Fighting opgde.exe


(Lao1) #1

Hi, I've been fighting opgde.exe for two days.

After deleting

c:\opgde.exe

c:\autorun.inf

d:\opgde.exe

d:\autorun.inf

e:\opgde.exe

e:\autorun.inf

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrmwert.exe

I couldn't delete

c:\windows\system32\nmdfgds0.dll

I ran ComboFix.

Here's the log below.

What should I do? Help!

ComboFix 09-02-12.03 - leszek 2009-02-13 20:41:54.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.2047.1584 [GMT 1:00]

Running from: C:\ComboFix.exe

AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)

FW: BitDefender Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\nmdfgds0.dll

.

((((((((((((((((((((((((( Files created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))

.

2009-02-13 20:16 . 2009-02-13 20:16 2,921,379 -ra------ C:\ComboFix.exe

2009-02-12 21:56 . 2009-02-12 21:56

2009-02-12 21:56 . 2009-02-13 19:38

2009-02-12 21:56 . 2009-02-12 21:56 21,512 --a------ c:\windows\system32\drivers\pxscan.sys

2009-02-12 21:56 . 2009-02-13 19:36 64 --a------ c:\windows\wininit.ini

2009-02-12 21:55 . 2009-02-12 21:55 22,331,384 --a------ C:\drweb-500-win.exe

2009-02-12 21:55 . 2009-02-12 21:55 848,440 --a------ C:\3CA08EDC279E41B8A28D.EXE

2009-02-12 21:52 . 2009-02-12 21:52 12,505,488 --a------ C:\launch.exe

2009-02-12 20:05 . 2009-02-12 19:28 50,688 --a------ C:\ATF-Cleaner.exe

2009-02-12 18:25 . 2009-02-12 18:25

2009-02-12 17:24 . 2009-02-12 17:24

2009-02-12 17:24 . 2009-02-12 17:24

2009-02-12 17:24 . 2009-02-12 17:24

2009-02-12 17:22 . 2009-02-12 17:24

2009-02-12 17:17 . 2009-02-12 17:17

2009-02-12 16:31 . 2008-12-11 11:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys

2009-02-12 16:29 . 2004-08-04 00:35 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys

2009-02-12 16:18 . 2008-08-14 14:26 2,190,464 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-12 16:18 . 2008-08-14 14:26 2,146,816 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-12 16:18 . 2008-08-14 14:26 2,067,328 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-12 16:18 . 2008-08-14 14:26 2,025,472 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-12 16:18 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-02-12 16:18 . 2008-10-15 17:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2009-02-12 16:17 . 2008-09-15 16:27 1,846,656 -----c--- c:\windows\system32\dllcache\win32k.sys

2009-02-12 16:16 . 2008-04-11 20:06 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-02-12 16:15 . 2008-06-14 18:36 273,024 --------- c:\windows\system32\drivers\bthport.sys

2009-02-12 16:15 . 2008-06-14 18:36 273,024 -----c--- c:\windows\system32\dllcache\bthport.sys

2009-02-12 16:15 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys

2009-02-12 16:09 . 2009-02-12 16:09 850 --a------ c:\windows\system32\ProductTweaks.xml

2009-02-12 16:09 . 2009-02-12 16:09 385 --a------ c:\windows\system32\user_gensett.xml

2009-02-12 15:42 . 2009-02-12 17:24

2009-02-12 15:42 . 2008-12-21 00:03 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-02-12 15:42 . 2007-04-17 10:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-02-12 15:42 . 2007-03-08 06:11 1,036,288 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-02-12 15:42 . 2008-12-21 00:03 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-02-12 15:42 . 2008-12-21 00:03 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-02-12 15:42 . 2008-12-21 00:03 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-02-12 15:42 . 2008-12-21 00:03 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-02-12 15:42 . 2008-12-21 00:03 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-02-12 15:42 . 2008-12-19 10:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-02-12 15:31 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll

2009-02-12 14:48 . 2009-02-12 14:48 334 --a------ c:\windows\system32\BDUpdateV1.xml

2009-02-12 14:17 . 2009-02-12 14:17

2009-02-12 14:17 . 2009-02-12 14:17

2009-02-12 14:17 . 2009-02-12 14:18

2009-02-12 14:16 . 2009-02-12 14:17

2009-02-11 18:48 . 2009-02-11 18:48 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-11 18:48 . 2009-02-11 18:48 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-12 12:44 --------- d-----w c:\program files\Common Files\G DATA

2009-02-12 12:43 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\G DATA

2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-19 11:31 --------- d-----w c:\program files\DOSBox-0.72

2008-12-19 10:42 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-16 13:41 --------- d-----w c:\program files\softxpansion

.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries and legitimate default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{09941640-d3fa-4943-8e5c-8f838e4b058b}"= "c:\program files\softxpansion\tbsoft.dll" [2007-08-28 1440792]

[HKEY_CLASSES_ROOT\clsid{09941640-d3fa-4943-8e5c-8f838e4b058b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects{09941640-d3fa-4943-8e5c-8f838e4b058b}]

2007-08-28 14:19 1440792 --a------ c:\program files\softxpansion\tbsoft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{09941640-d3fa-4943-8e5c-8f838e4b058b}"= "c:\program files\softxpansion\tbsoft.dll" [2007-08-28 1440792]

[HKEY_CLASSES_ROOT\clsid{09941640-d3fa-4943-8e5c-8f838e4b058b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{09941640-D3FA-4943-8E5C-8F838E4B058B}"= "c:\program files\softxpansion\tbsoft.dll" [2007-08-28 1440792]

[HKEY_CLASSES_ROOT\clsid{09941640-d3fa-4943-8e5c-8f838e4b058b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-10-30 741376]

"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"EasyTuneV"="c:\program files\Gigabyte\ET5\ETcall.exe" [2006-12-15 31552]

"DT PHL"="c:\program files\Philips Display\SmartControl II\DTHtml.exe" [2007-07-27 292352]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"QuickTime Task"="d:\q\qttask.exe" [2007-08-29 155648]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

"d:\Program Files\ArchiCAD 8\ArchiCAD.exe"=

"d:\Program Files\Diablo II\Diablo II.exe"=

"e:\Diablo\diablo.exe"=

"d:\7-Zip\7zFMn.exe"=

"c:\Program Files\Gadu-Gadu\gg.exe"=

"%windir%\Network Diagnostic\xpnetdiag.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-12 21512]

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-09-04 82440]

R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-12 4107832]

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104328]

S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3c0a1ba2-c778-11dd-a163-001a4d2e1a93}]

\Shell\AutoRun\command - G:\bo1dhu.bat

\Shell\explore\Command - G:\bo1dhu.bat

\Shell\open\Command - G:\bo1dhu.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4cc916f2-5bbb-11dc-9f5e-001a4d2e1a93}]

\Shell\AutoRun\command - EXPLORER.EXE

\Shell\explore\Command - EXPLORER.EXE

\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4e1ba3ec-59e2-11dc-9f54-001a4d2e1a93}]

\Shell\AutoRun\command - G:\bo1dhu.bat

\Shell\explore\Command - G:\bo1dhu.bat

\Shell\open\Command - G:\bo1dhu.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{6bc25d30-7ea0-11dd-a0fe-001a4d2e1a93}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

- - - - EMPTY (ORPHANED) ENTRIES REMOVED - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe

MSConfigStartUp-kamsoft - c:\windows\system32\ckvo.exe

.

------- Supplementary scan -------

.

uStart Page = hxxp://www.google.pl/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-13 20:42:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-02-13 20:43:57

ComboFix-quarantined-files.txt 2009-02-13 19:43:55

Pre-Run: 23,691,206,656 bytes free

Post-Run: 23,776,083,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

180 --- E O F --- 2007-08-30 08:18:20

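The MountPoints2 keys in the log above are where this kind of infection keeps showing up after the files themselves are gone: Explorer remembers, per removable volume, which command autorun.inf pointed at, so a stale G:\bo1dhu.bat handler can still be fired by a double-click on the drive. The script below is an added example for this thread; it is not ComboFix code and not something either poster wrote. It groups the \Shell\<verb>\command lines under their volume key and ranks them. The sample lines are copied from the log above (with the backslash the forum dropped before the {GUID} accepted either way); the severity rules, including the list of script extensions, are assumptions of the example. LaunchU3.exe is the launcher shipped on U3 flash drives, so it is only marked for review, not flagged.

```python
"""Triage the MountPoints2 section of a ComboFix log for autorun worm traces.

Added example for this thread; not ComboFix output handling and not code
from either poster. Sample lines are copied from the log above; the
severity rules are this example's own assumptions.
"""
import os
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{3c0a1ba2-c778-11dd-a163-001a4d2e1a93}]
\Shell\AutoRun\command - G:\bo1dhu.bat
\Shell\explore\Command - G:\bo1dhu.bat
\Shell\open\Command - G:\bo1dhu.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4cc916f2-5bbb-11dc-9f5e-001a4d2e1a93}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
"""

# The forum stripped the backslash before "{GUID}", so the separator is optional.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\?([^\]]+)\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)

# Extensions a vendor launcher does not use but autorun worms routinely do
# (assumption of this example).
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".scr", ".pif", ".com"}


@dataclass
class Finding:
    volume: str                                   # drive letter or {GUID} from the key
    commands: dict = field(default_factory=dict)  # verb -> command line
    severity: str = "info"                        # info | review | high
    reasons: list = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the program part of a command line (quoted path or first token)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def parse_mountpoints(log_text: str) -> list:
    """Group the Shell\\<verb>\\command lines under their MountPoints2 key."""
    findings, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = Finding(volume=key.group(1))
            findings.append(current)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            current.commands[cmd.group(1).lower()] = cmd.group(2)
    return findings


def classify(finding: Finding) -> Finding:
    """Assign a severity from the command lines recorded for one volume."""
    cmds = {c.strip().lower() for c in finding.commands.values()}
    exes = {executable_of(c) for c in cmds}

    # Bare EXPLORER.EXE with no path is what a plain data volume records.
    if exes == {"explorer.exe"}:
        finding.severity = "info"
        finding.reasons.append("default handler (bare EXPLORER.EXE)")
        return finding

    for exe in exes:
        if os.path.splitext(exe)[1] in SCRIPT_EXTS:
            finding.severity = "high"
            finding.reasons.append(f"script/odd executable {exe} run from the volume")
    # Worms point open *and* explore at their dropper so a double-click on the
    # drive runs it even with AutoRun off; a vendor launcher only sets AutoRun.
    if {"open", "explore"} <= set(finding.commands) and len(cmds) == 1:
        finding.severity = "high"
        finding.reasons.append("open/explore verbs redirected to the same file")
    if finding.severity != "high":
        finding.severity = "review"
        finding.reasons.append("runs a program stored on the removable volume; verify it is the vendor launcher")
    return finding


def triage(log_text: str = SAMPLE_LOG) -> list:
    return [classify(f) for f in parse_mountpoints(log_text)]


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity:6}] {f.volume}: {'; '.join(f.reasons)}")
        for verb, cmd in f.commands.items():
            print(f"         {verb:8} -> {cmd}")
```

Run it against a saved ComboFix log by passing the file contents to triage(); the two {GUID} keys with a "high" result are the ones to delete under HKCU\...\Explorer\MountPoints2 after the drive itself has been cleaned, otherwise Explorer recreates the association the next time the same stick is plugged in.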


(huber2t) #2

To clean the pendrive of viruses, use these programs

Open Notepad and paste

From the Notepad menu -> File -> Save As -> change the file type from .txt to All Files -> save it as Fix.reg

Run that file, then restart the computer.

Manually delete the C:\Qoobox folder and ComboFix, and delete the ComboFix installer from the disk.

Clean the system with CCleaner.

Optimize the startup entries.

Disable and re-enable System Restore on all drives. Instructions

Scan the whole computer with http://www.kaspersky.pl/virusscanner.html and post its report on the forum.
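Before handing the pendrive to a cleanup tool it helps to read its autorun.inf yourself, because that file names the dropper the worm wants launched (here it would be opgde.exe on each drive root). The script below is an added example for this thread, not code from the reply above or from any of the programs it links. The autorun.inf text is constructed for the example; only the file name opgde.exe comes from the post, and the padding lines and mixed-case keys imitate the tricks used to confuse naive line-by-line scanners. It pulls out every key that can execute something (open, shellexecute, shell\<verb>\command), ignores other sections and junk, and builds a deletion plan from a listing of the drive root.

```python
"""Parse a worm-style autorun.inf from a pendrive and plan its cleanup.

Added example for this thread; not code from either poster or from the
cleanup tools mentioned. SAMPLE_AUTORUN_INF is constructed; only the
file name opgde.exe is taken from the post.
"""
import re

# Constructed sample: junk lines, a decoy section and mixed-case keys.
SAMPLE_AUTORUN_INF = r"""
;xZq#!f(*A7 junk before the section
[AuToRuN]
 ;another junk comment
OPEN=opgde.exe
shell\open=Open(&O)
shell\open\Command=opgde.exe
shell\explore\COMMAND=opgde.exe
ShellExecute=opgde.exe
useautoplay=1
[othersection]
open=should_be_ignored.exe
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([^=;]+?)\s*=\s*(.*?)\s*$")
# Keys whose value is a command line that AutoRun/AutoPlay would execute.
EXEC_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def executable_of(command: str) -> str:
    """Return the program part of a command line (quoted path or first token)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def referenced_launchers(inf_text: str) -> dict:
    """Map each executing key in the [autorun] section to the file it runs."""
    launchers, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        kv = KV_RE.match(line)
        if not (in_autorun and kv):
            continue  # junk lines and keys in unrelated sections are ignored
        key = kv.group(1).strip().lower()
        if EXEC_KEY_RE.match(key):
            launchers[key] = executable_of(kv.group(2))
    return launchers


def plan_cleanup(inf_text: str, root_listing: list) -> dict:
    """Decide what to delete on the drive root, given its file listing.

    Returns {"delete": [...], "missing": [...]}: referenced launchers that
    exist on the drive are queued for deletion together with autorun.inf
    itself; referenced names that are not present are reported so the
    analyst can look for them elsewhere on the stick.
    """
    present = {name.lower(): name for name in root_listing}
    targets = {exe.lower() for exe in referenced_launchers(inf_text).values() if exe}
    delete = [present[n] for n in sorted(targets) if n in present]
    missing = sorted(targets - set(present))
    if "autorun.inf" in present:
        delete.append(present["autorun.inf"])
    return {"delete": delete, "missing": missing}


if __name__ == "__main__":
    # Constructed directory listing of the pendrive root.
    listing = ["OPGDE.EXE", "autorun.inf", "Documents", "photo.jpg"]
    print(referenced_launchers(SAMPLE_AUTORUN_INF))
    print(plan_cleanup(SAMPLE_AUTORUN_INF, listing))
```

Names are compared case-insensitively because FAT volumes are, and a listing taken with hidden and system attributes shown is needed, since the dropper and autorun.inf are normally marked +h +s. After the files are gone, the stale MountPoints2 handlers on the PC still have to be removed, which is what the Fix.reg step in the reply is for.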