[Resolvido!] Não consigo instalar antivirus e editar o registro

EGH · Julho 21, 2009

Olá pessoal

Estou com os seguintes problemas no computador:

1. Não consigo editar o registro, quando tendo acessar o regedit ele informa que o administrador desabilitou esta possibilidade. Tentei editar as permissões de usuário, mas após a alteração o problema volta;

2. Não consigo instalar antivirus, o programa de instalação inicia e logo em seguida fecha sozinho;

3. Quando tento rodar o windows xp no modo de segurança aparece a tela azul de erro;

Rodei o Hijackthis e o log vai abaixo.

Espero que alguém possa me ajudar. Agradeço desde já a atenção

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:07:30, on 21/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\IDrive\IDriveE Service.exe

C:\Arquivos de programas\IDrive\IDriveWebM.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Keyboard & Mouse Driver\KMWDSrv.exe

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Keyboard & Mouse Driver\StartAutorun.exe

C:\DOCUME~1\RICO~1\CONFIG~1\Temp\360.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\Arquivos de programas\Keyboard & Mouse Driver\KMConfig.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Keyboard & Mouse Driver\KMProcess.exe

C:\Arquivos de programas\EDIMAX\Common\RaUI.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Arquivos de programas\IDrive\IDriveETray.exe

C:\Arquivos de programas\IDrive\IDriveEBackground.exe

C:\DOCUME~1\RICO~1\CONFIG~1\Temp\788.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\Documents and Settings\Érico\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\DOCUME~1\RICO~1\CONFIG~1\Temp\066.exe

C:\Documents and Settings\Érico\Desktop\Lixo\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [KMCONFIG] C:\Arquivos de programas\Keyboard & Mouse Driver\StartAutorun.exe KMConfig.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=080509 serial=DR12WES-3007622-euw lang=BP

O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\DOCUME~1\RICO~1\CONFIG~1\Temp\066.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [iDriveE Startup] "C:\Arquivos de programas\IDrive\IDrvieEStartup.exe" Hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Érico\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: IDrive Tray.lnk = C:\Arquivos de programas\IDrive\IDriveEReg2ini.exe

O4 - Global Startup: Wireless Utility.lnk = C:\Arquivos de programas\EDIMAX\Common\RaUI.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://gedpro.jfpr.gov.br

O15 - Trusted Zone: http://gedpro.jfrs.gov.br

O15 - Trusted Zone: http://gedpro.jfsc.gov.br

O16 - DPF: {126FCD7C-D12C-4C3A-8DE5-3A6D45135774} (Agente3.LogServer) - http://gedpro.jfpr.gov.br/Agente.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240878726125

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240890755750

O16 - DPF: {77656C8D-D88E-49BF-8B71-A7EE9716CC1B} (BiblioCAB.Bib) - http://gedpro.jfpr.gov.br/BiblioCAB.CAB

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Serviço Google Update (gupdate1c9c93c28d281f8) (gupdate1c9c93c28d281f8) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Arquivos de programas\IDrive\IDriveE Service.exe

O23 - Service: IDrive WebManager (IDriveWebM) - Pro-Softnet - C:\Arquivos de programas\IDrive\IDriveWebM.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Arquivos de programas\Keyboard & Mouse Driver\KMWDSrv.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 9617 bytes

PedroN · Julho 21, 2009

Faça o download do ComboFix de um destes locais:

Link 1.

Link 2.

Link 3.

Importante!

Você não deve usar Combofix a menos que você tenha sido instruído a fazê-lo por um análista de segurança.

Destina-se pelo seu criador para ser utilizado sob orientação e supervisão de um especialista, e não para uso privado.

Utilizando esta ferramenta incorreto poderia levar a desastrosa problemas com o seu sistema operacional.

Certifique-se de que você salvou ComboFix.exe para o seu desktop.

• Desabilite o seu Antivírus e AntiSpyware , geralmente através de um clique direito sobre o ícone da bandeja do sistema. Eles podem interferir na execução da ferramenta.

• Dê um duplo clique no ComboFix.exe & siga as instruções.

• Como parte de seu processo, ComboFix irá verificar se o Microsoft Windows Recovery Console está instalado. Como as infecções de malware são hoje, é fortemente recomendado que esteja pré-instalado em sua máquina antes de fazer qualquer remoção de malware. Ela permitirá que você arrancar em especial uma recuperação / reparação modo a permitir-nos-á mais fácil ajudá-lo a seu computador deve ter um problema após uma tentativa de remoção de malware.

• Siga as instruções para permitir ComboFix para baixar e instalar o Microsoft Windows Recovery Console e, quando for solicitado, concordar com o End-User License Agreement para instalar o Microsoft Windows Recovery Console.

