Ruishiva
2008-03-08, 18:35
Good afternoon to you all at Spybot,
I read the procedure poster for this section of the forum. Any mistakes that I make, please forgive me, I don´t use forums much.
Some days ago my pc got infected by at least 3 trojans (MyDoom, win32.agent.bgy and Bagle.hi) throught a infected zip file, that, against all common sense, I openned.
When I openned the file, spybot warned me that it was a bad file and blocked the process, afterwords I did a scan with avast (didn´t detect anything) and spybot (detected 2 reg keys) but no trojan.
I managed to clean (or so it seems) 1 of them.
MyDoom I cleaned righ away with a proper tool provided by symanteck (fxmydoom), I erased the reg keys and the .exe file, (taskmon.exe), also closed the door that was opened in my firewall. All of this in safe mode. It seemed to work.
The win32.agent reg key was cleaned today by combofix after several attempts to clean it with other programs, but after a second reboot it came back. I never found any .exe infected with this malware, only the reg key. I even used a proper removal tool for win32.agents from kapersky and it didn´t detect anything.
Today, while I was downloading combofix, avast blocked 3 trojans and put then in quarantine (might this be a trojan dowloadind other malware files?). I also tried to remove the bagle.hi with a bagle removal tool from kapersky and it didn´t detect anything. Avast never detected the .exe file for this one either, but both of the reg keys keep showing up.
AVAST quarantined this today:
c:\\windows\temp\hd10.tmp win32.peed-o
c:\\windows\temp\hd10.tmp win32.peed-o
c:\\windows\temp\hd12.tmp win32.peed-o
c:\\windows\taskmon.exe win32.peed-o
CAN I ERASE THEM???
Spybot shows this:
WIN32.AGENT.BGY 1 ENTRY registry key
(SBI $ff5579E) configurations
HKEY_USERS\S-1-5-21-2000478354-1547161642-1801674531-1003\Software\FirstRRRun
Win32.bagle.hi FILE
(SBI $37536bc2) Pasta de programa (Program file)
c:\\WINDOWS\system32\down\
This is the log for combofix (I translated some parts from portuguese, it´s a literal translation, I just hope it makes sense):
ComboFix 08-03-07.4 - Rui Candeias 2008-03-08 15:14:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.1538 [GMT 0:00]
Executando de: C:\Documents and Settings\Rui Candeias\Ambiente de trabalho\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões (other exclusions) )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Rui Candeias\Application Data\inst.exe
C:\Programas\Hot internet offers
C:\Programas\Hot internet offers\offers.exe
C:\WINDOWS\system32\config\44176250.Evt
C:\WINDOWS\system32\drivers\down
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ASC3550P
((((((((((((((((((((((( Ficheiros criados (files created) de 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))))
.
2008-03-08 15:19 . 2008-03-08 15:19 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-03-06 09:09 . 2008-03-06 09:22 <DIR> d-------- C:\Programas\SPYWAREfighter
2008-03-05 20:23 . 2008-03-05 20:23 94 --a------ C:\WINDOWS\wininit.ini
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> d-------- C:\Documents and Settings\Administrador\Os meus documentos
2008-03-05 19:56 . 2007-04-20 17:29 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos
2008-03-05 19:56 . 2008-03-08 15:15 <DIR> d--h----- C:\Documents and Settings\Administrador\Defini‡äes locais
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> d-------- C:\Documents and Settings\Administrador\Ambiente de trabalho
2008-03-04 22:35 . 2008-03-04 22:35 <DIR> d-------- C:\Programas\Enigma Software Group
2008-03-04 22:35 . 2008-03-04 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-04 22:01 . 2008-03-04 22:01 <DIR> d-------- C:\Documents and Settings\Rui Candeias\Application Data\Uniblue
2008-02-18 20:57 . 2008-02-18 20:57 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe
2008-02-14 03:05 . 2008-02-14 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-11 09:25 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-11 09:25 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-11 09:25 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-11 09:25 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-11 09:25 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-11 09:25 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-11 09:25 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-11 09:25 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-10 21:15 . 2008-02-22 09:37 <DIR> d-------- C:\Programas\Yahoo!
