Publicado em 15 de jan.

[Arquivado] Popup Abre Sozinho

Olá, estou com um computador de uma cliente que a muito tempo abre popups indesejados em todos os navegadores. Já tentei de tudo, e nada. Bom instalei o combofix, rodei e gerou o relatório em TXT, porém daqui pra frente eu não sei o que fazer.

Segue o log geradopelo combofix:

____________________________________

ComboFix 13-01-14.01 - USER 15/01/2013 0:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2037.1399 [GMT -2:00]
Executando de: c:\documents and settings\USER\Desktop\ComboFix.exe
Comandos utilizados :: /u
AV: Avira Desktop Disabled/Updated {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - drivers: deleted 412 bytes in 1 streams.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-12-15 to 2013-01-15 ))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-15 02:31 . 2010-06-30 02:39 17488 ----a-w- c:\windows\gdrv.sys
2013-01-09 15:43 . 2012-04-02 14:12 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 15:43 . 2011-08-22 15:01 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2008-04-14 06:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 11:56 . 2009-03-21 14:20 1875584 ----a-w- c:\windows\system32\win32k.sys
2012-11-08 11:40 . 2012-03-15 13:55 83912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-11-08 11:40 . 2012-03-15 13:56 52648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-11-08 11:40 . 2012-03-15 13:56 31144 ----a-w- c:\windows\system32\LMIport.dll
2012-11-08 11:40 . 2012-03-15 13:55 92072 ----a-w- c:\windows\system32\LMIinit.dll
2012-11-06 02:00 . 2009-03-21 14:20 1446912 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:04 . 2008-04-14 06:59 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:12 . 2008-04-14 06:59 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:12 . 2008-04-14 06:59 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:12 . 2008-04-14 06:59 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 06:59 385024 ------w- c:\windows\system32\html.iec
2012-10-11 01:05 . 2012-10-23 01:33 261600 ----a-w- c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-07 . 1B35C639F5181537494902A72B817699 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
Nota entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"LogMeIn GUI"="c:\arquivos de programas\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2012-07-02 348664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Service Manager.lnk - c:\mssql7\Binn\sqlmangr.exe [2010-10-20 110592]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2012-04-23 20:19 623560 ------w- c:\arquivos de programas\GbPlugin\gbiehabn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2012-11-22 18:05 1585768 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
2012-10-04 17:05 650088 ------w- c:\arquivos de programas\GbPlugin\gbiehcef.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-08 11:40 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABBYY Screenshot Reader Retail]
2009-10-26 23:07 959752 ----a-w- c:\arquivos de programas\ABBYY Screenshot Reader\ScreenshotReader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49 318096 ----a-w- c:\arquivos de programas\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 14:24 197928 ----a-w- c:\arquivos de programas\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 01:12 3872080 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-01-21 03:18 134656 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-25 06:07 17887232 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-06-09 15:06 254696 ----a-w- c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"BBUpdate"=3 (0x3)
"BBSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Abacus\\Abacus.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"1433:TCP"= 1433:TCP:gepro
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [02/07/2010 16:18 46440]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [22/10/2012 01:20 36000]
R2 ABBYY.Licensing.FineReader.ScreenshotReader.9.0;ABBYY.Licensing.FineReader.ScreenshotReader.9.0;c:\arquivos de programas\ABBYY Screenshot Reader\NetworkLicenseServer.exe [14/05/2009 12:07 759048]
R2 AntiVirSchedulerService;Avira Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [22/10/2012 01:20 86224]
R2 ES lite Service;ES lite Service for program management.;c:\arquivos de programas\Gigabyte\EasySaver\essvr.exe [30/06/2010 00:27 68136]
R2 FreeAgentGoNext Service;Seagate Service;c:\arquivos de programas\Seagate\SeagateManager\Sync\FreeAgentService.exe [18/12/2009 12:25 189736]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [02/07/2010 16:18 280168]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\arquivos de programas\LogMeIn\x86\LMIGuardianSvc.exe [31/01/2012 22:30 374704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\arquivos de programas\LogMeIn\x86\rainfo.sys [16/09/2011 15:10 12856]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [30/06/2010 00:32 44032]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [09/01/2012 16:30 29432]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/06/2010 00:29 1684736]
S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [09/01/2012 16:30 29432]
.
--- =Outros Serviços/Drivers Na Memória ---
.
NewlyCreated - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-14 13:02 1606760 ----a-w- c:\arquivos de programas\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2013-01-15 c:\windows\Tasks\Adobe Flash Player Updater.job

c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 15:43]

.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-05-22 17:47]
.

2013-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-05-22 17:47]
.
.

------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bancoreal.com.br\www
Trusted Zone: bancosantander.com.br\www
Trusted Zone: bb.com.br\www
Trusted Zone: caixa.gov.br
Trusted Zone: caixa.gov.br\internetbanking
Trusted Zone: realsecureweb.com.br\www
Trusted Zone: realsecureweb.com.br\www2
Trusted Zone: realsecureweb.com.br\wwws
Trusted Zone: santander.com.br\www
Trusted Zone: santanderempresarial.com.br\www
Trusted Zone: santandernet.com.br\www
Trusted Zone: santandernet.com.br\wwws
Trusted Zone: santandernet.com.br\wwws2
Trusted Zone: santandernetibe.com.br\www
Trusted Zone: secureweb.com.br\www
TCP: DhcpNameServer = 189.4.128.66 189.4.128.61
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://monteirolobatosantos.no-ip.biz:8080/cab/Live.cab
DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} - hxxps://cpne.bradesco.com.br/certifexp.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-15 00:52
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.

- - - - - - > 'winlogon.exe'(704)

c:\arquivos de programas\GBPLUGIN\gbieh.dll
c:\arquivos de programas\GbPlugin\gbiehcef.dll
c:\arquivos de programas\GbPlugin\gbiehabn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.

- - - - - - > 'explorer.exe'(180)

c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\arquivos de programas\GBPLUGIN\gbieh.dll
c:\arquivos de programas\GbPlugin\gbiehabn.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\arquivos de programas\Scpad\scpLIB.dll
c:\arquivos de programas\Scpad\scpMIB.dll
c:\arquivos de programas\GbPlugin\gbiehcef.dll
.
Tempo para conclusão: 2013-01-15 00:53:43
ComboFix-quarantined-files.txt 2013-01-15 02:53
ComboFix2.txt 2013-01-15 02:27
.
Pré-execução: 20 pasta(s) 119.674.744.832 bytes disponíveis
Pós execução: 21 pasta(s) 119.670.661.120 bytes disponíveis
.

- End Of File - - 8B57F98CA69C89A3B7B87CC4A5593F6F

______________________________________

Aguardo Resposta,

Att,

Diego Lima

Discussão (21)

Entre ou cadastre-se para participar da discussão

Entrar Criar conta

Carregando comentários...