-- Atenção: Se a consola de recuperação do Microsoft Windows já estiver instalado, ComboFix irá continuar a sua remoção malware procedimentos.

Uma vez que o Microsoft Windows Recovery Console é instalado usando o ComboFix, você deverá ver a seguinte mensagem:

Clique em Sim, para continuar a varredura de malware.

Quando terminar, ela deve produzir um log para você. Poste o relatorio do combofix que estar em C: \ ComboFix.txt junto com um log do hijackthis.

EGH · Julho 21, 2009

Olá PedroN

Muito obrigado pela rápida resposta.

Rodei o Combofix. O log dele vai abaixo. O log do hijackthis postarei na próxima resposta.

ComboFix 09-07-20.05 - Érico 21/07/2009 16:40.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.633 [GMT -3:00]

Executando de: c:\documents and settings\Érico\Desktop\Lixo\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-7433984258-3010980491-202365397-9447

c:\recycler\S-1-5-21-7433984258-3010980491-202365397-9447\Desktop.ini

c:\recycler\S-1-5-21-7433984258-3010980491-202365397-9447\wingn.exe

c:\windows\Installer\53469fb.msi

c:\windows\system32\Data

c:\windows\system32\sqlite3.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DAC970NT

-------\Legacy_PROTECT

-------\Service_dac970nt

-------\Service_protect

(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-21 to 2009-07-21 ))))))))))))))))))))))))))))

.

2009-07-19 17:49 . 2009-07-19 17:49 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-07-15 21:13 . 2009-07-15 21:13 -------- d-----w- c:\arquivos de programas\CDBurnerXP

2009-07-15 15:25 . 2009-07-15 15:25 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2009-07-15 15:25 . 2009-07-15 15:25 -------- d-----w- c:\arquivos de programas\TrueCrypt

2009-07-10 18:06 . 2009-07-10 22:23 -------- d-----w- c:\windows\BDOSCAN8

2009-07-09 18:55 . 2009-07-09 18:57 -------- d-----w- c:\arquivos de programas\GmailBackup

2009-07-06 21:34 . 2009-07-06 21:37 -------- d-----w- C:\CorelDraw12

2009-07-06 21:07 . 2009-07-06 21:07 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Corel

2009-07-06 21:07 . 2009-07-06 21:07 -------- d-----w- c:\arquivos de programas\Corel

2009-07-01 17:45 . 2009-07-01 17:45 -------- d-----w- c:\documents and settings\RICO~2\Meus documentos

2009-07-01 17:45 . 2009-07-01 17:45 -------- d-----w- c:\documents and settings\?rico

2009-06-25 20:14 . 2009-06-25 20:27 -------- d-----w- c:\windows\SxsCaPendDel

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-21 19:44 . 2009-04-28 02:56 -------- d-----w- c:\arquivos de programas\IDrive

2009-07-06 21:08 . 2009-04-28 00:28 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2009-07-06 21:07 . 2009-04-28 02:47 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2009-06-26 23:07 . 2009-06-26 23:07 -------- d-----w- c:\arquivos de programas\K-Lite Codec Pack

2009-06-26 13:21 . 2009-04-30 02:34 -------- d-----w- c:\arquivos de programas\Google

2009-06-25 20:27 . 2009-04-28 02:39 -------- d-----w- c:\arquivos de programas\DNA

2009-06-25 20:25 . 2009-05-08 22:14 -------- d-----w- c:\arquivos de programas\Windows Live

2009-06-25 20:25 . 2009-06-03 23:42 -------- d-----w- c:\arquivos de programas\Paint.NET

2009-06-25 20:20 . 2009-05-19 18:28 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 9.0

2009-06-25 20:20 . 2009-04-28 02:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help

2009-06-25 20:15 . 2009-05-19 18:31 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server

2009-06-25 20:13 . 2009-05-16 20:19 -------- d-----w- c:\arquivos de programas\Microsoft.NET

2009-06-25 20:12 . 2001-10-28 17:07 80636 ----a-w- c:\windows\system32\perfc016.dat

2009-06-25 20:12 . 2001-10-28 17:07 474024 ----a-w- c:\windows\system32\perfh016.dat

2009-06-25 20:06 . 2009-04-28 16:27 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe

2009-06-12 18:27 . 2009-06-12 18:26 -------- d-----w- c:\arquivos de programas\Microsoft Money

2009-06-06 01:06 . 2009-04-28 17:00 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-06-06 01:06 . 2009-04-28 17:00 -------- d-----w- c:\arquivos de programas\GbPlugin

2009-06-04 15:53 . 2009-06-04 15:53 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\FLEXnet

