ArcaMicroScan detected Downloader.Agent.Bld, F-Secure detects ntde1ect

I think I have caught some junk. ArcaScan detected Downloader.Agent.Bld and the files were deleted, but when I try to open drive D: from My Computer nothing happens, only a DOS window pops up with a scrolling list of DOS commands. Through Explorer I can get onto the drive, but not through My Computer, and F-Secure detects that ntde1ect.com wants to connect to the internet. How do I remove this?

Here are the HijackThis logs.

Note: when you paste a log, wrap it in a CODE or QUOTE tag.

Regards, Gutek2222

The log is clean.

But that means you have landed in quite a swamp.

A similar piece of "junk" was discussed in this thread:

http://forum.dobreprogramy.pl/viewtopic.php?t=182127

To this day nobody has managed to get rid of it.

You can try the methods used in the link above; maybe you will succeed.

In any case: forget about using a pendrive, because if you keep using a pendrive you will never get free of this plague!

Once you have tried all the removal methods described in the link above, post a ComboFix log here (ComboFix is at the bottom of the page at that link).

Paste the log at http://wklej.org/ and put only the link in your post.

jessi

Hmm, I think I removed the crap, but I messed around a bit in the registry, and now when I click My Computer and want to open (explore) any drive, explorer.exe does not open; instead it shows me the list of programs to use. So I pick explorer.exe and click OK (the "always use" option is unavailable) and it works, but as soon as I want to open a drive again I have to repeat the operation. Did I delete some registry entry or what?

No, it is not your fault but the infection's; it is what causes this side effect.

You can read about it -->HERE.

So the infection is still active on your machine.

jessi
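The "Open with" prompt described in the two posts above is a direct consequence of how Explorer handles an autorun.inf at a drive root: a `shell\<verb>\command` line replaces what a double-click (the default verb, usually "open") launches, so once the antivirus deletes the executable but the inf stays behind, the shell has a verb pointing at a file that no longer exists. Explorer also caches those verbs per volume under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} (the kind of entry visible in the ComboFix log further down), so the prompt can persist even after autorun.inf itself is gone. The following reader is an added example, not code from the thread or from any tool mentioned in it; the autorun.inf content is constructed for illustration (the key names are Explorer's documented ones, and ntde1ect.com is the file name reported in the thread), and the function and variable names are this example's own.

```python
"""Added example: read an autorun.inf the way the Explorer shell does and
report what a double-click on the drive root would launch.
SAMPLE_AUTORUN_INF is constructed for illustration; ntde1ect.com is the
file name reported in the forum thread."""

import ntpath

SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=ntde1ect.com
shell=open
shell\\open=Open
shell\\open\\Command=ntde1ect.com
shell\\explore=Explore
shell\\explore\\Command=ntde1ect.com
shellexecute=ntde1ect.com
"""


def parse_autorun_inf(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    The file is INI-like, but keys contain backslashes and the section name
    is matched case-insensitively, so it is parsed by hand rather than with
    configparser."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_actions(entries):
    """Map the parsed keys onto what the shell does with them."""
    verbs = {}
    for key, value in entries.items():
        parts = key.split("\\")
        # shell\<verb>\command=<cmdline> defines a context-menu verb
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verbs[parts[1]] = value
    # "shell=<verb>" picks the default verb; otherwise "open" is the default
    default_verb = entries.get("shell", "").lower() or (
        "open" if "open" in verbs else None)
    return {
        # launched on AutoPlay / media insertion
        "autoplay": entries.get("open") or entries.get("shellexecute"),
        # launched on double-click in My Computer (the default verb)
        "double_click": verbs.get(default_verb) if default_verb else None,
        # launched from the right-click menu (Open, Explore, ...)
        "verbs": verbs,
    }


def first_token(cmdline):
    """The program part of a command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def referenced_programs(actions):
    """Lower-cased base names of every program the inf points at."""
    names = set()
    for cmd in [actions["autoplay"], *actions["verbs"].values()]:
        if cmd:
            names.add(ntpath.basename(first_token(cmd)).lower())
    return names


def assess(inf_text, files_present):
    """Findings for one drive root: the inf text plus the lower-cased names
    of the files still present there."""
    actions = autorun_actions(parse_autorun_inf(inf_text))
    findings = []
    for name in sorted(referenced_programs(actions)):
        if name in files_present:
            findings.append(f"{name}: still present and launched by autorun.inf")
        else:
            findings.append(
                f"{name}: referenced but missing; double-clicking the drive "
                "gets an 'Open with' prompt until autorun.inf and the cached "
                "MountPoints2 entry are removed")
    return actions, findings


if __name__ == "__main__":
    # The worm body was already deleted by the AV; only autorun.inf is left.
    acts, notes = assess(SAMPLE_AUTORUN_INF, {"autorun.inf"})
    print("double-click runs:", acts["double_click"])
    for note in notes:
        print(note)
```

Running it against a real drive root means reading `X:\autorun.inf` (it is normally set hidden+system, so list with `dir /a`) and passing the lower-cased names of the files in that root; a result of "referenced but missing" is exactly the state that produces the "Open with" dialog, and the fix is removing the inf plus the matching MountPoints2 key, not reinstalling explorer.exe.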

ComboFix log:

ComboFix 07-08-30.3 - "Marek" 2007-09-07 9:25:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.250 [GMT 2:00]

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Autorun.inf

D:\Autorun.inf

G:\Autorun.inf

H:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 09:22 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-09-07 08:09

2007-09-06 14:57

2007-09-06 14:29 962 --a------ C:\WINDOWS\unins000.dat

2007-09-05 13:03 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2007-09-05 13:03 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2007-09-05 13:03 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2007-09-05 13:03 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys

2007-09-05 13:03 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2007-09-05 13:03

2007-09-05 13:03

2007-09-05 13:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-08-31 11:55

2007-08-31 09:42

2007-08-31 08:45

2007-08-30 12:23

2007-08-30 12:23

2007-08-30 12:23

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 14:58 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-08-31 08:46 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Skype

2007-08-30 14:34 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\F-Secure

2007-08-27 11:17 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Nokia Multimedia Player

2007-08-24 15:03 --------- d-------- C:\Program Files\Opera Software

2007-08-16 10:25 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\PC Suite

2007-08-02 07:50 --------- d-------- C:\Program Files\F-Secure

2007-08-02 07:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\fssg

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 12:01 767280 --a------ C:\WINDOWS\system32\ArcaMicroScanUpdater.exe

2007-07-20 10:34 847872 --a------ C:\WINDOWS\system32\ArcaOnline.dll

2007-07-13 08:16 --------- d-------- C:\Program Files\BitLord

2007-07-13 07:58 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe

2001-11-23 06:08 712704 -ra------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

2007-01-30 10:27:58 56 --sh--r C:\WINDOWS\system32\2791809BB4.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 09:29]

"nwiz"="nwiz.exe" [2006-03-09 09:29 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 09:29]

"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2007-06-20 15:31]

"F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-06-20 15:31]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]

"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 15:47]

"TPPOLL"="C:\Program Files\Topro\tppoll.exe" [2005-03-02 18:12]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]

"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [2007-08-29 11:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2005-11-15 19:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys

R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure\HIPS\fshs.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 NTSIM;NTSIM;??\C:\WINDOWS\system32\ntsim.sys

S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys

S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4e5918c-85bd-11db-9f1f-00138f2addb2}]

AutoRun\command- I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder

2007-09-03 13:09:21 C:\WINDOWS\Tasks\Scheduled task.job - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-07 09:27:00

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-09-07 9:27:55

C:\ComboFix-quarantined-files.txt ... 2007-09-07 09:27

— E O F —

quote

Złączono Posta : 07.09.2007 (Pią) 9:40

logi z CF

quote

ComboFix 07-08-30.3 - “Marek” 2007-09-07 9:25:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.250 [GMT 2:00]

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Autorun.inf

D:\Autorun.inf

G:\Autorun.inf

H:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 09:22 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-09-07 08:09

2007-09-06 14:57

2007-09-06 14:29 962 --a------ C:\WINDOWS\unins000.dat

2007-09-05 13:03 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2007-09-05 13:03 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2007-09-05 13:03 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2007-09-05 13:03 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys

2007-09-05 13:03 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2007-09-05 13:03

2007-09-05 13:03

2007-09-05 13:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-08-31 11:55

2007-08-31 09:42

2007-08-31 08:45

2007-08-30 12:23

2007-08-30 12:23

2007-08-30 12:23

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 14:58 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-08-31 08:46 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Skype

2007-08-30 14:34 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\F-Secure

2007-08-27 11:17 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Nokia Multimedia Player

2007-08-24 15:03 --------- d-------- C:\Program Files\Opera Software

2007-08-16 10:25 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\PC Suite

2007-08-02 07:50 --------- d-------- C:\Program Files\F-Secure

2007-08-02 07:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\fssg

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 12:01 767280 --a------ C:\WINDOWS\system32\ArcaMicroScanUpdater.exe

2007-07-20 10:34 847872 --a------ C:\WINDOWS\system32\ArcaOnline.dll

2007-07-13 08:16 --------- d-------- C:\Program Files\BitLord

2007-07-13 07:58 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe

2001-11-23 06:08 712704 -ra------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

2007-01-30 10:27:58 56 --sh–r C:\WINDOWS\system32\2791809BB4.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Cmaudio”=“cmicnfg.cpl” []

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-03-09 09:29]

“nwiz”=“nwiz.exe” [2006-03-09 09:29 C:\WINDOWS\system32\nwiz.exe]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-03-09 09:29]

“F-Secure Manager”=“C:\Program Files\F-Secure\Common\FSM32.exe” [2007-06-20 15:31]

“F-Secure TNB”=“C:\Program Files\F-Secure\FSGUI\TNBUtil.exe” [2007-06-20 15:31]

“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 19:42]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50]

“CloneCDTray”=“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” [2005-05-19 15:47]

“TPPOLL”=“C:\Program Files\Topro\tppoll.exe” [2005-03-02 18:12]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]

“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-16 10:54]

“PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2007-03-23 13:20]

“PrevxOne”=“C:\Program Files\Prevx2\PXConsole.exe” [2007-08-29 11:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 14:00]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24]

“H/PC Connection Agent”=“C:\PROGRA~1\MI3AA1~1\wcescomm.exe” [2005-11-15 19:44]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]

“Nokia.PCSync”=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys

R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure\HIPS\fshs.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 NTSIM;NTSIM;??\C:\WINDOWS\system32\ntsim.sys

S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys

S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e4e5918c-85bd-11db-9f1f-00138f2addb2}]

AutoRun\command- I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME

Contents of the ‘Scheduled Tasks’ folder

2007-09-03 13:09:21 C:\WINDOWS\Tasks\Scheduled task.job - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-07 09:27:00

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-09-07 9:27:55

C:\ComboFix-quarantined-files.txt … 2007-09-07 09:27

— E O F —

quote

Złączono Posta : 07.09.2007 (Pią) 9:40

logi z CF

quote

ComboFix 07-08-30.3 - “Marek” 2007-09-07 9:25:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.250 [GMT 2:00]

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Autorun.inf

D:\Autorun.inf

G:\Autorun.inf

H:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 09:22 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-09-07 08:09

2007-09-06 14:57

2007-09-06 14:29 962 --a------ C:\WINDOWS\unins000.dat

2007-09-05 13:03 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2007-09-05 13:03 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2007-09-05 13:03 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2007-09-05 13:03 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys

2007-09-05 13:03 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2007-09-05 13:03

2007-09-05 13:03

2007-09-05 13:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-08-31 11:55

2007-08-31 09:42

2007-08-31 08:45

2007-08-30 12:23

2007-08-30 12:23

2007-08-30 12:23

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 14:58 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-08-31 08:46 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Skype

2007-08-30 14:34 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\F-Secure

2007-08-27 11:17 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Nokia Multimedia Player

2007-08-24 15:03 --------- d-------- C:\Program Files\Opera Software

2007-08-16 10:25 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\PC Suite

2007-08-02 07:50 --------- d-------- C:\Program Files\F-Secure

2007-08-02 07:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\fssg

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 12:01 767280 --a------ C:\WINDOWS\system32\ArcaMicroScanUpdater.exe

2007-07-20 10:34 847872 --a------ C:\WINDOWS\system32\ArcaOnline.dll

2007-07-13 08:16 --------- d-------- C:\Program Files\BitLord

2007-07-13 07:58 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe

2001-11-23 06:08 712704 -ra------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

2007-01-30 10:27:58 56 --sh–r C:\WINDOWS\system32\2791809BB4.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Cmaudio”=“cmicnfg.cpl” []

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-03-09 09:29]

“nwiz”=“nwiz.exe” [2006-03-09 09:29 C:\WINDOWS\system32\nwiz.exe]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-03-09 09:29]

“F-Secure Manager”=“C:\Program Files\F-Secure\Common\FSM32.exe” [2007-06-20 15:31]

“F-Secure TNB”=“C:\Program Files\F-Secure\FSGUI\TNBUtil.exe” [2007-06-20 15:31]

“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 19:42]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50]

“CloneCDTray”=“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” [2005-05-19 15:47]

“TPPOLL”=“C:\Program Files\Topro\tppoll.exe” [2005-03-02 18:12]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]

“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-16 10:54]

“PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2007-03-23 13:20]

“PrevxOne”=“C:\Program Files\Prevx2\PXConsole.exe” [2007-08-29 11:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 14:00]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24]

“H/PC Connection Agent”=“C:\PROGRA~1\MI3AA1~1\wcescomm.exe” [2005-11-15 19:44]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]

“Nokia.PCSync”=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys

R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure\HIPS\fshs.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 NTSIM;NTSIM;??\C:\WINDOWS\system32\ntsim.sys

S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys

S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e4e5918c-85bd-11db-9f1f-00138f2addb2}]

AutoRun\command- I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME

Contents of the ‘Scheduled Tasks’ folder

2007-09-03 13:09:21 C:\WINDOWS\Tasks\Scheduled task.job - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-07 09:27:00

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-09-07 9:27:55

C:\ComboFix-quarantined-files.txt … 2007-09-07 09:27

— E O F —

quote

Złączono Posta : 07.09.2007 (Pią) 9:42

logi z CF

quote

ComboFix 07-08-30.3 - “Marek” 2007-09-07 9:25:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.250 [GMT 2:00]

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Autorun.inf

D:\Autorun.inf

G:\Autorun.inf

H:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 09:22 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-09-07 08:09

2007-09-06 14:57

2007-09-06 14:29 962 --a------ C:\WINDOWS\unins000.dat

2007-09-05 13:03 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2007-09-05 13:03 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2007-09-05 13:03 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2007-09-05 13:03 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys

2007-09-05 13:03 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2007-09-05 13:03

2007-09-05 13:03

2007-09-05 13:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-08-31 11:55

2007-08-31 09:42

2007-08-31 08:45

2007-08-30 12:23

2007-08-30 12:23

2007-08-30 12:23

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 14:58 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-08-31 08:46 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Skype

2007-08-30 14:34 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\F-Secure

2007-08-27 11:17 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Nokia Multimedia Player

2007-08-24 15:03 --------- d-------- C:\Program Files\Opera Software

2007-08-16 10:25 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\PC Suite

2007-08-02 07:50 --------- d-------- C:\Program Files\F-Secure

2007-08-02 07:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\fssg

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 12:01 767280 --a------ C:\WINDOWS\system32\ArcaMicroScanUpdater.exe

2007-07-20 10:34 847872 --a------ C:\WINDOWS\system32\ArcaOnline.dll

2007-07-13 08:16 --------- d-------- C:\Program Files\BitLord

2007-07-13 07:58 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe

2001-11-23 06:08 712704 -ra------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

2007-01-30 10:27:58 56 --sh–r C:\WINDOWS\system32\2791809BB4.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Cmaudio”=“cmicnfg.cpl” []

“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-03-09 09:29]

“nwiz”=“nwiz.exe” [2006-03-09 09:29 C:\WINDOWS\system32\nwiz.exe]

“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-03-09 09:29]

“F-Secure Manager”=“C:\Program Files\F-Secure\Common\FSM32.exe” [2007-06-20 15:31]

“F-Secure TNB”=“C:\Program Files\F-Secure\FSGUI\TNBUtil.exe” [2007-06-20 15:31]

“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 19:42]

“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50]

“CloneCDTray”=“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” [2005-05-19 15:47]

“TPPOLL”=“C:\Program Files\Topro\tppoll.exe” [2005-03-02 18:12]

“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]

“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-02-16 10:54]

“PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2007-03-23 13:20]

“PrevxOne”=“C:\Program Files\Prevx2\PXConsole.exe” [2007-08-29 11:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 14:00]

“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 18:24]

“H/PC Connection Agent”=“C:\PROGRA~1\MI3AA1~1\wcescomm.exe” [2005-11-15 19:44]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]

“Nokia.PCSync”=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys

R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure\HIPS\fshs.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 NTSIM;NTSIM;??\C:\WINDOWS\system32\ntsim.sys

S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys

S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e4e5918c-85bd-11db-9f1f-00138f2addb2}]

AutoRun\command- I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME

Contents of the ‘Scheduled Tasks’ folder

2007-09-03 13:09:21 C:\WINDOWS\Tasks\Scheduled task.job - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-07 09:27:00

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-09-07 9:27:55

C:\ComboFix-quarantined-files.txt … 2007-09-07 09:27

— E O F —

quote

Złączono Posta : 07.09.2007 (Pią) 9:44

logi z ComboFixa:

quote

ComboFix 07-08-30.3 - “Marek” 2007-09-07 9:25:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.250 [GMT 2:00]

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Autorun.inf

D:\Autorun.inf

G:\Autorun.inf

H:\Autorun.inf

((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))

2007-09-07 09:22 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-09-07 08:09

2007-09-06 14:57

2007-09-06 14:29 962 --a------ C:\WINDOWS\unins000.dat

2007-09-05 13:03 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2007-09-05 13:03 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2007-09-05 13:03 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2007-09-05 13:03 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys

2007-09-05 13:03 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2007-09-05 13:03

2007-09-05 13:03

2007-09-05 13:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

2007-08-31 11:55

2007-08-31 09:42

2007-08-31 08:45

2007-08-30 12:23

2007-08-30 12:23

2007-08-30 12:23

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 14:58 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-08-31 08:46 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Skype

2007-08-30 14:34 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\F-Secure

2007-08-27 11:17 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\Nokia Multimedia Player

2007-08-24 15:03 --------- d-------- C:\Program Files\Opera Software

2007-08-16 10:25 --------- d-------- C:\DOCUME~1\Marek\DANEAP~1\PC Suite

2007-08-02 07:50 --------- d-------- C:\Program Files\F-Secure

2007-08-02 07:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\fssg

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 12:01 767280 --a------ C:\WINDOWS\system32\ArcaMicroScanUpdater.exe

2007-07-20 10:34 847872 --a------ C:\WINDOWS\system32\ArcaOnline.dll

2007-07-13 08:16 --------- d-------- C:\Program Files\BitLord

2007-07-13 07:58 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 15:23 1034752 --a------ C:\WINDOWS\explorer.exe

2001-11-23 06:08 712704 -ra------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

2007-01-30 10:27:58 56 --sh--r C:\WINDOWS\system32\2791809BB4.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 09:29]

"nwiz"="nwiz.exe" [2006-03-09 09:29 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 09:29]

"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2007-06-20 15:31]

"F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-06-20 15:31]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]

"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 15:47]

"TPPOLL"="C:\Program Files\Topro\tppoll.exe" [2005-03-02 18:12]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]

"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [2007-08-29 11:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2005-11-15 19:44]

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]

"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys

R1 F-Secure HIPS;F-Secure HIPS;??\C:\Program Files\F-Secure\HIPS\fshs.sys

R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys

R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys

S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys

S3 NTSIM;NTSIM;??\C:\WINDOWS\system32\ntsim.sys

S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE

S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys

S4 F-Secure Filter;F-Secure File System Filter;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys

S4 F-Secure Recognizer;F-Secure File System Recognizer;??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e4e5918c-85bd-11db-9f1f-00138f2addb2}]

AutoRun\command- I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder

2007-09-03 13:09:21 C:\WINDOWS\Tasks\Scheduled task.job - C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-07 09:27:00

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-09-07 9:27:55

C:\ComboFix-quarantined-files.txt ... 2007-09-07 09:27

--- E O F ---

quote


That probably belongs to "KGyGaAvL.sys", so it is most likely fine.

But to be sure, you can check that file at http://virusscan.jotti.org/

Instructions on how to use JOTTI --> http://otfans.pl/forums/showthread.php?tid=552

or at http://www.virustotal.com/en/indexf.html

(it is used in much the same way as JOTTI).

I don't see anything else suspicious here.

Also run SDFix

Note: it can only be run in Safe Mode.

Post the Report.txt found in the SDFix folder.

And write whether the situation has improved now.

jessi