[Resolvido] PC reiniciando quando tento instalar o norton

fomatos · Maio 7, 2008

Bom dia,

Tudo começou há uma semana quando fui ligar o PC e ele reiniciava quando carregava a logo do win xp. Executei o verifier do windows, e percebi que havia um driver não assinado em conflito, desinstalei o mesmo, o pc passou a iniciar normalmente. Até que tentei reinstalar meu antivirus (estou sem antivirus há alguns meses após infecção do trojan vundo), quando estava concluindo a instalação do norton o mesmo reiniciou o pc e disse que o pc estava sendo atacado impedindo a instalação do antivirus.

Meu problema é: não consigo instalar o antivirus, pois o pc reinicia. segue o log do hijackthis:

Aguardo ajuda.

Matos.

Logfile of HijackThis v1.99.1

Scan saved at 22:20:24, on 6/5/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\devldr32.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\ARQUIV~1\WINZIP\winzip32.exe

C:\Documents and Settings\Fabrini Matos\Configurações locais\Temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://wwwss.bradesco.com.br/ib2k1/scpsssh2.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{831C2BF6-7754-42B5-9231-3C914DDA6FED}: NameServer = 200.165.132.155,200.165.132.148

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

Silas Martins · Maio 8, 2008

Baixe o ComboFix e salve na área de trabalho.

Feche todos os programas.

Clique duas vezes sobre combofix.exe e tecle (1) logo após aperte Enter para continuar.

O ComboFix irá reiniciar seu computador automaticamente, isto faz parte do processo de remoção.

Ao se encerrar, será gerado um log, que vai estar em C:\ComboFix.txt.

Atenção:

Não clique em nada enquanto o Combofix estiver rodando, Do contrário seu desktop ficará em branco.

Para parar o processo ou sair do ComboFix, tecle "2" e Enter.

Aguardo um novo log do HijackThis juntamente com o ComboFix.txt

Aguardo Retorno

fomatos · Maio 9, 2008

Seguem os posts do combofix e hijackthis, respectivamente:

ComboFix 08-05-08.1 - Fabrini Matos 2008-05-09 13:01:06.7 - FAT32x86

Executando de: C:\Documents and Settings\Fabrini Matos\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3550P

-------\Service_asc3550p

((((((((((((((((((((((( Ficheiros criados de 2008-04-09 to 2008-05-09 ))))))))))))))))))))))))))))))))

.

2008-05-08 12:32 . 2008-05-08 12:32 <DIR> d--hs---- C:\FOUND.005

2008-05-08 12:25 . 2008-05-08 12:25 <DIR> d-------- C:\!KillBox

2008-05-08 10:30 . 2008-05-08 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avira

2008-05-08 10:30 . 2008-05-08 10:30 <DIR> d-------- C:\Arquivos de programas\Avira

2008-05-08 10:26 . 2008-05-08 10:26 <DIR> d--hs---- C:\FOUND.004

2008-05-06 21:32 . 2008-05-06 21:32 <DIR> d-------- C:\WINDOWS\Sun

2008-05-06 21:09 . 2008-05-06 21:09 <DIR> d--hs---- C:\FOUND.003

2008-05-06 20:58 . 2008-05-06 20:58 32 --ahs---- C:\WINDOWS\system32\{AF018B67-8F4F-446A-8C69-E5625E7BCDF7}.dat

2008-05-06 20:58 . 2008-05-06 20:58 32 --ahs---- C:\WINDOWS\{1C1DFB1D-6EB0-4043-A139-7518A279634D}.dat

2008-05-06 20:58 . 2008-05-06 20:58 14 --a------ C:\WINDOWS\system32\SR2.dat

2008-05-06 20:57 . 2008-05-06 20:57 <DIR> d-------- C:\Documents and Settings\Fabrini Matos\Dados de aplicativos\Symantec

2008-05-06 20:56 . 2008-05-06 20:56 <DIR> d-------- C:\WINDOWS\F4C9398FB6C64A4B8B6D795CD86F915D.TMP

2008-05-06 20:56 . 2008-05-06 20:56 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Symantec Shared

2008-05-06 20:44 . 2008-05-06 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft

2008-05-06 20:44 . 2008-05-06 20:44 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

2008-04-26 17:03 . 2008-04-26 17:03 <DIR> d-------- C:\Arquivos de programas\RegCleaner

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-27 15:05 67,352 ----a-w C:\Documents and Settings\Fabrini Matos\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2006-03-07 21:58 747 ----a-w C:\Arquivos de programas\PTWIN.CFG

2005-11-02 01:25 6,144 ----a-w C:\Arquivos de programas\PEUSER.CDS

2005-11-02 01:25 6,144 ----a-w C:\Arquivos de programas\EPUSER.CDS

2005-11-02 01:25 1,906,834 ----a-w C:\Arquivos de programas\EPGEN.RUL

2005-11-02 01:25 1,494,294 ----a-w C:\Arquivos de programas\PEGEN.RUL

2005-11-02 01:24 16 ---ha-w C:\Arquivos de programas\GNKINFO

2004-10-01 18:00 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-07-02 17:10 23237416]

"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-14 17:23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2001-10-28 18:06 77891]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"avgnt"="C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 14:08 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2008-04-15 09:37 378696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GbPlugin\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= ctwdm32.dll

"REELDRV"= IMPEG32.DLL

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-09 13:09:12

Windows 5.1.2600 Service Pack 1 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializ veis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\ARQUIVOS DE PROGRAMAS\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE

C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\GBPSV.EXE

C:\ARQUIVOS DE PROGRAMAS\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE

C:\ARQUIVOS DE PROGRAMAS\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE

C:\WINDOWS\SYSTEM32\USRSHUTA.EXE

C:\WINDOWS\SYSTEM32\LOCATOR.EXE

C:\WINDOWS\SYSTEM32\WDFMGR.EXE

C:\WINDOWS\SYSTEM32\DEVLDR32.EXE

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Tempo para conclusÆo: 2008-05-09 13:12:58 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-09 16:12:42

Pre-Run: 1,312,145,408 bytes disponíveis

Post-Run: 1,500,000,256 bytes dispon¡veis

94

Logfile of HijackThis v1.99.1

Scan saved at 13:15:49, on 9/5/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\WINDOWS\System32\locator.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\System32\devldr32.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\explorer.exe

C:\ARQUIV~1\WINZIP\winzip32.exe

C:\Documents and Settings\Fabrini Matos\Configurações locais\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896