2009-06-03 23:38 . 2009-06-01 17:20 -------- d-----w- c:\arquivos de programas\SRP

2009-06-03 23:37 . 2009-05-29 18:48 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Corel

2009-06-03 23:23 . 2009-06-03 23:16 2516 --sha-w- c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys

2009-06-03 23:16 . 2009-06-03 23:16 8 --sh--r- c:\documents and settings\All Users\Dados de aplicativos\6983215838.sys

2009-06-03 22:31 . 2009-05-29 18:49 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-06-02 16:11 . 2009-06-26 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2009-05-29 21:37 . 2009-06-26 23:07 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2009-05-29 21:31 . 2009-06-26 23:07 881664 ----a-w- c:\windows\system32\xvidcore.dll

2009-05-29 18:49 . 2009-05-29 18:49 88 --sh--r- c:\windows\system32\4C3BEE0D41.sys

2009-05-19 18:30 . 2009-05-19 18:30 488576 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll

2009-05-19 18:30 . 2009-05-19 18:30 416 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2009-05-13 12:13 . 2009-04-28 17:00 26568 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2009-05-12 16:50 . 2009-05-12 16:50 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-09 03:45 . 2009-05-09 03:45 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-05-05 01:25 . 2009-05-05 01:25 90112 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe

2009-05-05 01:25 . 2009-05-05 01:25 79872 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe

2009-05-05 01:25 . 2009-05-05 01:25 131072 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe

2009-05-05 01:25 . 2009-05-05 01:26 34584768 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_por_br.exe

2009-05-02 04:17 . 2009-05-02 04:17 3429636 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{EF4F620F-F295-41D7-92C0-6B635709C850}\Installer\CommonCustomActions\msxml6Exec.exe

2009-05-02 04:17 . 2009-05-02 04:17 3251244 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{EF4F620F-F295-41D7-92C0-6B635709C850}\Installer\CommonCustomActions\vcredistExec.exe

2009-05-02 04:17 . 2009-05-02 04:17 106496 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{EF4F620F-F295-41D7-92C0-6B635709C850}\Installer\CommonCustomActions\Sleep.exe

2009-05-02 03:33 . 2009-05-02 04:18 24601816 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{EF4F620F-F295-41D7-92C0-6B635709C850}\NokiaSoftwareUpdaterSetup_pt_br.exe

2009-05-01 21:02 . 2009-06-26 23:07 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-05-01 21:02 . 2009-06-26 23:07 685056 ----a-w- c:\windows\system32\divx.dll

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-04-29 20:59 . 2009-04-29 20:50 96 ----a-w- c:\windows\system32\pdfl.dat

2009-04-29 20:52 . 2009-04-29 20:50 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2009-04-29 20:50 . 2009-04-29 20:50 80 ----a-w- c:\windows\system32\ibfl.dat

2009-04-29 20:50 . 2009-04-29 20:50 144 ----a-w- c:\windows\system32\lkfl.dat

2009-04-29 19:17 . 2009-04-29 19:17 516 ----a-w- c:\windows\system32\SYSINFO.DAT

2009-04-28 19:41 . 2009-04-28 19:41 0 ----a-w- c:\windows\nsreg.dat

2009-04-28 02:50 . 2009-04-28 02:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2009-04-28 02:50 . 2009-04-28 02:50 102400 ----a-w- c:\windows\system32\OpenAL32.dll

2009-04-28 01:00 . 2009-04-28 00:16 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-04-28 00:28 . 2009-04-28 00:28 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-04-28 00:14 . 2009-04-28 00:14 21844 ----a-w- c:\windows\system32\emptyregdb.dat

2009-06-24 18:03 . 2009-04-28 19:41 137208 ----a-w- c:\arquivos de programas\mozilla firefox\components\brwsrcmp.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5806104]

"IDriveE Startup"="c:\arquivos de programas\IDrive\IDrvieEStartup.exe" [2009-03-05 147456]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Google Update"="c:\documents and settings\Érico\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-04-28 202736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KMCONFIG"="c:\arquivos de programas\Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 286720]

"CorelDRAW Graphics Suite 11b"="c:\arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" [2003-11-28 802816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\rico\Menu Iniciar\Programas\Inicializar\

IDrive Tray.lnk - c:\arquivos de programas\IDrive\IDriveEReg2ini.exe [2009-4-27 348160]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Wireless Utility.lnk - c:\arquivos de programas\EDIMAX\Common\RaUI.exe [2009-4-27 786432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GbPlugin\gbiehcef.dll" [2009-05-13 286792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2009-05-13 12:19 286792 ----a-w- c:\arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Arquivos de programas\\DNA\\btdna.exe"=

