b1e2fc0bdfda867f0], 
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoSoEasy\SoSoEasySvc.exe, Delete on reboot, [94b9311ed9c106306eac10ca8e76926e], 
PUP.Optional.NetworkProtector, C:\Program Files (x86)\WebShield\WebShield.exe, Delete on reboot, [400d9cb31d7d95a16c8f5a7926de7f81], 
PUP.Optional.ConvertAd, C:\Users\Fernando\AppData\Local\4C4C4544-1472164838-2010-8020-A0C04F202020\qnsqFEDE.tmp, Delete on reboot, [242961eec8d263d32533d8b0867b6799], 
PUP.Optional.HohoSearch, C:\Program Files (x86)\Thergasetergecult\Prpcollectorclunether.exe, Quarantined, [0e3f0649891165d1b0fce00c669b5fa1], 
PUP.Optional.Elex.SHHKRST, C:\Users\Fernando\AppData\Roaming\Microsoft\Windows\Cookies\jihipy.dll, Quarantined, [aca17bd4b0ea280e39b9686800048f71], 
PUP.Optional.MultiPlug.UNS, C:\ProgramData\Mini - Adblocker\Mini - Adblocker.exe, Quarantined, [2825212eb6e424127c7d0154b151b44c], 
PUP.Optional.Elex, C:\Users\Fernando\AppData\Roaming\THREADAPP.exe, Quarantined, [97b6c58a7129cb6b5accf0cad52ff907], 
PUP.Optional.Elex, C:\Users\Fernando\AppData\Roaming\ucdlr.exe, Quarantined, [ef5ed17e19818bab7f5cece248bc4cb4], 
PUP.Optional.Elex, C:\Users\Fernando\AppData\Roaming\kpzip.exe, Quarantined, [93ba8bc48416c373f5e6dfef63a13ec2], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\65A4.tmp.exe, Quarantined, [123b74db1585300627442c968f751ce4], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\CDBA.tmp.exe, Quarantined, [50fd0649dfbb0c2acba017abcf357c84], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\A588.tmp.exe, Quarantined, [a1ac7bd4a3f749eda6c5923080847e82], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\B1A4.tmp.exe, Quarantined, [d5781f30fb9f5fd75e0d5e644ababa46], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\7D32.tmp.exe, Quarantined, [d17ca3ac801aaa8c94d718aa838154ac], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\8B85.tmp.exe, Quarantined, [58f553fc108afe384f1c16acfe069b65], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\91D6.tmp.exe, Quarantined, [1637d37c9dfdee4870fbc2000cf87090], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\7487.tmp.exe, Quarantined, [1e2f77d89604191dc8a3358d8d77d62a], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\7BD8.tmp.exe, Quarantined, [72db153a4d4d13233b30f9c94abaa060], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\64C5.tmp.exe, Quarantined, [351872dd9cfe43f31952b111f01460a0], 
PUP.Optional.BundleInstaller, C:\Users\Fernando\AppData\Local\Temp\E0F5.tmp.exe, Quarantined, [96b792bd9ffb2f076506c2007f8528d8], 
PUP.Optional.ConvertAd.Gen, C:\Program Files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\kns64A0.tmp, Quarantined, [9bb2252a41598aacca11ac41729110f0], 
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (user_pref("browser.search.defaultenginename", "youndoo");), Replaced,[420b88c7c6d4191d4971387157ad15eb]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (n is running,
 * tits.
 *
 * To make a manual chalse);
user_pref("app.update.enabled", false);
user_pref("a), Replaced,[2b22d976cecc4de9eccee8c1ca3a26da]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (ser_pref("app.update.lastUpdateTime.addon-background-update-timer", 1472011707);
user_pref("app.update.lastUpdateTime.background-update-timer", 1472076498);
user_pref("app.), Replaced,[7dd0aca34357b482fdbd723759ab49b7]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (f("app.update.lastUpdateTime.addon-background-update-timer", 1472011707);
user_pref("app.update.lastUpdateTime.background-update-timer", 1472076498);
user_pref("app.update.lastUpdateTime.blocklis), Replaced,[3a13ed62e4b68da9b00a8623da2a7d83]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (e.background-update-timer", 1472076498);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1472011827);
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 147), Replaced,[0c41232ccbcfce68d6e47237927217e9]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (eTime.addon-background-update-timer", 1472011707);
us), Replaced,[0f3e3619bae0c2747b3f55546b99e719]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (se);
user_pref("extensions.shownSelectionUI", true);
user_pref("extensions.systemAddonSet", "{\"schema\":1,\"directory\":\"{f4736577-0f38-4889-b9a1-c0855055a42e}\",\"addons\":{\"e10srollout@mozilla.org\":), Replaced,[0647b897eeacd5617c3e2c7d0afa9070]
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (tDataSubmissionSuccessfulTime", "1464034492503");
user_pref("datareporting.healthreport.nextDataSubmissionTime", "1464120892503");
user_pref("datareporting.healthr), Replaced,[163784cb0b8faf87c4f694154cb819e7]

Physical Sectors: 0
(No malicious items detected)


(end)

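The log above records two kinds of outcome. "Quarantined" items have already been moved; "Delete on reboot" and "Replace on reboot" items (the running processes, their service binaries and the two unknown rootkit drivers) stay on disk until the restart the instructions' note insists on, which is also why an interrupted run and a second run report different totals. The following Python script is an added example, not part of this thread or of Malwarebytes: it parses the MBAM 2.x log format, checks each section's header count against the lines actually present, and lists what is still pending, which kernel drivers were hit and which service keys were removed. SAMPLE_LOG is a constructed excerpt assembled from lines of the log above; the function and field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in MBAM 2.x log format, built from lines of the log above.
SAMPLE_LOG = r"""Processes: 2
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoSoEasy\SoSoEasySvc.exe, 2892, Delete on reboot, [94b9311ed9c106306eac10ca8e76926e]
PUP.Optional.NetworkProtector, C:\Program Files (x86)\WebShield\WebShield.exe, 7944, Delete on reboot, [400d9cb31d7d95a16c8f5a7926de7f81]

Registry Keys: 2
PUP.Optional.SoEasySvc, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SoEasySvc, Quarantined, [94b9311ed9c106306eac10ca8e76926e],
PUP.Optional.NetworkProtector, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\hfZNXRrj, Quarantined, [400d9cb31d7d95a16c8f5a7926de7f81],

Files: 4
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\qoiynq.sys, Replace on reboot, [d4cbb6b5aa0b087b1e2fc0bdfda867f0],
PUP.Optional.SoEasySvc, C:\Program Files (x86)\SoSoEasy\SoSoEasySvc.exe, Delete on reboot, [94b9311ed9c106306eac10ca8e76926e],
PUP.Optional.Elex, C:\Users\Fernando\AppData\Roaming\ucdlr.exe, Quarantined, [ef5ed17e19818bab7f5cece248bc4cb4],
PUP.Optional.Youndoo, C:\Users\Fernando\AppData\Roaming\Profiles\7m58hrzn.default\prefs.js, Good: (), Bad: (user_pref("browser.search.defaultenginename", "youndoo");), Replaced,[420b88c7c6d4191d4971387157ad15eb]

Physical Sectors: 0
(No malicious items detected)
"""

SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)$")
DETECTION_RE = re.compile(
    r"^(?P<threat>[\w.]+), (?P<obj>.+?), "
    r"(?:(?P<pid>\d+), )?"                  # only the Processes section carries a PID
    r"(?:Good: \(.*\), Bad: \(.*\), )?"     # prefs.js edits carry a Good/Bad diff
    r"(?P<action>Quarantined|Delete on reboot|Replace on reboot|Replaced),"
    r"\s*\[(?P<sig>[0-9a-f]{32})\]"
)
SERVICE_KEY_RE = re.compile(r"\\SERVICES\\(?P<svc>[^\\]+)$", re.IGNORECASE)


@dataclass
class Detection:
    section: str
    threat: str
    obj: str
    action: str
    pid: Optional[int]
    sig: str


def parse_mbam_log(text):
    """Return (detections, declared). 'declared' holds each section header's
    count ('Files: 29'), so a truncated or interrupted log can be spotted."""
    detections, declared, section = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m and m["name"] in SECTIONS:
            section = m["name"]
            declared[section] = int(m["count"])
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append(Detection(section, m["threat"], m["obj"], m["action"],
                                        int(m["pid"]) if m["pid"] else None, m["sig"]))
    return detections, declared


def count_mismatches(detections, declared):
    """Sections whose header count differs from the lines actually present."""
    parsed = Counter(d.section for d in detections)
    return {s: (n, parsed[s]) for s, n in declared.items() if parsed[s] != n}


def pending_reboot(detections):
    """Items MBAM could not touch while in use: nothing here is gone until the reboot."""
    return [d for d in detections if d.action.endswith("on reboot")]


def kernel_drivers(detections):
    """Detections that are .sys files under a drivers directory."""
    return [d for d in detections
            if d.obj.lower().endswith(".sys") and "\\drivers\\" in d.obj.lower()]


def removed_services(detections):
    """Service names whose registry key was quarantined; after the reboot
    these should no longer appear in 'sc query' output."""
    names = {m["svc"] for d in detections if d.section == "Registry Keys"
             for m in [SERVICE_KEY_RE.search(d.obj)] if m}
    return sorted(names)


if __name__ == "__main__":
    dets, declared = parse_mbam_log(SAMPLE_LOG)
    print("parsed", len(dets), "detections; count mismatches:", count_mismatches(dets, declared))
    for d in pending_reboot(dets):
        print("pending reboot:", d.threat, d.obj)
    for d in kernel_drivers(dets):
        print("driver:", d.obj)
    print("services to re-check:", removed_services(dets))
```

Run it as-is for the sample, or pass the full exported .txt to parse_mbam_log(). A non-empty result from count_mismatches() means the log does not contain everything the scan reported, which is exactly the situation of the interrupted first run; the names from removed_services() are the ones to confirm with sc query after the reboot.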

@darkzeden

Read the instructions in this link: "How to use ComboFix"

Download ComboFix and save it to your Desktop.

Temporarily disable your antivirus, antispyware and firewall so they do not cause conflicts.

  • Double-click the ComboFix.exe saved on your Desktop.
    • Note: Windows Vista, 7 and 8 users, right-click it and choose Run as administrator (image execadmin.png).
  • Read and accept the terms by pressing ENTER.
  • Note: Do not use the mouse or keyboard while the tool is running; doing so can make the computer hang.
  • A message may appear saying the computer needs to restart.
  • DO NOT RESTART!!! ComboFix will restart the computer automatically.
  • When the tool finishes, a log will be generated (the file C:\ComboFix.txt).
  • Copy and paste the contents of that file in your next reply.

 


Good evening Carlos,

As instructed, I followed the guidance; the log is below:

ComboFix 16-08-21.02 - Fernando 28/08/2016  20:06:32.1.4 - x64
Microsoft Windows 7 Home Basic   6.1.7601.1.1252.55.1046.18.6038.4313 [GMT -3:00]
Running from: c:\users\Fernando\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\4316092494054420833
c:\programdata\4316092494054420833\26b7099b005799dbe17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\37775abd6f6704a2e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\4775d99c57b1799ee17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\4cc9484e5308b1bce17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\7524bb24f4426bd4e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\8176d51b956c13fee17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\954accd1ef18255be17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\ab04ecb30c557b37e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\ad5e6328e91d5a25e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\c5dda88116364677e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\c85a0ede773eb389e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\cd5b15e575e1c3d0e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\d10de703829fe2d8e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\d1b1b8b13a226202e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\d1b823d8a4cc4149e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\d38e8734560118a9e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\d6ae24e4beaa0e72e17ddbbc89da3a60.ini
c:\programdata\4316092494054420833\dede21b2540a951ce17ddbbc89da3a60.ini
c:\programdata\Amazon.ico
c:\programdata\MercadoLivre.ico
c:\programdata\Mini - Adblocker
c:\programdata\Mini - Adblocker\Mini - Adblocker.exe
c:\users\Fernando\AppData\Local\Temp\KZipShell.dll.del
c:\users\Fernando\AppData\Roaming\adb.exe
c:\users\Fernando\AppData\Roaming\fastboot.exe
c:\users\Fernando\AppData\Roaming\kpzip.exe
c:\users\Fernando\AppData\Roaming\RandomDelJiheReg.exe
c:\users\Fernando\AppData\Roaming\THREADAPP.exe
c:\users\Fernando\AppData\Roaming\ucdlr.exe
c:\windows\msdownld.tmp
c:\windows\SysWow64\images
c:\windows\SysWow64\images\3da.jpg
c:\windows\SysWow64\images\ts_back2.gif
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_PCSUService
.
.
((((((((((((((((   Files Created from 2016-07-28 to 2016-08-28  ))))))))))))))))))))))))))))
.
.
2016-08-28 23:28 . 2016-08-28 23:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2016-08-28 23:28 . 2016-08-28 23:28    --------    d-----w-    c:\users\Convidado.Fernando-PC\AppData\Local\temp
2016-08-28 22:34 . 2016-08-28 22:37    --------    d-----w-    c:\program files\快压
2016-08-28 22:32 . 2016-08-28 22:43    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Ludashi
2016-08-26 20:06 . 2016-08-26 20:06    --------    d-----w-    c:\users\Fernando\AppData\Roaming\MCorp
2016-08-26 03:32 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\LdsLite
2016-08-26 00:57 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2016-08-26 00:57 . 2016-08-26 00:57    --------    d-----w-    c:\programdata\Malwarebytes
2016-08-24 04:15 . 2016-07-08 15:32    2048    ----a-w-    c:\windows\system32\tzres.dll
2016-08-24 04:15 . 2016-07-08 15:16    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2016-08-24 03:57 . 2016-08-24 03:57    --------    d-----w-    c:\users\Fernando\AppData\Local\Profiles
2016-08-24 03:34 . 2016-08-26 08:42    --------    d-----w-    c:\users\Convidado.Fernando-PC\AppData\Roaming\lockhomepage
2016-08-24 03:34 . 2016-08-24 03:35    --------    d-----w-    c:\users\Convidado.Fernando-PC\AppData\Roaming\Ludashi
2016-08-24 03:34 . 2016-08-24 03:38    --------    d-----w-    c:\users\Convidado.Fernando-PC\AppData\Roaming\KuaiZip
2016-08-24 03:34 . 2016-08-26 08:42    --------    d-----w-    c:\users\Convidado.Fernando-PC\AppData\Roaming\WeatherTool
2016-08-24 03:18 . 2016-08-24 03:17    60136    ----a-w-    c:\windows\system32\drivers\MPCKpt.sys
2016-08-24 03:16 . 2016-08-19 07:46    6765520    ----a-w-    c:\users\Fernando\AppData\Roaming\AdAnti13.exe
2016-08-24 03:12 . 2016-08-24 03:12    --------    d-----w-    c:\program files (x86)\{516D9F5A-D8E3-485A-838A-AE688ED07E5C}
2016-08-24 02:45 . 2016-08-26 08:42    --------    d-----w-    c:\users\Fernando\AppData\Roaming\lockhomepage
2016-08-24 02:44 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\LDSGameCenter
2016-08-24 02:41 . 2016-08-24 04:55    --------    d-----w-    c:\program files (x86)\GreatMaker
2016-08-24 02:41 . 2016-08-24 04:29    --------    d-----w-    c:\users\Fernando\AppData\Local\app
2016-08-24 02:41 . 2016-07-01 09:19    8284704    ----a-w-    c:\users\Fernando\AppData\Roaming\MaoHaWiFiSetup_262.exe
2016-08-24 02:41 . 2016-08-28 22:40    92872    ----a-w-    c:\windows\system32\drivers\KuaiZipDrive.sys
2016-08-24 02:41 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\AdAnti
2016-08-24 02:40 . 2016-08-24 02:40    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Softlink
2016-08-24 02:39 . 2016-08-28 23:03    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Kuaizip
2016-08-24 02:38 . 2016-02-18 09:10    5267952    ----a-w-    c:\users\Fernando\AppData\Roaming\ziptool_wc-9015_setup.exe
2016-08-24 02:37 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\sbqh
2016-08-24 02:36 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\ttwifi
2016-08-24 02:36 . 2016-08-26 08:42    --------    d-----w-    c:\users\Fernando\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
2016-08-24 02:36 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\mpck
2016-08-24 02:35 . 2016-08-26 08:43    --------    d-----w-    c:\users\Fernando\AppData\Roaming\UPUpdata
2016-08-24 02:34 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\EasyHotspot
2016-08-24 02:32 . 2016-08-27 10:15    --------    d-----w-    c:\program files (x86)\WebShield
2016-08-24 02:31 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020
2016-08-24 02:29 . 2016-08-27 22:05    --------    d-----w-    c:\program files (x86)\Velocidade Do PC
2016-08-24 02:23 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\DPower
2016-08-24 02:21 . 2016-08-24 02:21    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Desktop
2016-08-24 02:21 . 2016-08-26 08:50    --------    d-----w-    c:\program files (x86)\MPC Cleaner
2016-08-24 02:20 . 2016-08-24 03:30    --------    d-----w-    c:\programdata\AVAST Software
2016-08-24 02:19 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\SoSoEasy
2016-08-24 02:19 . 2016-08-24 03:30    --------    d--h--w-    c:\program files (x86)\vuo6B2A
2016-08-24 02:18 . 2016-08-24 02:31    --------    d-----w-    c:\users\Fernando\AppData\Local\prlwardsepershcasesy
2016-08-24 02:17 . 2016-08-24 02:19    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Profiles
2016-08-24 02:17 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\Thergasetergecult
2016-08-24 02:14 . 2016-08-24 02:14    2628285    ----a-w-    c:\windows\chromebrowser.exe
2016-08-18 04:12 . 2016-05-18 16:10    312832    ----a-w-    c:\windows\SysWow64\gdi32.dll
2016-08-18 04:12 . 2016-05-18 16:09    405504    ----a-w-    c:\windows\system32\gdi32.dll
2016-08-18 04:12 . 2016-03-16 00:16    760320    ----a-w-    c:\windows\system32\samsrv.dll
2016-08-18 04:12 . 2016-03-16 00:16    106496    ----a-w-    c:\windows\system32\samlib.dll
2016-08-18 04:12 . 2016-03-15 23:53    60416    ----a-w-    c:\windows\SysWow64\samlib.dll
2016-08-18 03:53 . 2016-04-09 07:01    986344    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2016-08-18 03:53 . 2016-04-09 07:01    264936    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2016-08-18 03:53 . 2016-04-09 06:57    144384    ----a-w-    c:\windows\system32\cdd.dll
2016-08-18 03:48 . 2016-07-08 15:01    3218944    ----a-w-    c:\windows\system32\win32k.sys
2016-08-04 01:50 . 2015-09-16 06:07    127432    ----a-w-    c:\windows\system32\drivers\VBoxUSBMon.sys
2016-08-04 01:49 . 2015-09-16 03:29    253384    ----a-w-    c:\windows\system32\drivers\XQHDrv.sys
2016-08-04 01:42 . 2016-08-26 08:42    --------    d-----w-    c:\program files (x86)\WeatherTool
2016-08-04 01:42 . 2016-08-26 08:42    --------    d-----w-    c:\users\Fernando\AppData\Roaming\WeatherTool
2016-08-02 05:28 . 2016-04-09 07:01    5546216    ----a-w-    c:\windows\system32\ntoskrnl.exe
2016-08-02 05:27 . 2016-04-14 13:49    603648    ----a-w-    c:\windows\SysWow64\d3d10level9.dll
2016-08-02 05:26 . 2016-03-09 19:00    396800    ----a-w-    c:\windows\system32\webio.dll
2016-08-02 05:26 . 2016-03-09 18:40    316416    ----a-w-    c:\windows\SysWow64\webio.dll
2016-08-02 05:26 . 2016-03-06 18:53    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2016-08-02 05:26 . 2016-03-06 18:53    1885696    ----a-w-    c:\windows\system32\msxml3.dll
2016-08-02 05:26 . 2016-03-06 18:38    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2016-08-02 05:26 . 2016-03-06 18:38    1240576    ----a-w-    c:\windows\SysWow64\msxml3.dll
2016-08-02 05:26 . 2016-01-21 00:51    73664    ----a-w-    c:\windows\system32\drivers\disk.sys
2016-08-02 05:26 . 2016-02-02 18:57    511488    ----a-w-    c:\windows\system32\rpcss.dll
2016-08-01 06:28 . 2016-08-01 06:28    --------    d-----w-    c:\users\Fernando\Nox_share
2016-08-01 06:28 . 2016-08-24 03:53    --------    d-----w-    c:\users\Fernando\vmlogs
2016-08-01 06:25 . 2016-08-01 06:25    --------    d-----w-    c:\program files\DIFX
2016-08-01 06:22 . 2016-08-24 04:27    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Nox
2016-08-01 06:22 . 2016-08-24 04:26    --------    d-----w-    c:\users\Fernando\AppData\Local\Nox
2016-07-30 02:56 . 2016-07-30 02:56    --------    d-----w-    c:\users\Fernando\AppData\Roaming\Mael
2016-07-30 02:56 . 2016-07-30 02:56    --------    d-----w-    c:\program files (x86)\HxD
.
.
.
(((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-08-28 23:39 . 2015-08-28 03:06    28888    ----a-w-    c:\windows\system32\drivers\gbpddfac64.sys
2016-08-28 23:36 . 2016-05-31 02:14    101080    ----a-w-    c:\windows\system32\drivers\wsddfac.sys
2016-08-18 05:02 . 2014-02-01 06:26    147640136    -c--a-w-    c:\windows\system32\MRT.exe
2016-08-02 22:36 . 2016-08-28 22:47    11847048    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6CF17EAF-054E-40F5-8E1B-B79D1AD7A398}\mpengine.dll
2016-08-02 22:36 . 2016-08-26 20:18    11847048    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2016-07-27 19:25 . 2013-12-27 15:49    504488    ------w-    c:\windows\system32\MpSigStub.exe
2016-07-14 10:06 . 2013-12-27 18:34    796352    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2016-07-14 10:06 . 2013-12-27 18:34    142528    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-07-02 17:13 . 2012-07-17 16:37    24800    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2016-06-14 15:21 . 2016-08-02 05:26    2560    ----a-w-    c:\windows\apppatch\AcRes.dll
2016-05-31 04:11 . 2016-05-31 04:11    1856    ----a-w-    c:\windows\Fonts\Warsaw Bold.ttf
2015-04-17 01:54 . 2015-04-17 01:54    79    ----a-w-    c:\program files (x86)\prefs.js
2010-01-26 12:11 . 2014-01-07 19:54    444283    ----a-w-    c:\program files\Common Files\WinPcapNmap.exe
2004-12-12 22:13 . 2015-03-15 18:45    208896    ----a-w-    c:\program files (x86)\3DAnalyze.exe
2004-12-11 00:44 . 2015-03-15 18:45    52736    ----a-w-    c:\program files (x86)\ForceDLL.dll
2004-12-11 00:44 . 2015-03-15 18:45    90112    ----a-w-    c:\program files (x86)\hook_3DA.dll
2009-07-13 23:19    64512    --sha-w-    c:\windows\System32\drivers\alifide.sys
2009-07-13 23:19    64512    --sha-w-    c:\windows\System32\drivers\ppjpql.sys
2001-08-17 05:59    273696    --sha-w-    c:\windows\System32\drivers\pztzmr.sys
2009-07-13 23:19    64512    --sha-w-    c:\windows\System32\drivers\rrlrpr.sys
.
.
((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2015-10-19 8551848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"iCloud"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloud.exe" [2016-04-22 67384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2016-06-16 14:34    1947872    ----a-w-    c:\program files (x86)\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"RequireSignedAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 gbpddreg;Gbpddreg svc;c:\windows\system32\drivers\gbpddreg64.sys;c:\windows\SYSNATIVE\drivers\gbpddreg64.sys [x]
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys;c:\windows\SYSNATIVE\drivers\GbpKm.sys [x]
R1 rrlrpr;rrlrpr; [x]
R2 165c96fd;TurboSys;c:\windows\system32\rundll32.exe;c:\windows\SYSNATIVE\rundll32.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 dowidoly;Renew Single Click;c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\jnsl4564.tmp;c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\jnsl4564.tmp [x]
R2 Prpcollectorclunether.exe;Perpushpherwerty Collector;c:\program files (x86)\Thergasetergecult\Prpcollectorclunether.exe {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116};c:\program files (x86)\Thergasetergecult\Prpcollectorclunether.exe {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116} [x]
R2 rijufoze;Reservation Plastic;c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\hnsq6708.tmp;c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\hnsq6708.tmp [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 wofokucuzbt;Optimise Temporary Internet Files;c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\kns1F97.tmp;c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\kns1F97.tmp [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Intel(R) Capability Licensing Service TCP IP Interface;Intel(R) Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys;c:\windows\SYSNATIVE\DRIVERS\RTL8187B.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 X6va015;X6va015;c:\windows\SysWOW64\Drivers\X6va015;c:\windows\SysWOW64\Drivers\X6va015 [x]
R3 X6va017;X6va017;c:\windows\SysWOW64\Drivers\X6va017;c:\windows\SysWOW64\Drivers\X6va017 [x]
R3 X6va029;X6va029;c:\windows\SysWOW64\Drivers\X6va029;c:\windows\SysWOW64\Drivers\X6va029 [x]
R3 X6va031;X6va031;c:\windows\SysWOW64\Drivers\X6va031;c:\windows\SysWOW64\Drivers\X6va031 [x]
R3 X6va035;X6va035;c:\windows\SysWOW64\Drivers\X6va035;c:\windows\SysWOW64\Drivers\X6va035 [x]
R3 X6va037;X6va037;c:\windows\SysWOW64\Drivers\X6va037;c:\windows\SysWOW64\Drivers\X6va037 [x]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys;c:\windows\xhunter1.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 gbpddfac;Warsaw File Access svc;c:\windows\system32\drivers\gbpddfac64.sys;c:\windows\SYSNATIVE\drivers\gbpddfac64.sys [x]
S1 MPCKpt;MPCKpt;c:\windows\system32\DRIVERS\MPCKpt.sys;c:\windows\SYSNATIVE\DRIVERS\MPCKpt.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S1 wsddfac;wsddfac;c:\windows\system32\drivers\wsddfac.sys;c:\windows\SYSNATIVE\drivers\wsddfac.sys [x]
S1 wsddpp;Warsaw - Driver (PP);c:\windows\system32\drivers\wsddpp.sys;c:\windows\SYSNATIVE\drivers\wsddpp.sys [x]
S1 XQHDrv;BigNox Service;c:\windows\system32\DRIVERS\XQHDrv.sys;c:\windows\SYSNATIVE\DRIVERS\XQHDrv.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 ComputerZLock;ComputerZLock;c:\program files (x86)\LdsLite0\ComputerZLock_x64.sys;c:\program files (x86)\LdsLite0\ComputerZLock_x64.sys [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 GbpSv;Gbp Service;c:\progra~2\GbPlugin\GbpSv.exe;c:\progra~2\GbPlugin\GbpSv.exe [x]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
S2 KuaiZipDrive;KuaiZipDrive;c:\windows\system32\drivers\KuaiZipDrive.sys;c:\windows\SYSNATIVE\drivers\KuaiZipDrive.sys [x]
S2 KuaizipUpdateChecker;KuaizipUpdateChecker;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 LolScreenSaverService;Proteção de Tela de League;c:\riot games\LolScreenSaver\service\service.exe;c:\riot games\LolScreenSaver\service\service.exe [x]
S2 MPCProtectService;MPC Core Protect Service;c:\program files (x86)\MPC Cleaner\MPCProtectService.exe;c:\program files (x86)\MPC Cleaner\MPCProtectService.exe [x]
S2 mqJlboyQ;sCViEvsrYb;c:\program files (x86)\WebShield\WebShield.exe;c:\program files (x86)\WebShield\WebShield.exe [x]
S2 PSI_SVC_2_x64;Corel License Validation Service V2 x64, Powered by arvato;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [x]
S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [x]
S2 SoEasySvc;SoEasySvc;c:\program files (x86)\SoSoEasy\SoSoEasySvc.exe {8DE54EC4-2DF3-4F56-9F19-EBC2BDF2FF59};c:\program files (x86)\SoSoEasy\SoSoEasySvc.exe {8DE54EC4-2DF3-4F56-9F19-EBC2BDF2FF59} [x]
S2 TheDesktopWeatherService;The Desktop Weather Service;c:\program files (x86)\WeatherTool\2.0.1.11389\WeatherService.exe;c:\program files (x86)\WeatherTool\2.0.1.11389\WeatherService.exe [x]
S2 Warsaw Technology;Warsaw Technology;c:\program files\Diebold\Warsaw\core.exe;c:\program files\Diebold\Warsaw\core.exe [x]
S3 GBPRCM;Service for G-Buster Driver (PM);c:\program files (x86)\GBPLUGIN\gbprcm64.sys;c:\program files (x86)\GBPLUGIN\gbprcm64.sys [x]
S3 ICCWDT;Intel(R) Watchdog Timer Driver (Intel(R) WDT);c:\windows\system32\DRIVERS\ICCWDT.sys;c:\windows\SYSNATIVE\DRIVERS\ICCWDT.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Warsaw_PP;Warsaw Protector;c:\progra~2\GbPlugin\wsftprp64.sys;c:\progra~2\GbPlugin\wsftprp64.sys [x]
S4 WinDivert1.1;WinDivert1.1;c:\program files\Diebold\Warsaw\WinDivert64.sys;c:\program files\Diebold\Warsaw\WinDivert64.sys [x]
.
.
--- =Other Services/Drivers In Memory ---
.
*NewlyCreated* - PPJPQL
*NewlyCreated* - WS2IFSL
*Deregistered* - GbFtIn
*Deregistered* - ppjpql
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr QWAVE wcncsvc
zipsvcs    REG_MULTI_SZ       ziphost
kuaizipupdatesvc    REG_MULTI_SZ       KuaizipUpdateChecker
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
HpSvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-08-09 01:23    1262408    ----a-w-    c:\program files (x86)\Google\Chrome\Application\52.0.2743.116\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2016-06-30 11:55    322232    ----a-w-    c:\program files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2016-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-27 10:06]
.
2016-08-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4049816919-3172257985-131058368-1000Core.job
- c:\users\Fernando\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-02-27 00:48]
.
2016-08-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4049816919-3172257985-131058368-1000UA.job
- c:\users\Fernando\AppData\Local\Facebook\Update\FacebookUpdate.exe [2014-02-27 00:48]
.
2016-08-27 c:\windows\Tasks\PC SpeedUp Service Deactivator.job
- c:\program files (x86)\Velocidade Do PC\PCSUSD.exe [2016-08-24 01:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KzShlobj]
@="{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"
[HKEY_CLASSES_ROOT\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}]
2016-08-28 22:40    532696    ----a-w-    c:\program files\快压\X64\KZipShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2013-10-22 7203032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-11-07 171992]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-11-07 399832]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-11-07 442328]
"Diebold - Warsaw"="c:\program files\Diebold\Warsaw\core.exe" [2016-06-22 925744]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://search.delta-homes.com/web/?type=ds&ts=1415778728&from=wpm11122&uid=ST500LM012XHN-M500MBB_S2ZAJ5DD916348&q={searchTerms}
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bb.com.br\seg
Trusted Zone: bb.com.br\www
Trusted Zone: clonewarsadventures.com
Trusted Zone: dell.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 189.124.132.33 189.124.132.32
TCP: Interfaces\{13D7D58C-157F-42AC-B60B-87AAD4EB687E}: NameServer = 188.120.239.115,8.8.8.8
TCP: Interfaces\{800C1EC7-A2A1-4B6C-9760-83EDA4BC263C}: NameServer = 188.120.239.115,8.8.8.8
FF - ProfilePath - c:\users\Fernando\AppData\Roaming\Mozilla\Firefox\Profiles\wmw8qnm7.default-1463870672655\
FF - prefs.js: browser.startup.homepage - search.mpc.am
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
ShellIconOverlayIdentifiers-{0A93904A-BB1E-4a0c-9753-B57B9AE272CC} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
ShellExecuteHooks-{6710C780-E20E-4C49-A87D-321850ED3D7C} - (no file)
AddRemove-{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{165c96fd} - c:\progra~2\TurboSys\TurboSys.dll
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\dowidoly]
"ImagePath"="c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\jnsl4564.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\rijufoze]
"ImagePath"="c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\hnsq6708.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\wofokucuzbt]
"ImagePath"="c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\kns1F97.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va015]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va015"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va017]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va017"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va029]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va029"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va031]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va031"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va035]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va035"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va037]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va037"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_22_0_0_210_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_22_0_0_210_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_22_0_0_210_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_22_0_0_210_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_210.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.22"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_210.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_210.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_22_0_0_210.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\SoSoEasy\SoSoEasySvc.exe
c:\program files (x86)\MPC Cleaner\MPCTray.exe
c:\program files (x86)\LdsLite0\LdsLite.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\MPC Cleaner\MPCNews.exe
.
**************************************************************************
.
Time completed: 2016-08-28  20:54:41 - machine was rebooted
ComboFix-quarantined-files.txt  2016-08-28 23:54
.
Pre-Run: 141.033.680.896 bytes free
Post-Run: 139.196.121.088 bytes free
.
- - End Of File - - 17A9FA0282BB91C09C67346559CDC247
A36C5E4F47E84449FF07ED3517B43A31
 


Ok,

Temporarily disable your antivirus, antispyware and firewall so they do not interfere.

Select and copy the text inside the CODE box. Open Notepad and paste what you copied. Then save it to the desktop with the name CFScript.txt.

Killall::
 
ClearJavaCache::

Folder::
c:\program files (x86)\MPC Cleaner
c:\users\Fernando\AppData\Roaming\Ludashi
c:\users\Convidado.Fernando-PC\AppData\Roaming\Ludashi
c:\program files (x86)\sbqh
c:\program files (x86)\ttwifi
c:\users\Fernando\AppData\Local\kemgadeojglibflomicg
c:\users\Fernando\AppData\Roaming\UPUpdatanfeopkdfflnk
c:\program files (x86)\mpck

Driver::
MPCProtectService
MPCKpt

Firefox::
FF - prefs.js: browser.startup.homepage - 

NetSvc::
HpSvc

File::
c:\windows\system32\drivers\MPCKpt.sys

DDS::


Now drag CFScript.txt onto ComboFix, as shown in the demonstration below.

[image: cfscript.gif]

ComboFix will run and will reboot the PC automatically to complete the removal.
* If that does not happen, reboot manually.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

This script was written only for this computer, based on the files and keys present on it.

To visitors: if you have a similar problem, do not use this script; running it without supervision can damage the system.

When it finishes, a log will be generated at C:\ComboFix.txt. Post its contents.
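Reading the log above the way the helper did, the entries that end up in the CFScript stand out for structural reasons rather than by name: a service whose name and display name are both random strings (mqJlboyQ / sCViEvsrYb), services whose ImagePath is a .tmp file inside a hex-GUID-named folder under Program Files (dowidoly, rijufoze, wofokucuzbt), "drivers" under SysWOW64\Drivers with no .sys extension (the X6va0xx entries), and a static NameServer on both interfaces that differs from the ISP's DHCP-assigned DNS. The Python below is an added example, not ComboFix code and not part of the helper's post: it parses those line formats from a constructed excerpt of this log and applies exactly those four heuristics. The name thresholds (vowel ratio, number of case switches) are assumptions tuned so that CamelCase product names such as RtkAudioService pass, and the heuristics are only a first pass: MPCKpt, for instance, is not flagged by them, because the helper identified it from the MPC Cleaner product folder it belongs to, not from the shape of its name.

```python
"""Triage heuristics for ComboFix service/driver and TCP lines.
Added example for this thread (not ComboFix code, not the helper's script).
SAMPLE_LOG is a constructed excerpt of the log posted above."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys;c:\windows\xhunter1.sys [x]
R3 X6va015;X6va015;c:\windows\SysWOW64\Drivers\X6va015;c:\windows\SysWOW64\Drivers\X6va015 [x]
S1 MPCKpt;MPCKpt;c:\windows\system32\DRIVERS\MPCKpt.sys;c:\windows\SYSNATIVE\DRIVERS\MPCKpt.sys [x]
S2 mqJlboyQ;sCViEvsrYb;c:\program files (x86)\WebShield\WebShield.exe;c:\program files (x86)\WebShield\WebShield.exe [x]
S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [x]
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\dowidoly]
"ImagePath"="c:\program files (x86)\4C4C4544-1472005875-2010-8020-A0C04F202020\jnsl4564.tmp"
TCP: DhcpNameServer = 189.124.132.33 189.124.132.32
TCP: Interfaces\{13D7D58C-157F-42AC-B60B-87AAD4EB687E}: NameServer = 188.120.239.115,8.8.8.8
"""

# 'Rn/Sn name;display;path;path [x]' lines from the services section
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);([^;]+);")
# registry dump: a services\<name> key followed by its "ImagePath" value
REGKEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\services\\([^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$')
DHCP_RE = re.compile(r"^TCP:\s+DhcpNameServer\s*=\s*(.+)$")
IFACE_RE = re.compile(r"^TCP:\s+Interfaces\\(\{[^}]+\}):\s+NameServer\s*=\s*(.+)$")
# a folder named like 4C4C4544-1472005875-2010-8020-A0C04F202020
HEXDIR_RE = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]+){3,}\\", re.I)


def looks_generated(name: str) -> bool:
    """True for names like 'mqJlboyQ': few vowels plus erratic case changes.
    Thresholds are assumptions chosen so CamelCase product names are not hit."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowels / len(letters) < 0.25 and switches >= 3


def image_findings(name: str, path: str) -> List[str]:
    """Flags based on the image path alone: .tmp images, hex-GUID folders,
    and driver images that are not .sys files or that live under SysWOW64."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):  # NT object-path prefix used by driver ImagePaths
        p = p[4:]
    out = []
    if p.endswith(".tmp"):
        out.append(f"{name}: image is a .tmp file ({path})")
    if HEXDIR_RE.search(p):
        out.append(f"{name}: image under a hex-GUID-named folder ({path})")
    if "\\drivers\\" in p:
        if not p.endswith(".sys"):
            out.append(f"{name}: driver image without .sys extension ({path})")
        if "\\syswow64\\" in p:
            out.append(f"{name}: driver loaded from SysWOW64, not System32\\drivers ({path})")
    return out


def dns_findings(dhcp: List[str], ifaces: Dict[str, List[str]]) -> List[str]:
    """A per-interface NameServer that is not what DHCP handed out."""
    out = []
    for iface, servers in ifaces.items():
        extra = [s for s in servers if s not in dhcp]
        if extra:
            out.append(f"{iface}: static NameServer {', '.join(extra)} "
                       f"overrides DHCP DNS {', '.join(dhcp) or '(none)'}")
    return out


def triage(log: str) -> List[str]:
    """Walk the log once and collect every finding as a plain string."""
    findings: List[str] = []
    dhcp: List[str] = []
    ifaces: Dict[str, List[str]] = {}
    pending_key = None  # services\<name> key waiting for its ImagePath line
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            name, display, path = m.group(1), m.group(2), m.group(3)
            for label in dict.fromkeys((name, display)):  # de-duplicated, ordered
                if looks_generated(label):
                    findings.append(f"{name}: name '{label}' looks machine-generated")
            findings.extend(image_findings(name, path))
        elif m := REGKEY_RE.match(line):
            pending_key = m.group(1)
        elif (m := IMAGEPATH_RE.match(line)) and pending_key:
            findings.extend(image_findings(pending_key, m.group(1)))
            pending_key = None
        elif m := DHCP_RE.match(line):
            dhcp = re.split(r"[\s,]+", m.group(1).strip())
        elif m := IFACE_RE.match(line):
            ifaces[m.group(1)] = re.split(r"[\s,]+", m.group(2).strip())
    findings.extend(dns_findings(dhcp, ifaces))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it directly and it prints one line per finding; the same triage() call can be pointed at a full ComboFix.txt read from disk. Note that the DNS check reports 8.8.8.8 as well, because the test is "differs from what DHCP assigned", not "is known bad": a public resolver the owner set on purpose is a legitimate reason for that finding, so confirm with the user before treating the DNS change as a hijack.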

 


Topic Archived

Since the author did not reply to the topic for more than 10 days, it has been archived. If you are the topic's author and want it reopened, contact one of the forum's Security Analysts and ask for it to be unlocked.

CarlosTurco

diego_moicano

 

 