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 15:08 --------- d-----w C:\Programas\Bowlfish
2008-03-07 19:42 --------- d-----w C:\Documents and Settings\Rui Candeias\Application Data\Vso
2008-03-04 19:56 --------- d-----w C:\Programas\PeerGuardian2
2008-03-03 08:48 --------- d-----w C:\Documents and Settings\Rui Candeias\Application Data\Image Zone Express
2008-02-08 11:32 --------- d-----w C:\Programas\Blitzkrieg Anthology
2008-02-07 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 17:58 --------- d-----w C:\Programas\Spybot - Search & Destroy
2008-02-06 14:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-28 10:59 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-01-24 11:29 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-14 18:36 --------- d-----w C:\Programas\SystemRequirementsLab
2008-01-14 18:36 --------- d-----w C:\Documents and Settings\Rui Candeias\Application Data\SystemRequirementsLab
2008-01-14 17:46 22,328 ----a-w C:\Documents and Settings\Rui Candeias\Application Data\PnkBstrK.sys
2008-01-14 17:35 --------- d-----w C:\Programas\Electronic Arts
2007-09-17 16:53 47,360 ----a-w C:\Documents and Settings\Rui Candeias\Application Data\pcouffin.sys
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 11:00 15360]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"MSMSGS"="C:\Programas\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 12:32 94208]
"BlackFooX 3"="C:\Programas\SlySoft\AnyDVD\BlackFooX3.exe" [2004-09-21 10:06 643072]
"PeerGuardian"="C:\Programas\PeerGuardian2\pg2.exe" [2005-09-18 17:40 1421824]
"SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMAXPnP"="C:\Programas\Analog Devices\Core\smax4pnp.exe" [2006-07-20 05:04 847872]
"SoundMAX"="C:\Programas\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"RemoteControl"="C:\Programas\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 17:37 69216]
"LanguageShortcut"="C:\Programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 21:55 54832]
"AsusServiceProvider"="C:\Programas\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 09:25 591360]
"Ai Nap"="C:\Programas\ASUS\AI Suite\AiNap\AiNap.exe" [2006-08-31 15:01 1422848]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DAEMON Tools-1033"="C:\Programas\D-Tools\daemon.exe" [2004-08-22 16:05 81920]
"HP Software Update"="C:\Programas\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"NeroFilterCheck"="C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Adobe Reader Speed Launcher"="C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Winpower"="C:\Program Files\UpsPilot\Winpower.exe" [2007-04-23 19:29 112640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-21 11:00 15360]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
ASUS WiFi-AP Solo.lnk - C:\Programas\ASUS WiFi-AP Solo\RtWLan.exe [2007-06-26 12:25:39 987136]
HP Digital Imaging Monitor.lnk - C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\livecall.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Programas\\Bowlfish\\eMule.exe"=
"C:\\Programas\\ASUS WiFi-AP Solo\\RtWLan.exe"=
"C:\\Programas\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Programas\\Skype\\Phone\\Skype.exe"=
"C:\\Programas\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Programas\\Spybot - Search & Destroy\\SpybotSD.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11050:UDP"= 11050:UDP:UDP Blowfish
"25650:TCP"= 25650:TCP:TCP Blowfish
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programas\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 07:30]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-03-31 03:39]
S3 SpyFighter;SpyFighter Guard Device;C:\Programas\SPYWAREfighter\spyfighter.sys []
S3 SPYWAREfighterRP;SPYWAREfighterRP;"C:\Programas\SPYWAREfighter\spfprc.exe" []
*Newly Created Service* - PGFILTER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:19:28
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos (looking for hidden processes)...
Procurando entradas auto inicializáveis ocultas ...
(looking for hidden auto-run entrys)
Procurando ficheiros ocultos ...
(looking for hidden files)
Varredura completada com sucesso (sweep completed with success)
Ficheiros ocultos (hidden files): 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Programas\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programas\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~2\UpsPilot\Winpower.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~2\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\PROGRA~2\UpsPilot\wpRMI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-03-08 15:20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 15:20:40
.
2008-02-14 03:05:11 --- E O F ---
I didn´t run kapersky online scanner, because I need to have the net on, and I need your advice on that. Can I leave avast running while kapersky is running, and if not won´t that leave my pc completely unprotected????
If you answer me, please be patient, my knowledge of computers is limited.
Thanks in advance for your time and sorry for my english....
Best wishes...