"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= c:\\Arquivos de programas\\Windows Live\\Messenger\\MsnMsgr.Exe

"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"c:\\Arquivos de programas\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Arquivos de programas\\IDrive\\IDriveETray.exe"=

"c:\\Arquivos de programas\\IDrive\\IDriveEClsClient.exe"=

"c:\\Documents and Settings\\Érico\\Configurações locais\\Dados de aplicativos\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Arquivos de programas\\Keyboard & Mouse Driver\\StartAutorun.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\usnsvc.exe"=

"c:\\Arquivos de programas\\Keyboard & Mouse Driver\\KMProcess.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8764:TCP"= 8764:TCP:BitComet 8764 TCP

"8764:UDP"= 8764:UDP:BitComet 8764 UDP

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [28/4/2009 14:00 26568]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [28/4/2009 14:00 53320]

R2 IDriveE Service;IDriveE Service;c:\arquivos de programas\IDrive\IDriveE Service.exe [27/4/2009 23:56 143360]

R2 IDriveWebM;IDrive WebManager;c:\arquivos de programas\IDrive\IDriveWebM.exe [27/4/2009 23:56 106496]

R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\arquivos de programas\Keyboard & Mouse Driver\KMWDSrv.exe [5/4/2007 10:29 208896]

S2 gupdate1c9c93c28d281f8;Serviço Google Update (gupdate1c9c93c28d281f8);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [29/4/2009 23:34 210928]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - DAC970NT

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-04-30 02:34]

2009-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-04-30 02:34]

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.uol.com.br/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: jfpr.gov.br\gedpro

Trusted Zone: jfrs.gov.br\gedpro

Trusted Zone: jfsc.gov.br\gedpro

DPF: {126FCD7C-D12C-4C3A-8DE5-3A6D45135774} - hxxp://gedpro.jfpr.gov.br/Agente.CAB

DPF: {77656C8D-D88E-49BF-8B71-A7EE9716CC1B} - hxxp://gedpro.jfpr.gov.br/BiblioCAB.CAB

DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://imagem.caixa.gov.br/cab/gbpdist.cab

FF - ProfilePath - c:\documents and settings\Érico\Dados de aplicativos\Mozilla\Firefox\Profiles\l3iqy8rx.default\

FF - component: c:\documents and settings\Érico\Dados de aplicativos\Mozilla\Firefox\Profiles\l3iqy8rx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll

FF - plugin: c:\arquivos de programas\Google\Google Earth Plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-21 16:44

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1EA6A56-D04E-285D-E8FD-FA6D79FE10DD}\InProcServer32*]

"jaelekplkjepijmlmabk"=hex:69,61,69,61,61,6d,64,6e,61,6f,6c,62,6b,6e,64,6c,6f,

68,00,00

"iaelkiajngclafpiai"=hex:6a,61,6c,61,6d,69,65,69,65,61,6f,69,68,66,66,62,6b,62,

68,62,00,f7

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(628)

c:\arquivos de programas\GbPlugin\gbiehcef.dll

- - - - - - - > 'explorer.exe'(1868)

c:\windows\system32\msi.dll

c:\arquivos de programas\GbPlugin\gbiehcef.dll

c:\windows\system32\WPDShServiceObj.dll

c:\arquivos de programas\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\arquivos de programas\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\arquivos de programas\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_por-br.nlr

c:\arquivos de programas\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\CDBurnerXP\NMSAccessU.exe

c:\windows\system32\PSIService.exe

c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE

c:\windows\system32\wbem\wmiapsrv.exe

c:\arquivos de programas\Keyboard & Mouse Driver\KMCONFIG.exe

c:\arquivos de programas\Keyboard & Mouse Driver\KMProcess.exe

c:\arquivos de programas\IDrive\IDriveETray.exe

c:\arquivos de programas\IDrive\IDriveEBackground.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-07-21 16:46 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-07-21 19:46

Pré-execução: 12 pasta(s) 857.229.467.648 bytes disponíveis

Pós execução: 12 pasta(s) 857.433.972.736 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

303

EGH · Julho 21, 2009

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:52:25, on 21/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\IDrive\IDriveE Service.exe

C:\Arquivos de programas\IDrive\IDriveWebM.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Keyboard & Mouse Driver\KMWDSrv.exe

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Arquivos de programas\Keyboard & Mouse Driver\StartAutorun.exe

C:\Arquivos de programas\Keyboard & Mouse Driver\KMConfig.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Keyboard & Mouse Driver\KMProcess.exe

C:\Arquivos de programas\IDrive\IDriveETray.exe

C:\Arquivos de programas\IDrive\IDriveEBackground.exe

C:\WINDOWS\explorer.exe