Hi,
Ihave one desktop here who freezes after Windows xp inicialization. Can you help me?
I'm posting from another pc, since the other can't access the internet. I'm copying the logs to a pen drive and posting here. I had to run the infected pc in safe mode in order to run DDS, etc.
One more thing: in addition to creating th log file, aswMBR created a .dat file named MBR. Is that normal?
Thanks in advance.
DDS (Ver_2012-11-20.01) - NTFS_x86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Administrador at 16:55:53 on 2014-04-30
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.760 [GMT -3:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Arquivos de programas\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\arquivos de programas\microsoft office\office12\GrooveShellExtensions.dll
BHO: Auxiliar de Conexão do Windows Live: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: GbIehObj Class: {C41A1C0E-EA6C-11D4-B1B8-444553540000} - c:\arquivos de programas\gbplugin\gbieh.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [NeroHomeFirstStart] c:\arquivos de programas\arquivos comuns\ahead\lib\NMFirstStart.exe
mRun: [SpeedTouch USB Diagnostics] "c:\arquivos de programas\alcatel\speedtouch usb\Dragdiag.exe" /icon
mRun: [MSC] "c:\arquivos de programas\microsoft security client\msseces.exe" -hide -runkey
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\arquiv~1\arquiv~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\menuin~1\progra~1\inicia~1\recort~1.lnk - c:\arquivos de programas\microsoft office\office12\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\arquivos de programas\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\arquivos de programas\microsoft office\office12\GrooveSystemServices.dll
Notify: GbPluginBb - c:\arquivos de programas\gbplugin\gbieh.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\arquivos de programas\microsoft office\office12\GrooveShellExtensions.dll
SEH: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399F83} - c:\arquivos de programas\gbplugin\gbieh.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\arquivos de programas\google\chrome\application\34.0.1847.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2013-1-4 46440]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 GbpSv;Gbp Service;c:\arquiv~1\gbplugin\GbpSv.exe [2013-1-4 280168]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2012-8-22 36048]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-10 1691480]
S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [2013-8-22 31088]
S3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [2013-8-22 31088]
S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-6-10 31232]
.
=============== Created Last 30 ================
.
2014-04-29 18:07:11 -------- d-----w- c:\documents and settings\administrador\configurações locais\dados de aplicativos\Adobe
2014-04-18 13:27:14 -------- d-----w- c:\documents and settings\administrador\configurações locais\dados de aplicativos\Google
2014-04-15 22:49:55 8049928 ----a-w- c:\documents and settings\all users\dados de aplicativos\microsoft\microsoft antimalware\definition updates\{b7f4ca06-3aca-4b78-9755-227f0bad7424}\mpengine.dll
.
==================== Find3M ====================
.
2014-04-30 19:35:57 31088 ----a-w- c:\windows\system32\drivers\GbpNdisrd.sys
2014-03-17 18:18:28 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-17 18:18:28 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-17 18:18:21 5777288 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-01-20 22:46:10 17464864 ----a-w- c:\arquivos de programas\PDFCreator-1_6_2_setup.exe
2012-12-02 21:14:24 13326040 ----a-w- c:\arquivos de programas\MacDrive Standard 9.0.4.21 (en) Setup.exe
2011-10-23 22:48:03 1094656 ----a-w- c:\arquivos de programas\paint.exe
2011-06-26 22:02:27 1029000 ----a-w- c:\arquivos de programas\SkypeSetup.exe
.
============= FINISH: 16:56:25,85 ===============
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-04-30 16:57:37
-----------------------------
16:57:37.250 OS Version: Windows 5.1.2600 Service Pack 3
16:57:37.250 Number of processors: 1 586 0xF0D
16:57:37.250 ComputerName: HOME UserName:
16:57:39.406 Initialize success
16:57:58.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:57:58.703 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152626MB BusType: 3
16:57:58.859 Disk 0 MBR read successfully
16:57:58.875 Disk 0 MBR scan
16:57:58.890 Disk 0 Windows XP default MBR code
16:57:58.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
16:57:58.921 Disk 0 scanning sectors +312560640
16:57:59.046 Disk 0 scanning C:\WINDOWS\system32\drivers
16:58:15.640 Service scanning
16:58:41.328 Modules scanning
16:58:48.562 Disk 0 trace - called modules:
16:58:48.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
16:58:48.609 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f22ab8]
16:58:48.625 3 CLASSPNP.SYS[f77d6fd7] -> nt!IofCallDriver -> \Device\0000005f[0x86f253b8]
16:58:48.640 5 ACPI.sys[f774d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f6c940]
16:58:48.671 Scan finished successfully
16:59:13.015 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrador\Desktop\MBR.dat"
16:59:13.031 The log file has been saved successfully to "C:\Documents and Settings\Administrador\Desktop\aswMBR.txt"
Click on this link to download : ADWCleaner
Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.
Do not click on any links in the top Advertisment.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
Once installed, Malwarebytes will ask if you want to Launch Now. Please select to do so and then Malwarebytes will open and update on its own. Please allow this to complete.
If an update is found, it will download and install the latest version.