Rui Candeias
I read the procedure poster for this section of the forum. Any mistakes that I make, please forgive me, I don´t use forums much.
Some days ago my pc got infected by at least 3 trojans (MyDoom, win32.agent.bgy and Bagle.hi) throught a infected zip file, that, against all common sense, I openned.
When I openned the file, spybot warned me that it was a bad file and blocked the process, afterwords I did a scan with avast (didn´t detect anything) and spybot (detected 2 reg keys) but no trojan.
I managed to clean (or so it seems) 1 of them.
MyDoom I cleaned righ away with a proper tool provided by symanteck (fxmydoom), I erased the reg keys and the .exe file, (taskmon.exe), also closed the door that was opened in my firewall. All of this in safe mode. It seemed to work.
The win32.agent reg key was cleaned today by combofix after several attempts to clean it with other programs, but after a second reboot it came back. I never found any .exe infected with this malware, only the reg key. I even used a proper removal tool for win32.agents from kapersky and it didn´t detect anything.
Today, while I was downloading combofix, avast blocked 3 trojans and put then in quarantine (might this be a trojan dowloadind other malware files?). I also tried to remove the bagle.hi with a bagle removal tool from kapersky and it didn´t detect anything. Avast never detected the .exe file for this one either, but both of the reg keys keep showing up.
AVAST quarantined this today:
c:\\windows\temp\hd10.tmp win32.peed-o
c:\\windows\temp\hd10.tmp win32.peed-o
c:\\windows\temp\hd12.tmp win32.peed-o
c:\\windows\taskmon.exe win32.peed-o
CAN I ERASE THEM???
Spybot shows this:
WIN32.AGENT.BGY 1 ENTRY registry key
(SBI $ff5579E) configurations
HKEY_USERS\S-1-5-21-2000478354-1547161642-1801674531-1003\Software\FirstRRRun
Win32.bagle.hi FILE
(SBI $37536bc2) Pasta de programa (Program file)
c:\\WINDOWS\system32\down\
This is the log for combofix (I translated some parts from portuguese, it´s a literal translation, I just hope it makes sense):
ComboFix 08-03-07.4 - Rui Candeias 2008-03-08 15:14:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.1538 [GMT 0:00]
Executando de: C:\Documents and Settings\Rui Candeias\Ambiente de trabalho\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões (other exclusions) )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Rui Candeias\Application Data\inst.exe
C:\Programas\Hot internet offers
C:\Programas\Hot internet offers\offers.exe
C:\WINDOWS\system32\config\44176250.Evt
C:\WINDOWS\system32\drivers\down
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ASC3550P
((((((((((((((((((((((( Ficheiros criados (files created) de 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))))
.
2008-03-08 15:19 . 2008-03-08 15:19 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-03-06 09:09 . 2008-03-06 09:22 <DIR> d-------- C:\Programas\SPYWAREfighter
2008-03-05 20:23 . 2008-03-05 20:23 94 --a------ C:\WINDOWS\wininit.ini
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> d-------- C:\Documents and Settings\Administrador\Os meus documentos
2008-03-05 19:56 . 2007-04-20 17:29 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos
2008-03-05 19:56 . 2008-03-08 15:15 <DIR> d--h----- C:\Documents and Settings\Administrador\Defini‡äes locais
2008-03-05 19:56 . 2007-04-20 18:10 <DIR> d-------- C:\Documents and Settings\Administrador\Ambiente de trabalho
2008-03-04 22:35 . 2008-03-04 22:35 <DIR> d-------- C:\Programas\Enigma Software Group
2008-03-04 22:35 . 2008-03-04 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-04 22:01 . 2008-03-04 22:01 <DIR> d-------- C:\Documents and Settings\Rui Candeias\Application Data\Uniblue
2008-02-18 20:57 . 2008-02-18 20:57 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe
2008-02-14 03:05 . 2008-02-14 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-11 09:25 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-11 09:25 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-11 09:25 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-11 09:25 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-11 09:25 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-11 09:25 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-11 09:25 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-11 09:25 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-10 21:15 . 2008-02-22 09:37 <DIR> d-------- C:\Programas\Yahoo!
