Archived

This topic has been archived and is closed to new replies.

Diego Lima

[Archived] Popup opens by itself

Hello, I have a client's computer that has been opening unwanted popups in every browser for a long time. I've tried everything, and nothing works. Well, I installed ComboFix, ran it, and it generated the report as a TXT file, but from here on I don't know what to do.

Here is the log generated by ComboFix:

____________________________________

 

ComboFix 13-01-14.01 - USER 15/01/2013 0:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2037.1399 [GMT -2:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: /u
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - drivers: deleted 412 bytes in 1 streams.
.
(((((((((((((((( Files Created From 2012-12-15 to 2013-01-15 ))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-15 02:31 . 2010-06-30 02:39 17488 ----a-w- c:\windows\gdrv.sys
2013-01-09 15:43 . 2012-04-02 14:12 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 15:43 . 2011-08-22 15:01 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2008-04-14 06:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 11:56 . 2009-03-21 14:20 1875584 ----a-w- c:\windows\system32\win32k.sys
2012-11-08 11:40 . 2012-03-15 13:55 83912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-11-08 11:40 . 2012-03-15 13:56 52648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-11-08 11:40 . 2012-03-15 13:56 31144 ----a-w- c:\windows\system32\LMIport.dll
2012-11-08 11:40 . 2012-03-15 13:55 92072 ----a-w- c:\windows\system32\LMIinit.dll
2012-11-06 02:00 . 2009-03-21 14:20 1446912 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:04 . 2008-04-14 06:59 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:12 . 2008-04-14 06:59 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:12 . 2008-04-14 06:59 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:12 . 2008-04-14 06:59 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 06:59 385024 ------w- c:\windows\system32\html.iec
2012-10-11 01:05 . 2012-10-23 01:33 261600 ----a-w- c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-07 . 1B35C639F5181537494902A72B817699 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"LogMeIn GUI"="c:\arquivos de programas\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2012-07-02 348664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Service Manager.lnk - c:\mssql7\Binn\sqlmangr.exe [2010-10-20 110592]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2012-04-23 20:19 623560 ------w- c:\arquivos de programas\GbPlugin\gbiehabn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2012-11-22 18:05 1585768 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
2012-10-04 17:05 650088 ------w- c:\arquivos de programas\GbPlugin\gbiehcef.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-11-08 11:40 92072 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABBYY Screenshot Reader Retail]
2009-10-26 23:07 959752 ----a-w- c:\arquivos de programas\ABBYY Screenshot Reader\ScreenshotReader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49 318096 ----a-w- c:\arquivos de programas\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 14:24 197928 ----a-w- c:\arquivos de programas\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 01:12 3872080 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-01-21 03:18 134656 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-25 06:07 17887232 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 15:06 254696 ----a-w- c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"BBUpdate"=3 (0x3)
"BBSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Abacus\\Abacus.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"1433:TCP"= 1433:TCP:gepro
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [02/07/2010 16:18 46440]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [22/10/2012 01:20 36000]
R2 ABBYY.Licensing.FineReader.ScreenshotReader.9.0;ABBYY.Licensing.FineReader.ScreenshotReader.9.0;c:\arquivos de programas\ABBYY Screenshot Reader\NetworkLicenseServer.exe [14/05/2009 12:07 759048]
R2 AntiVirSchedulerService;Avira Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [22/10/2012 01:20 86224]
R2 ES lite Service;ES lite Service for program management.;c:\arquivos de programas\Gigabyte\EasySaver\essvr.exe [30/06/2010 00:27 68136]
R2 FreeAgentGoNext Service;Seagate Service;c:\arquivos de programas\Seagate\SeagateManager\Sync\FreeAgentService.exe [18/12/2009 12:25 189736]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [02/07/2010 16:18 280168]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\arquivos de programas\LogMeIn\x86\LMIGuardianSvc.exe [31/01/2012 22:30 374704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\arquivos de programas\LogMeIn\x86\rainfo.sys [16/09/2011 15:10 12856]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [30/06/2010 00:32 44032]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [09/01/2012 16:30 29432]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [30/06/2010 00:29 1684736]
S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [09/01/2012 16:30 29432]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-14 13:02 1606760 ----a-w- c:\arquivos de programas\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 15:43]
.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-05-22 17:47]
.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-05-22 17:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bancoreal.com.br\www
Trusted Zone: bancosantander.com.br\www
Trusted Zone: bb.com.br\www
Trusted Zone: caixa.gov.br
Trusted Zone: caixa.gov.br\internetbanking
Trusted Zone: realsecureweb.com.br\www
Trusted Zone: realsecureweb.com.br\www2
Trusted Zone: realsecureweb.com.br\wwws
Trusted Zone: santander.com.br\www
Trusted Zone: santanderempresarial.com.br\www
Trusted Zone: santandernet.com.br\www
Trusted Zone: santandernet.com.br\wwws
Trusted Zone: santandernet.com.br\wwws2
Trusted Zone: santandernetibe.com.br\www
Trusted Zone: secureweb.com.br\www
TCP: DhcpNameServer = 189.4.128.66 189.4.128.61
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://monteirolobatosantos.no-ip.biz:8080/cab/Live.cab
DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} - hxxps://cpne.bradesco.com.br/certifexp.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-15 00:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\arquivos de programas\GBPLUGIN\gbieh.dll
c:\arquivos de programas\GbPlugin\gbiehcef.dll
c:\arquivos de programas\GbPlugin\gbiehabn.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\arquivos de programas\GBPLUGIN\gbieh.dll
c:\arquivos de programas\GbPlugin\gbiehabn.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\arquivos de programas\Scpad\scpLIB.dll
c:\arquivos de programas\Scpad\scpMIB.dll
c:\arquivos de programas\GbPlugin\gbiehcef.dll
.
Completion time: 2013-01-15 00:53:43
ComboFix-quarantined-files.txt 2013-01-15 02:53
ComboFix2.txt 2013-01-15 02:27
.
Pre-Run: 20 dir(s) 119,674,744,832 bytes free
Post-Run: 21 dir(s) 119,670,661,120 bytes free
.
- - End Of File - - 8B57F98CA69C89A3B7B87CC4A5593F6F
______________________________________

 

Awaiting your reply,

Regards,

Diego Lima

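An added example (not part of Diego's post, and not code from ComboFix): a small triage pass over the "Supplementary Scan" section of the log above. It re-fangs ComboFix's `hxxp://` URLs, pulls out the `DPF:` entries (ActiveX CAB installs recorded under Download Program Files) and the Internet Explorer Trusted Zone hosts, and marks a DPF entry for review when the CAB is fetched without TLS, from a non-standard port, or from a dynamic-DNS name. These are review heuristics, not a malware verdict: the sample lines are copied from the posted log, and the dynamic-DNS suffix list is an assumption of this example.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the ComboFix log posted above ("Supplementary Scan" section).
# ComboFix writes URLs as hxxp/hxxps so the log cannot be clicked by accident.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com.br/
Trusted Zone: bancobrasil.com.br\\www
Trusted Zone: caixa.gov.br
Trusted Zone: santandernet.com.br\\wwws
TCP: DhcpNameServer = 189.4.128.66 189.4.128.61
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://monteirolobatosantos.no-ip.biz:8080/cab/Live.cab
DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} - hxxps://cpne.bradesco.com.br/certifexp.cab
"""

# Dynamic-DNS suffixes worth a second look; an assumption of this example, extend as needed.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "dyndns.org", "ddns.net", "hopto.org")

DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(\S+)")
TZ_RE = re.compile(r"^Trusted Zone:\s+(\S+)")


def refang(url):
    """Turn ComboFix's hxxp:// and hxxps:// back into a scheme urlparse understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def triage_dpf(url):
    """Return the set of reasons an analyst should review this ActiveX (CAB) install entry."""
    u = urlparse(refang(url))
    reasons = set()
    if u.scheme != "https":
        reasons.add("plain_http")        # CAB fetched without TLS: replaceable in transit
    if u.port not in (None, 80, 443):
        reasons.add("nonstandard_port")  # e.g. :8080, typical of a home-hosted server
    host = (u.hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.add("dynamic_dns")       # code download pinned to a dynamic-DNS name
    return reasons


def triage_log(text):
    """Walk the log once; collect DPF entries (with reasons) and Trusted Zone hosts."""
    dpf, trusted = [], []
    for line in text.splitlines():
        m = DPF_RE.match(line)
        if m:
            clsid, url = m.groups()
            dpf.append({"clsid": clsid, "url": refang(url), "reasons": triage_dpf(url)})
            continue
        m = TZ_RE.match(line)
        if m:
            # ComboFix prints "domain\host"; each entry lowers IE's security level for that host
            domain, _, host = m.group(1).partition("\\")
            trusted.append(host + "." + domain if host else domain)
    return {"dpf": dpf, "trusted_zone": trusted}


def suspicious_dpf(text):
    """Only the DPF entries that collected at least one review reason."""
    return [e for e in triage_log(text)["dpf"] if e["reasons"]]


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for e in report["dpf"]:
        flag = "REVIEW" if e["reasons"] else "ok    "
        print(f"{flag} {e['clsid']} {e['url']} {sorted(e['reasons'])}")
    print("Trusted Zone hosts (confirm each one is a site the client really uses):")
    for h in report["trusted_zone"]:
        print("  ", h)
```

The Trusted Zone list is printed rather than scored: whether a bank host belongs there is a question for the client, not for a regex. The CLSID of a flagged DPF entry is what you would look up under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units to find the installed CAB's files.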

Good morning, Diego Lima

|- Download: < MBRscan > ( ... by Eric_71 )
|- Save it to the local disk or the desktop!


|- Click "MbrScan.exe".


|- Click "Report".
|- Post the report! ( MbrScan.txt )

|- Download: < OTL > ( ... by OldTimer Tools )

|- Save it to the desktop!
|- Double-click OTL.exe >> Run, or Run as administrator.

|- PS: If you have trouble running OTL.exe, delete the file and download it from here or here.

|- Configure the tool as in the screenshot!
|- Under "Extra Registry", select "None".

*crack* /s
*keygen* /s
*serial* /s
*AutoKMS* /s
*loader* /s
*netsvcs*
*msconfig*
%SYSTEMDRIVE%\*.*
%APPDATA%\Local\*.
%APPDATA%\*.exe /s
%APPDATA%\*.
%systemdrive%\drivers\*.exe
%USERPROFILE%\AppData\Local\*.*
%USERPROFILE%\AppData\Roaming\*.*
%systemroot%\*. /mp /s
%systemroot%\system32\drivers\*.* /90
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_64\*.* /S /MD5
%systemroot%\system32\config\systemprofile\AppData\Local\*.*
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
/md5start
services.exe
/md5stop
regedit /e c:\registrybackup.reg /c
%systemroot%\system32\tasks\*.* /s /64
%windir%\tasks\*.* /s

|- Copy the information from the Code box above into Notepad.
|- Save it in My Documents or on the desktop with the name scan. << Text file!
|- Click the "Custom Scans/Fixes" area.

|- Click OK to browse for a file with a custom scan.
|- Click "Open". ( scan.txt )

|- After pasting the information into the white area, click the scan button.

|- When it finishes, post the report: OTL.txt << Link to the report!

|- To upload it, go to: < MyFile.tk >

|- Or go to: < Cjoint >

|- More information: < |Link| >

A+

 

Here is the MbrScan report:
_______________________________________________________
MBRScan v1.1.1
 
OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 6 Model 23 Stepping 10, GenuineIntel
BOOT           : Normal Boot
DATE           : 2013/01/17 (ISO 8601) at 19:58:44
________________________________________________________________________________
 
DISK           : Device\Harddisk0\DR0 __WDC WD3200AAJS-00L7A0 (01.03E01)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________
 
DISK           : Device\Harddisk1\DR3 __Seagate FreeAgent Go (0148)
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________
 
Device\Harddisk0\DR0 298.1 Go  [Fixed] ==> XP MBR Code
 
MBR_MD5   : F80894C1E5F61E113886D366D1FDC5BC
MBR_SHA1  : D15B9E87EC1D781B984F9FA24C7BBE40D3930087
 
Device\Harddisk0\Partition1 156.2 Go   0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2 141.8 Go   0x07 NTFS / HPFS
________________________________________________________________________________
 
Device\Harddisk1\DR3 298.1 Go  [Fixed] ==> Unknown MBR Code ....
 
MBR_MD5   : EF40FDA18EB16B861F28D6E536039BD1
MBR_SHA1  : 6B63454B701E541F52C0D60B14F5E74C608B0DD1
 
Device\Harddisk1\Partition1 298.1 Go   0x07 NTFS / HPFS
________________________________________________________________________________
 
############################### Additional scan ################################
 
DRIVER  : C:\WINDOWS\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0xA8104000
SIZE    : 96.0 Ko
 
DRIVER  : C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xBA660000
SIZE    : 8.0 Ko
 
SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT
 
________________________________________________________________________________
 
_______MBR   \Device\Harddisk0\DR0  
 
0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04   ¿..PW¹å.ó¤Ë½¾.±.
0x00000020   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5   8n.|.u..Å.âôÍ..õ
0x00000030   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B   .Æ.It.8,tö.µ.´..
0x00000040   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88   ð¬<.tü»..´.Í.ëò.
0x00000050   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B   N.èF.s*þF..~..t.
0x00000060   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83   .~..t..¶.uÒ.F...
0x00000070   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB   F...V..è!.s..¶.ë
0x00000080   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0   ¼.>þ}Uªt..~..tÈ.
0x00000090   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56   ·.ë©.ü.W.õË¿...V
0x000000A0   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC   .´.Í.r#.Á$?..Þ.ü
0x000000B0   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56   C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C   .w#r.9F.s.¸..».|
0x000000D0   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A   .N..V.Í.sQOtN2ä.
0x000000E0   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD   V.Í.ëä.V.`»ªU´AÍ
0x000000F0   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60   .r6.ûUªu0öÁ.t+a`
0x00000100   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A   j.j..v..v.j.h.|j
0x00000110   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B   .j.´B.ôÍ.aas.Ot.
0x00000120   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 54 61 62 65   2ä.V.Í.ëÖaùÃTabe
0x00000130   6C 61 20 64 65 20 70 61 72 74 69 87 E4 65 73 20   la de parti.äes 
0x00000140   69 6E 76 A0 6C 69 64 61 00 45 72 72 6F 20 61 6F   inv.lida.Erro ao
0x00000150   20 63 61 72 72 65 67 61 72 20 6F 20 73 69 73 74    carregar o sist
0x00000160   65 6D 61 20 6F 70 65 72 61 63 69 6F 6E 61 6C 00   ema operacional.
0x00000170   53 69 73 74 65 6D 61 20 6F 70 65 72 61 63 69 6F   Sistema operacio
0x00000180   6E 61 6C 20 61 75 73 65 6E 74 65 00 00 00 00 00   nal ausente.....
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 2C 49 70 F8 8A 9F 68 CF C9 80 01   .....,Ipø..hÏÉ..
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 2E F7 87 13 00 FE   ...þ..?....÷...þ
0x000001D0   FF FF 07 FE FF FF 6D F7 87 13 54 DF BA 11 00 00   ...þ..m÷..Tߺ...
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª
 
_______MBR   \Device\Harddisk1\DR3  
 
0x00000000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000110   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000120   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000130   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 00 00 00 00 73 B5 A4 00 00 00 01   .........sµ¤....
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 82 D6 42 25 00 00   ...þ..?....ÖB%..
0x000001D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª
Here is the link to the OTL.txt report.... I hope I followed the instructions correctly!

http://cjoint.com/13jv/CArxxxT0phV.htm

Good evening, Diego Lima

Device\Harddisk1\DR3 298.1 Go [Fixed] ==> Unknown MBR Code ....

|- The MBR shows unknown code; the restore can be done with MbrScan.
|- Open the tool and click Report.
|- When it finishes, click FixMBR, if that button becomes active.
|- Reboot and run MbrScan again.
|- Click Report and post the report.

-/-

|- Run OTL.exe.
|- Copy the information from the Code box below into the tool's clipboard field. ( "Custom Scans/Fixes" )

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\rt73.sys -- (RT73)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\USER\CONFIG~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | System | Stopped] --  -- (aswTdi)
DRV - File not found [Kernel | System | Stopped] --  -- (aswSP)
DRV - File not found [File_System | System | Stopped] --  -- (aswSnx)
DRV - File not found [Kernel | System | Stopped] --  -- (AswRdr)
DRV - File not found [File_System | Auto | Stopped] --  -- (aswMon2)
DRV - File not found [File_System | Auto | Stopped] --  -- (aswFsBlk)
DRV - File not found [Kernel | System | Stopped] --  -- (Aavmker4)
IE - HKCU\..\SearchScopes\{A5BC1D25-F52A-445A-AA8A-95AA38043781}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=pt_BR&apn_ptnrs=U3&apn_dtid=OSJ000YYBR&apn_uid=9B3C40E5-73C7-492E-9078-7AA8C1B13E55&apn_sauid=ADA483A9-06E0-4E02-9C48-948004E14EA3
FF - user.js - File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} https://cpne.bradesco.com.br/certifexp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Arquivos de programas\Avira\AntiVir Desktop\*.tmp files -> \Arquivos de programas\Avira\AntiVir Desktop\*.tmp -> ]
[2012/01/09 16:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\Ask
[2012/10/21 22:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\AVAST Software

:Files
ipconfig /flushdns /c

:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A5BC1D25-F52A-445A-AA8A-95AA38043781}]

:Commands
[CLEARALLRESTOREPOINTS]
[purity]
[emptytemp]
[Reboot]

|- Click the Consertar button -> Wait for it to finish!
|- The computer will reboot! -> Click "Run".

|- In the English version the button is called Run Fix, which is the same as Consertar.
|- Post the report: C:\_OTL\MovedFiles\*.log

A+

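An added example, not part of either post and not code from MbrScan: a parser for the `offset / 16 hex bytes / ASCII` rows MbrScan printed above, followed by the checks a responder would run before reaching for FixMBR. MbrScan labels \Device\Harddisk1\DR3 (the Seagate USB disk) "Unknown MBR Code", and the dump shows why: every byte before the disk signature at 0x1B8 is zero, so there is no boot code to recognise at all, while the partition table and the 0x55AA signature are intact. The rows below are copied from the posted dumps; the all-zero rows are left out because the parser keeps unseen bytes at zero (an assumption stated in the comments), and the "contiguous partitions" check and the verdict wording are this example's own heuristics.

```python
import hashlib
import re
import struct

# One MbrScan dump row: 8-digit hex offset, sixteen hex bytes, then an ASCII column we ignore.
ROW_RE = re.compile(r"^\s*0x([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2} ){15}[0-9A-Fa-f]{2})")

# Rows copied from the \Device\Harddisk1\DR3 (Seagate FreeAgent Go) dump posted above.
# The post shows rows 0x000-0x1A0, 0x1D0 and 0x1E0 as all zeros; they are omitted here
# because parse_mbrscan_dump() keeps every byte it never sees at zero (assumption).
HD1_DUMP = """\
0x000001B0   00 00 00 00 00 00 00 00 00 73 B5 A4 00 00 00 01   .........sµ¤....
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 82 D6 42 25 00 00   ...þ..?....ÖB%..
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª
"""
HD1_POSTED_MD5 = "EF40FDA18EB16B861F28D6E536039BD1"  # the MBR_MD5 line MbrScan printed

# Partition-table rows of \Device\Harddisk0\DR0 (the XP system disk) from the same post.
# Its 440 bytes of boot code are not reproduced, so only partition_table() applies to it.
HD0_TABLE = """\
0x000001B0   00 00 00 00 00 2C 49 70 F8 8A 9F 68 CF C9 80 01   .....,Ipø..hÏÉ..
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 2E F7 87 13 00 FE   ...þ..?....÷...þ
0x000001D0   FF FF 07 FE FF FF 6D F7 87 13 54 DF BA 11 00 00   ...þ..m÷..Tߺ...
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª
"""


def parse_mbrscan_dump(text):
    """Rebuild the 512-byte sector from MbrScan's dump rows; unseen rows stay zero."""
    sector = bytearray(512)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            off = int(m.group(1), 16)
            sector[off:off + 16] = bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(sector)


def partition_table(sector):
    """Decode the four 16-byte entries at 0x1BE; empty entries (type 0x00) are skipped."""
    entries = []
    for i in range(4):
        e = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        if e[4] == 0:
            continue
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        entries.append({"index": i + 1, "active": e[0] == 0x80, "type": e[4],
                        "lba_start": lba_start, "sectors": sectors,
                        "gib": round(sectors * 512 / 2 ** 30, 1)})
    return entries


def analyze_mbr(sector):
    """Signature, boot-code presence, NT disk signature, partitions and the hashes MbrScan prints."""
    return {
        "signature_ok": sector[0x1FE:0x200] == b"\x55\xAA",
        "boot_code_all_zero": not any(sector[:0x1B8]),
        "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
        "partitions": partition_table(sector),
        "md5": hashlib.md5(sector).hexdigest().upper(),
        "sha1": hashlib.sha1(sector).hexdigest().upper(),
    }


def verdict(info):
    """What 'Unknown MBR Code' means for this sector, before anyone runs FixMBR."""
    if not info["signature_ok"]:
        return "no 0x55AA signature: not a valid MBR, do not trust its partition table"
    if info["boot_code_all_zero"]:
        return "no boot code at all: normal for a non-boot data disk, nothing for FixMBR to replace"
    return "boot code present: compare the hash with a known-good MBR before replacing it"


def partitions_contiguous(entries):
    """True when each partition starts where the previous one ends; a gap is unpartitioned
    space where a bootkit could keep its payload, so a gap deserves a look (heuristic)."""
    return all(b["lba_start"] == a["lba_start"] + a["sectors"]
               for a, b in zip(entries, entries[1:]))


if __name__ == "__main__":
    hd1 = analyze_mbr(parse_mbrscan_dump(HD1_DUMP))
    print("Harddisk1:", verdict(hd1))
    print("  disk signature 0x%08X, md5 %s, matches posted MBR_MD5: %s"
          % (hd1["disk_signature"], hd1["md5"], hd1["md5"] == HD1_POSTED_MD5))
    for p in hd1["partitions"]:
        print("  partition", p)
    hd0 = partition_table(parse_mbrscan_dump(HD0_TABLE))
    print("Harddisk0 partitions:", hd0)
    print("Harddisk0 partitions contiguous:", partitions_contiguous(hd0))
```

The two decoded tables agree with MbrScan's own summary (one 298.1 GiB NTFS partition on the USB disk; a 156.2 GiB bootable partition and a 141.8 GiB partition on the system disk, the second starting exactly where the first ends). For the system disk, whose boot code MbrScan recognised as stock XP, the useful comparison is the MD5/SHA1 against a sector read from another clean XP install, which is what the hashes in the report are for.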

Here is the MbrScan report (the FixMBR button did not become active):

____________________________________________________________
MBRScan v1.1.1
 
OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 6 Model 23 Stepping 10, GenuineIntel
BOOT           : Normal Boot
DATE           : 2013/01/21 (ISO 8601) at 20:57:36
________________________________________________________________________________
 
DISK           : Device\Harddisk0\DR0 __WDC WD3200AAJS-00L7A0 (01.03E01)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________
 
DISK           : Device\Harddisk1\DR3 __Seagate FreeAgent Go (0148)
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________
 
Device\Harddisk0\DR0 298.1 Go  [Fixed] ==> XP MBR Code
 
MBR_MD5   : F80894C1E5F61E113886D366D1FDC5BC
MBR_SHA1  : D15B9E87EC1D781B984F9FA24C7BBE40D3930087
 
Device\Harddisk0\Partition1 156.2 Go   0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2 141.8 Go   0x07 NTFS / HPFS
________________________________________________________________________________
 
Device\Harddisk1\DR3 298.1 Go  [Fixed] ==> Unknown MBR Code ....
 
MBR_MD5   : EF40FDA18EB16B861F28D6E536039BD1
MBR_SHA1  : 6B63454B701E541F52C0D60B14F5E74C608B0DD1
 
Device\Harddisk1\Partition1 298.1 Go   0x07 NTFS / HPFS
________________________________________________________________________________
 
############################### Additional scan ################################
 
DRIVER  : C:\WINDOWS\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0xA8447000
SIZE    : 96.0 Ko
 
DRIVER  : C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xBA638000
SIZE    : 8.0 Ko
 
SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT
 
________________________________________________________________________________
 
_______MBR   \Device\Harddisk0\DR0  
 
0x00000000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C   3À.м.|ûP.P.ü¾.|
0x00000010   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04   ¿..PW¹å.ó¤Ë½¾.±.
0x00000020   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5   8n.|.u..Å.âôÍ..õ
0x00000030   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B   .Æ.It.8,tö.µ.´..
0x00000040   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88   ð¬<.tü»..´.Í.ëò.
0x00000050   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B   N.èF.s*þF..~..t.
0x00000060   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83   .~..t..¶.uÒ.F...
0x00000070   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB   F...V..è!.s..¶.ë
0x00000080   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0   ¼.>þ}Uªt..~..tÈ.
0x00000090   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56   ·.ë©.ü.W.õË¿...V
0x000000A0   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC   .´.Í.r#.Á$?..Þ.ü
0x000000B0   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56   C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C   .w#r.9F.s.¸..».|
0x000000D0   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A   .N..V.Í.sQOtN2ä.
0x000000E0   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD   V.Í.ëä.V.`»ªU´AÍ
0x000000F0   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60   .r6.ûUªu0öÁ.t+a`
0x00000100   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A   j.j..v..v.j.h.|j
0x00000110   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B   .j.´B.ôÍ.aas.Ot.
0x00000120   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 54 61 62 65   2ä.V.Í.ëÖaùÃTabe
0x00000130   6C 61 20 64 65 20 70 61 72 74 69 87 E4 65 73 20   la de parti.äes 
0x00000140   69 6E 76 A0 6C 69 64 61 00 45 72 72 6F 20 61 6F   inv.lida.Erro ao
0x00000150   20 63 61 72 72 65 67 61 72 20 6F 20 73 69 73 74    carregar o sist
0x00000160   65 6D 61 20 6F 70 65 72 61 63 69 6F 6E 61 6C 00   ema operacional.
0x00000170   53 69 73 74 65 6D 61 20 6F 70 65 72 61 63 69 6F   Sistema operacio
0x00000180   6E 61 6C 20 61 75 73 65 6E 74 65 00 00 00 00 00   nal ausente.....
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 2C 49 70 F8 8A 9F 68 CF C9 80 01   .....,Ipø..hÏÉ..
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 2E F7 87 13 00 FE   ...þ..?....÷...þ
0x000001D0   FF FF 07 FE FF FF 6D F7 87 13 54 DF BA 11 00 00   ...þ..m÷..Tߺ...
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª
 
_______MBR   \Device\Harddisk1\DR3  
 
0x00000000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000030   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000100   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000110   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000120   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000130   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001B0   00 00 00 00 00 00 00 00 00 73 B5 A4 00 00 00 01   .........sµ¤....
0x000001C0   01 00 07 FE FF FF 3F 00 00 00 82 D6 42 25 00 00   ...þ..?....ÖB%..
0x000001D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª


The client's computer just went offline from my remote access session... I'll post the OTL report tomorrow.

 

Regards,

Diego Lima

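As an added example (not part of this thread, of ComboFix, or of any tool mentioned here), the partition-table region of the two MBR dumps above can be decoded with a few lines of Python. The 72 bytes from offset 0x1B8 to the end of each sector are transcribed from the hex columns of the ComboFix dump (Harddisk0\DR0 and Harddisk1\DR3); the bootstrap-code area is zero-filled because only the table is decoded. The parser checks the 0x55AA signature, lists the used slots with their sizes in MiB, and applies the consistency checks an analyst runs on a possibly tampered table: more than one active flag, an entry starting at LBA 0, overlapping entries, and unallocated gaps between entries. The helper names and the small type-ID table are my own choices.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8
PARTITION_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"

# Well-known partition type IDs (only the ones worth naming here).
TYPE_NAMES: Dict[int, str] = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}

# Bytes 0x1B8-0x1FF of the two MBRs in the ComboFix dump above, transcribed
# from the hex columns of the log (Harddisk0\DR0 first, Harddisk1\DR3 second).
DISK0_TAIL = bytes.fromhex(
    "F88A9F68" "CFC9"                               # disk signature, reserved
    "80010100" "07FEFFFF" "3F000000" "2EF78713"     # slot 1 (active, NTFS)
    "00FEFFFF" "07FEFFFF" "6DF78713" "54DFBA11"     # slot 2 (NTFS)
    "00000000" "00000000" "00000000" "00000000"     # slot 3 (unused)
    "00000000" "00000000" "00000000" "00000000"     # slot 4 (unused)
    "55AA"                                          # boot signature
)
DISK1_TAIL = bytes.fromhex(
    "0073B5A4" "0000"
    "00010100" "07FEFFFF" "3F000000" "82D64225"
    "00000000" "00000000" "00000000" "00000000"
    "00000000" "00000000" "00000000" "00000000"
    "00000000" "00000000" "00000000" "00000000"
    "55AA"
)


def sector_from_tail(tail: bytes) -> bytes:
    """Rebuild a 512-byte sector from its last 72 bytes; the bootstrap area is
    zero-filled because this example decodes only the partition table."""
    return bytes(DISK_SIGNATURE_OFFSET) + tail


@dataclass
class Partition:
    slot: int            # 1..4
    bootable: bool       # status byte 0x80
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:      # first sector after the partition
        return self.lba_start + self.sectors

    @property
    def size_mib(self) -> int:
        return self.sectors * SECTOR_SIZE // (1024 * 1024)

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.type_id, "unknown")
        flag = "boot" if self.bootable else "    "
        return (f"slot {self.slot} {flag} type 0x{self.type_id:02X} {name:<14} "
                f"offset {self.lba_start} sectors {self.sectors} ({self.size_mib} MiB)")


def disk_signature(sector: bytes) -> int:
    return struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0]


def parse_partition_table(sector: bytes) -> List[Partition]:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    parts: List[Partition] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_first, type_id, _chs_last, lba_start, sectors = \
            struct.unpack_from("<B3sB3sII", sector, off)
        if type_id == 0 and sectors == 0:
            continue                       # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {i + 1}: invalid status byte 0x{status:02X}")
        parts.append(Partition(i + 1, status == 0x80, type_id, lba_start, sectors))
    return parts


def check_table(parts: List[Partition]) -> List[str]:
    """Consistency checks on a decoded table; an empty list means nothing odd."""
    issues: List[str] = []
    if sum(p.bootable for p in parts) > 1:
        issues.append("more than one slot carries the active (0x80) flag")
    for p in parts:
        if p.lba_start == 0:
            issues.append(f"slot {p.slot} starts at LBA 0 and would overlap the MBR itself")
    by_start = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(by_start, by_start[1:]):
        if a.lba_end > b.lba_start:
            issues.append(f"slot {a.slot} overlaps slot {b.slot}")
    return issues


def unallocated_gaps(parts: List[Partition]) -> List[Tuple[int, int]]:
    """Sector ranges between consecutive partitions: space a plain listing does not show."""
    by_start = sorted(parts, key=lambda p: p.lba_start)
    return [(a.lba_end, b.lba_start) for a, b in zip(by_start, by_start[1:])
            if b.lba_start > a.lba_end]


if __name__ == "__main__":
    for label, tail in (("Harddisk0\\DR0", DISK0_TAIL), ("Harddisk1\\DR3", DISK1_TAIL)):
        sector = sector_from_tail(tail)
        parts = parse_partition_table(sector)
        print(f"{label}: disk signature 0x{disk_signature(sector):08X}")
        for p in parts:
            print("  " + p.describe())
        print("  issues:", check_table(parts) or "none")
        print("  gaps:", unallocated_gaps(parts) or "none")
```

Run stand-alone it prints both tables: the first disk decodes to an active NTFS partition at offset 63 of 159998 MiB followed by an NTFS partition at offset 327677805 of 145243 MiB, with no overlap and no gap between them, which is exactly what the aswMBR listing later in the thread reports; the second disk has a single non-active NTFS partition at offset 63. An all-zero bootstrap area on a second, non-boot disk is normal. What a table decode cannot tell you is whether the bootstrap code present on the boot disk is the genuine one, which is what the MBR-checking tools in the thread compare against known code.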

Hello!

 

|- Have you already tried using the Recovery Console and typing the "fixmbr" command?

|- PS: ComboFix usually installs that feature.

 

A+


OTL report

 

 

All processes killed
========== OTL ==========
Error: No service named WDICA was found to stop!
Service\Driver key WDICA not found.
Error: No service named RT73 was found to stop!
Service\Driver key RT73 not found.
File system32\DRIVERS\rt73.sys not found.
Error: No service named PDRFRAME was found to stop!
Service\Driver key PDRFRAME not found.
Error: No service named PDRELI was found to stop!
Service\Driver key PDRELI not found.
Error: No service named PDFRAME was found to stop!
Service\Driver key PDFRAME not found.
Error: No service named PDCOMP was found to stop!
Service\Driver key PDCOMP not found.
Error: No service named PCIDump was found to stop!
Service\Driver key PCIDump not found.
Error: No service named lbrtfdc was found to stop!
Service\Driver key lbrtfdc not found.
Error: No service named i2omgmt was found to stop!
Service\Driver key i2omgmt not found.
Error: No service named Changer was found to stop!
Service\Driver key Changer not found.
Error: No service named catchme was found to stop!
Service\Driver key catchme not found.
File C:\DOCUME~1\USER\CONFIG~1\Temp\catchme.sys not found.
Error: No service named aswTdi was found to stop!
Service\Driver key aswTdi not found.
Error: No service named aswSP was found to stop!
Service\Driver key aswSP not found.
Error: No service named aswSnx was found to stop!
Service\Driver key aswSnx not found.
Error: No service named AswRdr was found to stop!
Service\Driver key AswRdr not found.
Error: No service named aswMon2 was found to stop!
Service\Driver key aswMon2 not found.
Error: No service named aswFsBlk was found to stop!
Service\Driver key aswFsBlk not found.
Error: No service named Aavmker4 was found to stop!
Service\Driver key Aavmker4 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A5BC1D25-F52A-445A-AA8A-95AA38043781}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5BC1D25-F52A-445A-AA8A-95AA38043781}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Starting removal of ActiveX control {9EC30204-384D-11D3-9CA3-00A024F0AF03}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EC30204-384D-11D3-9CA3-00A024F0AF03}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EC30204-384D-11D3-9CA3-00A024F0AF03}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9EC30204-384D-11D3-9CA3-00A024F0AF03}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EC30204-384D-11D3-9CA3-00A024F0AF03}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ not found.
File Protocol\Handler\msdaipp - No CLSID value found not found.
File/Folder C:\WINDOWS\*.tmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
File/Folder \Arquivos de programas\Avira\AntiVir Desktop\*.tmp not found.
Folder C:\Documents and Settings\All Users\Dados de aplicativos\Ask\ not found.
Folder C:\Documents and Settings\All Users\Dados de aplicativos\AVAST Software\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Configuração de IP do Windows
Liberação do cache do DNS Resolver bem-sucedida.
C:\Documents and Settings\USER\Desktop\Otl\cmd.bat deleted successfully.
C:\Documents and Settings\USER\Desktop\Otl\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A5BC1D25-F52A-445A-AA8A-95AA38043781}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5BC1D25-F52A-445A-AA8A-95AA38043781}\ not found.
========== COMMANDS ==========
Unable to stop System Restore Service. Error code 1722. Restore points not cleared.
Error creating restore point.
[EMPTYTEMP]
User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: USER
->Temp folder emptied: 2278 bytes
->Temporary Internet Files folder emptied: 33300 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 6932199 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12395 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 7,00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 01232013_110035
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...


Well, the problem still continues!


Good evening! Diego Lima

|- Open Disk Management.
|- In "Run", type: diskmgmt.msc
|- Take a PrintScreen and post the resulting image.

|- Download: < 2v8pnvm.png > ( ... by Przemyslaw Gmerek )
|- Save it to the desktop!

|- On Windows 7, I recommend running aswMBR.exe in Compatibility Mode. Right-click the file and select "Properties".
|- Click the "Compatibility" tab and choose Windows XP (SP3).

|- Open the tool by double-clicking aswMBR.exe.
|- On Windows Vista or 7, right-click "aswMBR.exe" and run it as Administrator (image Executar_Administrador.jpg).

|- Click "Yes" to update the tool with the latest Avast definitions.
|- Click "Scan" and, when it finishes, click "Save log".
|- Save it somewhere suitable! <- Post that report!
|- PS: A dump named MBR.dat will be created on the desktop; it is a backup of the MBR and should be kept.

A+


Disk Management image.

 

(attached image: print.JPG)

 

____________________________________________________________________

 

The aswMBR report is below.

 

 

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-02-03 17:18:01

-----------------------------

17:18:01.656 OS Version: Windows 5.1.2600 Service Pack 3

17:18:01.656 Number of processors: 2 586 0x170A

17:18:01.656 ComputerName: CLAUDIA UserName: USER

17:18:02.125 Initialize success

17:18:09.421 AVAST engine defs: 13020300

17:18:15.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

17:18:15.078 Disk 0 Vendor: Size: 0MB BusType: 0

17:18:15.093 Disk 0 MBR read successfully

17:18:15.093 Disk 0 MBR scan

17:18:15.109 Disk 0 Windows XP default MBR code

17:18:15.109 Disk 0 MBR hidden

17:18:15.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 159998 MB offset 63

17:18:15.140 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 145243 MB offset 327677805

17:18:15.171 Disk 0 scanning C:\WINDOWS\system32\drivers

17:18:22.078 Service scanning

17:18:22.796 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32

17:18:25.578 Service GbpKm C:\WINDOWS\system32\drivers\gbpkm.sys **LOCKED** 32

17:18:35.968 Modules scanning

17:18:44.968 Disk 0 trace - called modules:

17:18:44.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x89af42d9]<<

17:18:44.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89e3eab8]

17:18:44.984 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000064[0x89ddf9e8]

17:18:44.984 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x89d76940]

17:18:45.531 AVAST engine scan C:\

18:16:35.718 Scan finished successfully

23:04:53.171 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\USER\Desktop\MBR.dat"

23:04:53.171 The log file has been saved successfully to "C:\Documents and Settings\USER\Desktop\aswMBR.txt"

 

 

Regards,


Good morning! Diego Lima

 

(image: abgmlx9b.jpg)

 

|- I couldn't access the image you posted.

|- I took a screenshot of a sample, as an example, of the relevant part; do the same on your PC using Paint. Upload the image to an image host and paste its URL here.

|- The aswMBR tool's report does not expose the fake sector found by MBRscan. PS: Did you apply any fix?

|- Did you reset the modem and/or router and set them up again according to the manufacturer's instructions?

 

-/-

 

|- Disable the Avira pop-up window.

|- Go to Start >> Run >> Type: secpol.msc >> OK

|- Expand "Software Restriction Policies" >> Right-click "Additional Rules".

|- Choose: "New Path Rule"

|- Click Browse.

|- Locate the folder: C:\Arquivos de programas\Avira\Antivir PersonalEdition Classic\avnotify

|- Click OK and leave the "Security level" as "Disallowed".

|- Click: Apply >> OK.

|- Check whether the problem has been solved.

 

A+


Good evening! Diego Lima

Diego Lima, on 04/02/2013, said:
No, I didn't touch anything..... do you want me to do something again?

|- Just run a new Fix with OTL.
|- PS: Did you disable the Avira pop-up?
|- The image did not show a malicious partition imposed by a bootkit.

-/-

|- Click OTL.exe >> Run, or run it as Administrator (image Executar_Administrador.jpg)
|- Copy the information in the Code box into the tool's clipboard field ( "Custom Scans/Fixes" ).

:reg
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1433:TCP"= -
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{60973e1d-3660-4012-856a-97a92f467003}]
"LastModified"=hex(b):b7,94,f1,01,52,26,ca,01
"Description"="Disable Avira PopUp"
"SaferFlags"=dword:00000000
"ItemData"="C:\Arquivos de programas\Avira\AntiVir Desktop\avnotify.exe"

:Commands
[CLEARALLRESTOREPOINTS]
[emptytemp]
[Reboot]

|- Click the "Consertar" button -> Wait for it to finish!
|- The computer will restart! -> Click "Run".

|- In English versions, click Run Fix, which is the same as Consertar.
|- Post the report: C:\_OTL\MovedFiles\*.log
|- Let me know whether the problem persists!

A+


Hello, I disabled the AVIRA pop-up.

 

The OTL report follows below:

___________________________________________

 

 

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{60973e1d-3660-4012-856a-97a92f467003}\\"LastModified"|hex(b):b7,94,f1,01,52,26,ca,01 /E :invalid edit format. Invalid data type.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{60973e1d-3660-4012-856a-97a92f467003}\\"Description"|"Disable Avira PopUp" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{60973e1d-3660-4012-856a-97a92f467003}\\"SaferFlags"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{60973e1d-3660-4012-856a-97a92f467003}\\"ItemData"|"C:\Arquivos de programas\Avira\AntiVir Desktop\avnotify.exe" /E : value set successfully!
========== COMMANDS ==========
Restore point Set: OTL Restore Point
[EMPTYTEMP]
User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: USER
->Temp folder emptied: 73596110 bytes
->Temporary Internet Files folder emptied: 48558888 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 22467541 bytes
->Google Chrome cache emptied: 19220812 bytes
->Flash cache emptied: 506 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12395 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 156,00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 02042013_212540
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
_______________________________________________________________________
Regards,


NOTE: As soon as I restarted after OTL, the problem persisted!!!


Good morning! Diego Lima

 

|- Did you run fixmbr from the Recovery Console?

 

-/-

 

|- Download: < Kenco: http://jpshortstuff.247fixes.com/Kenco.exe > ( ... by jpshortstuff )
|- Save it to the desktop!
|- On Windows 7, run Kenco.exe as administrator.
|- PS: A black window will appear and then the report. <- Post it!

A+


No.. the fixMBR button did not get enabled!

 

The Kenco report is below:
________________________________

 

 

Kenco by jpshortstuff (31.12.09.1)
Log created at 15:12 on 05/02/2013 (USER)
========== Task Unlocker ==========
========== KencoScan ==========
========== C:\WINDOWS\Tasks ==========
Adobe Flash Player Updater.job -> [14:12 02/04/2012] 902 bytes
GoogleUpdateTaskMachineCore.job -> [17:47 22/05/2012] 1064 bytes
GoogleUpdateTaskMachineUA.job -> [17:47 22/05/2012] 1068 bytes
-=E.O.F=-
Regards,


Good afternoon! Diego Lima

 

|- There are no lops on your machine, according to the Kenco tool.

 

-/-

 

|- Download: < mbr.exe v.0.3.7: http://www2.gmer.net/mbr/mbr.exe > ( by Gmer )
|- Save it to C:\ <-- Local disk!
|- Go to Start >> Run >> Type: cmd >> OK.
|- At the prompt, type: cd \ >> Press Enter.

|- Type: C:\>mbr.exe -f >> Press Enter.

|- PS: Another option would be to download mbr.exe to your desktop.
|- Go to Start >> Run >> Type or paste: "%userprofile%\desktop\mbr.exe" -f
|- Click OK.
|- Post: C:\mbr.txt

|- Report the situation!

 

A+


The situation continues, with the pop-ups opening in the browsers!

 

MBR.TXT report below.

___________________________

 

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
a+


Good afternoon! Diego Lima

 

|- The tools did not detect any problems.

|- Delete the shortcuts to the browsers and create new shortcuts pointing to their executables.

|- PS: The problem may be related to JavaScript contained in some sites. This happens when they serve advertisements and certain words, when the mouse hovers over them, open images that can be mistaken for pop-ups.

|- PS: Tell me what kind of pop-up is occurring and, if you can, capture an image of it when it happens.

 

A+