Let's be sure to run a Hyper Scan. Press the Scan tab and then select Hyper Scan.
Press Scan Now then Skip Update (since we just updated it).
When the scan is complete, click View Detailed Log, then Export to save the log to your Desktop (name the log MBAM Scan).
Copy and Paste all of the information in that file to your next reply.
Hi,
ADW saved 2 log files. I'm posting both.
I couldn't update Mbam since the desktop is without internet connection. It allowed me to perform only the complete scan ("Threat Scan"), i couldn't do only the requested hyperscan, it was disabled. And more, it detected some 3 or 4 threats and asked me what i do with them. I did nothing. Also, I didn't know if the history .xml log is equal to the exported .txt, so i'm posting both too.
Thank you for the assistance.
# AdwCleaner v3.205 - Relatório criado 01/05/2014 às 11:31:02
# Atualizado 28/04/2014 por Xplode
# Sistema Operacional : Microsoft Windows XP Service Pack 3 (32 bits)
# Usuário : Administrador - HOME
# Executando de : C:\Documents and Settings\Administrador\Desktop\AdwCleaner.exe
# Opção : Examinar
***** [ Serviços ] *****
***** [ Arquivos / Pastas ] *****
Arquivo Encontrado : C:\Documents and Settings\JOELMA\Dados de aplicativos\Mozilla\Firefox\Profiles\iodhr47x.default\.autoreg
Pasta Encontrado : C:\Documents and Settings\All Users\Dados de aplicativos\Trymedia
***** [ Atalhos ] *****
***** [ Registro ] *****
Chave Encontrada : HKLM\Software\Trymedia Systems
***** [ Navegadores ] *****
-\\ Internet Explorer v8.0.6001.18702
-\\ Google Chrome v34.0.1847.116
[ Arquivo : C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\preferences ]
[ Arquivo : C:\Documents and Settings\JOELMA\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\preferences ]
# AdwCleaner v3.205 - Relatório criado 01/05/2014 às 11:31:51
# Atualizado 28/04/2014 por Xplode
# Sistema Operacional : Microsoft Windows XP Service Pack 3 (32 bits)
# Usuário : Administrador - HOME
# Executando de : C:\Documents and Settings\Administrador\Desktop\AdwCleaner.exe
# Opção : Limpar
***** [ Serviços ] *****
***** [ Arquivos / Pastas ] *****
Pasta Deletada : C:\Documents and Settings\All Users\Dados de aplicativos\Trymedia
Arquivo Deletada : C:\Documents and Settings\JOELMA\Dados de aplicativos\Mozilla\Firefox\Profiles\iodhr47x.default\.autoreg
***** [ Atalhos ] *****
***** [ Registro ] *****
Chave Deletedo : HKLM\Software\Trymedia Systems
***** [ Navegadores ] *****
-\\ Internet Explorer v8.0.6001.18702
-\\ Google Chrome v34.0.1847.116
[ Arquivo : C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\preferences ]
[ Arquivo : C:\Documents and Settings\JOELMA\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default\preferences ]
This is what your up against, your computer is considered Compromised, what that means is that its not to be trusted to do any online banking or shopping with a credit card, if you have done online banking you need to use a known clean computer and log into your bank and shopping sites you use and change all your passwords, I would also keep and eye on your credit card bills and banking statements for any unauthorized entries
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
Is there any way to access the internet in safe mode? Because my pc still show a black screen with only the mouse pointer in it after the "welcome" windows xp screen.
Remember that the e:\ drive, if it appears, is the pen drive i'm using to exchange the files between computers.
Posting logs.