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 15:08 --------- d-----w C:\Programas\Bowlfish
2008-03-07 19:42 --------- d-----w C:\Documents and Settings\Rui Candeias\Application Data\Vso
2008-03-04 19:56 --------- d-----w C:\Programas\PeerGuardian2
2008-03-03 08:48 --------- d-----w C:\Documents and Settings\Rui Candeias\Application Data\Image Zone Express
2008-02-08 11:32 --------- d-----w C:\Programas\Blitzkrieg Anthology
2008-02-07 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 17:58 --------- d-----w C:\Programas\Spybot - Search & Destroy
2008-02-06 14:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-28 10:59 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-01-24 11:29 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-14 18:36 --------- d-----w C:\Programas\SystemRequirementsLab
2008-01-14 18:36 --------- d-----w C:\Documents and Settings\Rui Candeias\Application Data\SystemRequirementsLab
2008-01-14 17:46 22,328 ----a-w C:\Documents and Settings\Rui Candeias\Application Data\PnkBstrK.sys
2008-01-14 17:35 --------- d-----w C:\Programas\Electronic Arts
2007-09-17 16:53 47,360 ----a-w C:\Documents and Settings\Rui Candeias\Application Data\pcouffin.sys
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 11:00 15360]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"MSMSGS"="C:\Programas\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 12:32 94208]
"BlackFooX 3"="C:\Programas\SlySoft\AnyDVD\BlackFooX3.exe" [2004-09-21 10:06 643072]
"PeerGuardian"="C:\Programas\PeerGuardian2\pg2.exe" [2005-09-18 17:40 1421824]
"SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMAXPnP"="C:\Programas\Analog Devices\Core\smax4pnp.exe" [2006-07-20 05:04 847872]
"SoundMAX"="C:\Programas\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"RemoteControl"="C:\Programas\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 17:37 69216]
"LanguageShortcut"="C:\Programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 21:55 54832]
"AsusServiceProvider"="C:\Programas\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 09:25 591360]
"Ai Nap"="C:\Programas\ASUS\AI Suite\AiNap\AiNap.exe" [2006-08-31 15:01 1422848]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DAEMON Tools-1033"="C:\Programas\D-Tools\daemon.exe" [2004-08-22 16:05 81920]
"HP Software Update"="C:\Programas\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"NeroFilterCheck"="C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"Adobe Reader Speed Launcher"="C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Winpower"="C:\Program Files\UpsPilot\Winpower.exe" [2007-04-23 19:29 112640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-21 11:00 15360]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
ASUS WiFi-AP Solo.lnk - C:\Programas\ASUS WiFi-AP Solo\RtWLan.exe [2007-06-26 12:25:39 987136]
HP Digital Imaging Monitor.lnk - C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\livecall.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Programas\\Bowlfish\\eMule.exe"=
"C:\\Programas\\ASUS WiFi-AP Solo\\RtWLan.exe"=
"C:\\Programas\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Programas\\Skype\\Phone\\Skype.exe"=
"C:\\Programas\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Programas\\Spybot - Search & Destroy\\SpybotSD.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11050:UDP"= 11050:UDP:UDP Blowfish
"25650:TCP"= 25650:TCP:TCP Blowfish
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programas\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 07:30]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-03-31 03:39]
S3 SpyFighter;SpyFighter Guard Device;C:\Programas\SPYWAREfighter\spyfighter.sys []
S3 SPYWAREfighterRP;SPYWAREfighterRP;"C:\Programas\SPYWAREfighter\spfprc.exe" []
*Newly Created Service* - PGFILTER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:19:28
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos (looking for hidden processes)...
Procurando entradas auto inicializáveis ocultas ...
(looking for hidden auto-run entrys)
Procurando ficheiros ocultos ...
(looking for hidden files)
Varredura completada com sucesso (sweep completed with success)
Ficheiros ocultos (hidden files): 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Programas\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programas\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~2\UpsPilot\Winpower.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~2\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\PROGRA~2\UpsPilot\wpRMI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-03-08 15:20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 15:20:40
.
2008-02-14 03:05:11 --- E O F ---
I didn´t run kapersky online scanner, because I need to have the net on, and I need your advice on that. Can I leave avast running while kapersky is running, and if not won´t that leave my pc completely unprotected????
If you answer me, please be patient, my knowledge of computers is limited.
Thanks in advance for your time and sorry for my english....
Best wishes...
Rui Candeias