
ComboFix 10-12-04.06 - Claudio 06/12/2010 16:59:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.894.549 [GMT -2:00]
Executando de: D:\Download\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - system32: deleted 4 bytes in 2 streams.
ADS - drivers: deleted 216 bytes in 2 streams.
.
((((((((((((((((((((((((((((((((((((((   Outras Exclusões   ))))))))))))))))))))))))))))))))))))))
.

C:\Arquivos de programas\Dealio Toolbar
C:\Arquivos de programas\Dealio Toolbar\IE\4.0.2\config.ini
C:\Arquivos de programas\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
C:\Arquivos de programas\Dealio Toolbar\Res\amazon.gif
C:\Arquivos de programas\Dealio Toolbar\Res\apple.gif
C:\Arquivos de programas\Dealio Toolbar\Res\barnes.gif
C:\Arquivos de programas\Dealio Toolbar\Res\bestbuy.gif
C:\Arquivos de programas\Dealio Toolbar\Res\dealio_logo.gif
C:\Arquivos de programas\Dealio Toolbar\Res\dealio_logo_hover.gif
C:\Arquivos de programas\Dealio Toolbar\Res\ebay.gif
C:\Arquivos de programas\Dealio Toolbar\Res\icon_settings.gif
C:\Arquivos de programas\Dealio Toolbar\Res\macys.gif
C:\Arquivos de programas\Dealio Toolbar\Res\newegg.gif
C:\Arquivos de programas\Dealio Toolbar\Res\overstock.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search-button-hover.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search-button.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search-chevron-hover.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search-chevron.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search_amazon.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search_dealio.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search_ebay.gif
C:\Arquivos de programas\Dealio Toolbar\Res\search_yahoo.gif
C:\Arquivos de programas\Dealio Toolbar\Res\target.gif
C:\Arquivos de programas\Dealio Toolbar\Res\walmart.gif
C:\Arquivos de programas\Dealio Toolbar\Res\widgets.xml
C:\Arquivos de programas\Dealio Toolbar\WidgiHelper.exe
C:\Arquivos de programas\Search Settings
C:\Arquivos de programas\Search Settings\SeARchsettings.dll
C:\Arquivos de programas\Search Settings\SearchSettings.exe
C:\Arquivos de programas\Search Settings\SearchSettingsRes409.dll
C:\Documents and Settings\Claudio\Dados de aplicativos\.#
C:\Documents and Settings\Claudio\Dados de aplicativos\Dealio
C:\Documents and Settings\Claudio\Dados de aplicativos\Dealio\res\widgets.xml
C:\Documents and Settings\Claudio\Dados de aplicativos\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
C:\Documents and Settings\Claudio\Dados de aplicativos\inst.exe
C:\Documents and Settings\Monica\Dados de aplicativos\Dealio
C:\Documents and Settings\Monica\Dados de aplicativos\Dealio\res\widgets.xml
C:\Documents and Settings\Monica\Dados de aplicativos\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
C:\Documents and Settings\Monica\Dados de aplicativos\Dealio\temp\WTIE-14847.log
C:\nIKalod
C:\nIKalod\Kanop\Desktop.ini
C:\restore
C:\restore\k-1-3542-4232123213-7676767-8888886\Desktop.ini
C:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((   Arquivos/Ficheiros criados de 2010-11-06 to 2010-12-06   ))))))))))))))))))))))))))))))))))))))
.
2010-12-06 10:49:30	. . . . d-----w-	C:\Arquivos de programas\RealVNC
2010-12-03 10:14:01	. . . . d---a-w-	C:\CLIPPER5
2010-12-03 10:13:53	. . . . d-----w-	C:\nfe
2010-11-18 19:56:17	. . . . d-----w-	C:\Arquivos de programas\Ask Search Assistant
2010-11-08 20:00:10	. . . . d-----w-	C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Temp
[remaining entries of this section were garbled in extraction and are not reproduced]
.