OTL Extras logfile created on: 6/5/2014 14:22:51 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrador\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy
1015,48 Mb Total Physical Memory | 794,62 Mb Available Physical Memory | 78,25% Memory free
2,39 Gb Paging File | 2,27 Gb Available in Paging File | 95,13% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 149,04 Gb Total Space | 126,07 Gb Free Space | 84,58% Space Free | Partition Type: NTFS
Drive E: | 3,65 Gb Total Space | 3,46 Gb Free Space | 94,94% Space Free | Partition Type: FAT32
Computer Name: HOME | User Name: Administrador | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" = C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Arquivos de programas\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Arquivos de programas\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Arquivos de programas\Microsoft Office\Office12\GROOVE.EXE" = C:\Arquivos de programas\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Arquivos de programas\Microsoft Office\Office12\ONENOTE.EXE" = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" = C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Arquivos de programas\Skype\Phone\Skype.exe" = C:\Arquivos de programas\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{0FFEA8EE-7BC7-4C9D-8CC6-5B8C891BA3F2}" = Windows Live Essentials
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C9416-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}" = Assistente de Conexão do Windows Live
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{590035D9-BFA0-406A-A7F0-479C72C0DDB2}" = Windows Live Call
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{66EBD70F-A42C-475F-AEDF-277378151046}" = Nero 7 Essentials
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{859B9BCA-5376-4566-9F88-C6C9DAA7A925}" = Microsoft Security Client PT-BR Language Pack
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0416-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Portuguese (Brazil)) 12
"{90120000-0015-0416-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Brazil)) 2007
"{90120000-0016-0416-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Brazil)) 2007
"{90120000-0018-0416-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007
"{90120000-0019-0416-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007
"{90120000-001A-0416-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007
"{90120000-001B-0416-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Brazil)) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0416-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Brazil)) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0416-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Brazil)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0416-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007
"{90120000-006E-0416-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Brazil)) 2007
"{90120000-00A1-0416-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007
"{90120000-00BA-0416-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Brazil)) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9ADC3E4F-34DA-48CD-8727-BB26D90257BD}" = Windows Live Messenger
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1046-7B44-AB0000000001}" = Adobe Reader XI (11.0.02) - Português
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{D40C0608-033D-43A7-B4D7-B0EE493F938C}" = Microsoft Antimalware Service PT-BR Language Pack
"{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}" = Alcatel SpeedTouch USB Software
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"7-Zip" = 7-Zip 4.42
"Adobe Flash Player ActiveX" = Adobe Flash Player 12 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 12 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"Google Chrome" = Google Chrome
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.1.1004
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 9.0.1 (x86 pt-BR)" = Mozilla Firefox 9.0.1 (x86 pt-BR)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Programador de Modem_is1" = SModem 1.0
"Receitanet Java 2010.02d" = Receitanet Java 2010.02d
"TurboADSL_is1" = TurboADSL 0.98
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = Arquivo do WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 1/5/2014 10:37:17 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: The server name or address could not be resolved
Error - 1/5/2014 10:37:17 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: Esta conexão de rede não existe.
Error - 4/5/2014 10:27:07 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: The server name or address could not be resolved
Error - 4/5/2014 10:27:08 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: Esta conexão de rede não existe.
Error - 5/5/2014 14:45:36 | Computer Name = HOME | Source = Application Error | ID = 1004
Description = Aplicativo com falha MsMpEng.exe, versão 3.0.8107.0, módulo com falha
mpengine.dll, versão 1.1.10501.0, endereço com falha 0x003d684d.
Error - 5/5/2014 14:45:52 | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Aplicativo com falha MsMpEng.exe, versão 3.0.8107.0, módulo com falha
mpengine.dll, versão 1.1.10501.0, endereço com falha 0x003d684d.
Error - 6/5/2014 13:17:54 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: The server name or address could not be resolved
Error - 6/5/2014 13:17:54 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: Esta conexão de rede não existe.
[ Application Events ]
Error - 1/5/2014 10:37:17 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: The server name or address could not be resolved
Error - 1/5/2014 10:37:17 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: Esta conexão de rede não existe.
Error - 4/5/2014 10:27:07 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: The server name or address could not be resolved
Error - 4/5/2014 10:27:08 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: Esta conexão de rede não existe.
Error - 5/5/2014 14:45:36 | Computer Name = HOME | Source = Application Error | ID = 1004
Description = Aplicativo com falha MsMpEng.exe, versão 3.0.8107.0, módulo com falha
mpengine.dll, versão 1.1.10501.0, endereço com falha 0x003d684d.
Error - 5/5/2014 14:45:52 | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Aplicativo com falha MsMpEng.exe, versão 3.0.8107.0, módulo com falha
mpengine.dll, versão 1.1.10501.0, endereço com falha 0x003d684d.
Error - 6/5/2014 13:17:54 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: The server name or address could not be resolved
Error - 6/5/2014 13:17:54 | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Falha na recuperação de atualização automática do número de seqüência
de lista raiz de terceiros de: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
com erro: Esta conexão de rede não existe.
[ OSession Events ]
Error - 19/3/2012 18:04:41 | Computer Name = HOME | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2631
seconds with 120 seconds of active time. This session ended with a crash.
[ System Events ]
Error - 7/3/2014 15:30:13 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 7/3/2014 18:17:26 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 8/3/2014 10:55:18 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 8/3/2014 12:55:43 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 8/3/2014 16:59:29 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 9/3/2014 09:39:40 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 9/3/2014 14:42:26 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 9/3/2014 15:10:35 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 9/3/2014 16:21:34 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
Error - 9/3/2014 19:12:48 | Computer Name = HOME | Source = sr | ID = 1
Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'
ao processar o arquivo '' no volume 'HarddiskVolume1'. O monitoramento do volume
foi interrompido.
< End of report >
Next.
OTL logfile created on: 6/5/2014 14:22:51 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrador\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy
1015,48 Mb Total Physical Memory | 794,62 Mb Available Physical Memory | 78,25% Memory free
2,39 Gb Paging File | 2,27 Gb Available in Paging File | 95,13% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 149,04 Gb Total Space | 126,07 Gb Free Space | 84,58% Space Free | Partition Type: NTFS
Drive E: | 3,65 Gb Total Space | 3,46 Gb Free Space | 94,94% Space Free | Partition Type: FAT32
Computer Name: HOME | User Name: Administrador | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
I am seeing a lot bad on your OTL log, the reason for no internet is that your heavily infected . Lets see what Combofix removes and it it helps your connection
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.