((((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))
.
[entries garbled in extraction and not reproduced]
.
((((((((((((((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
.
[Run-key entries garbled in extraction; value names recoverable: HKCU Run: MsnMsgr, uTorrent, TkBellExe; HKLM Run: SunJavaUpdateSched, LogMeIn Hamachi Ui, Acrobat Assistant 7.0, HP Software Update, HP Component Manager, avast5, BluetoothAuthenticationAgent; HKU\.DEFAULT Run: CTFMON.EXE; winlogon\notify: GbPluginBb]
.
[Startup-folder and msconfig\startupreg entries garbled in extraction; names recoverable: Adobe Acrobat Speed Launcher, HP Digital Imaging Monitor, Inicialização rápida do HP Image Zone, BrOffice.org 3.1, Ralink Wireless Utility, BluetoothAuthenticationAgent, CTFMON.EXE, FixCamera, H/PC Connection Agent, NeroFilterCheck, PWRISOVM, snp2std, tsnp2std, uTorrent]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
[entries garbled in extraction; they include Windows Live Messenger, uTorrent, RealVNC vncviewer, Java, ActiveSync, several games and winbox.exe on the Desktop]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.0.0/255.255.0.0:Enabled:ActiveSync Service
.
[services/drivers garbled in extraction; names recoverable: R0 GbpKm, R0 sfsync03, R0 sptd, R1 aswSP, R2 aswFsBlk, R2 Application Updater, R2 GbpSv, R2 Hamachi2Svc, R3 HSFHWATI, R3 VCSVADHWSer, S2 gupdate, S3 ViaUsbEtsDriver, S3 ViaUsbModemDriver]
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2010-12-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2000478354-1757981266-682003330-1003.job
2010-12-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2000478354-1757981266-682003330-1004.job
2010-12-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2000478354-1757981266-682003330-1003.job
2010-11-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2000478354-1757981266-682003330-1004.job
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
uInternet Settings,ProxyServer = [address garbled in extraction]:3128
[IE context-menu entries for Adobe Acrobat 7.0 PDF conversion, Google Sidewiki and "E&xportar para o Microsoft Excel" garbled in extraction]
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
[TCP DNS-server entries garbled in extraction]
.
- - - - ORFÃOS REMOVIDOS - - - -
.
BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Arquivos de programas\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Arquivos de programas\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
WebBrowser-{C3CD744D-2FAE-4640-8297-16B5DA423104} - (no file)
HKLM-Run-SearchSettings - C:\Arquivos de programas\Search Settings\SearchSettings.exe
MSConfigStartUp-NokiaPCSuiteTray - C:\Arquivos de programas\Nokia\Nokia PC Suite\LaunchApplication.exe
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 17:05:46
Windows 5.1.2600 Service Pack 2 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK6026GAX rev.PA200U -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: [module list garbled in extraction] >>UNKNOWN [0x8538B0E8]<<
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x85366AB8]
\Driver\Disk[0x85367EF8] -> IRP_MJ_CREATE -> 0x8538B0E8
kernel: MBR read successfully
[MBR disassembly dump (_asm { ... }) garbled in extraction and not reproduced]
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8538b0e8
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
**************************************************************************
.
--------------------   CHAVES DO REGISTRO BLOQUEADAS   --------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------   DLLs Carregadas Sob os Processos em Execução   --------------------
.
- - - - - - - > 'winlogon.exe'(832)
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------   Outros Serviços/Drivers Na Memória   ------------------------
.
*NewlyCreated* - [entries garbled in extraction and not reproduced]
.
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
.
Tempo para conclusão: 2010-12-06 17:09:08
ComboFix-quarantined-files.txt 2010-12-06 19:09:06
.
Pré-execução: [value garbled in extraction] bytes disponíveis
Pós execução: [value garbled in extraction] bytes disponíveis
.
- - End Of File - - BDAF1268082F6C59929DB8D57CE17CE9