Hi, I've been fighting opgde.exe for two days.
After deleting
c:\opgde.exe
c:\autorun.inf
d:\opgde.exe
d:\autorun.inf
e:\opgde.exe
e:\autorun.inf
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrmwert.exe
I could not delete
c:\windows\system32\nmdfgds0.dll
I ran ComboFix;
here is the log below.
What should I do? Help!
ComboFix 09-02-12.03 - leszek 2009-02-13 20:41:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.2047.1584 [GMT 1:00]
Running from: C:\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)
FW: BitDefender Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\nmdfgds0.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.
2009-02-13 20:16 . 2009-02-13 20:16 2,921,379 -ra------ C:\ComboFix.exe
2009-02-12 21:56 . 2009-02-12 21:56
2009-02-12 21:56 . 2009-02-13 19:38
2009-02-12 21:56 . 2009-02-12 21:56 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-12 21:56 . 2009-02-13 19:36 64 --a------ c:\windows\wininit.ini
2009-02-12 21:55 . 2009-02-12 21:55 22,331,384 --a------ C:\drweb-500-win.exe
2009-02-12 21:55 . 2009-02-12 21:55 848,440 --a------ C:\3CA08EDC279E41B8A28D.EXE
2009-02-12 21:52 . 2009-02-12 21:52 12,505,488 --a------ C:\launch.exe
2009-02-12 20:05 . 2009-02-12 19:28 50,688 --a------ C:\ATF-Cleaner.exe
2009-02-12 18:25 . 2009-02-12 18:25
2009-02-12 17:24 . 2009-02-12 17:24
2009-02-12 17:24 . 2009-02-12 17:24
2009-02-12 17:24 . 2009-02-12 17:24
2009-02-12 17:22 . 2009-02-12 17:24
2009-02-12 17:17 . 2009-02-12 17:17
2009-02-12 16:31 . 2008-12-11 11:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-12 16:29 . 2004-08-04 00:35 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2009-02-12 16:18 . 2008-08-14 14:26 2,190,464 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-12 16:18 . 2008-08-14 14:26 2,146,816 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-12 16:18 . 2008-08-14 14:26 2,067,328 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-12 16:18 . 2008-08-14 14:26 2,025,472 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-12 16:18 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-12 16:18 . 2008-10-15 17:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-12 16:17 . 2008-09-15 16:27 1,846,656 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-12 16:16 . 2008-04-11 20:06 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-02-12 16:15 . 2008-06-14 18:36 273,024 --------- c:\windows\system32\drivers\bthport.sys
2009-02-12 16:15 . 2008-06-14 18:36 273,024 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-12 16:15 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-02-12 16:09 . 2009-02-12 16:09 850 --a------ c:\windows\system32\ProductTweaks.xml
2009-02-12 16:09 . 2009-02-12 16:09 385 --a------ c:\windows\system32\user_gensett.xml
2009-02-12 15:42 . 2009-02-12 17:24
2009-02-12 15:42 . 2008-12-21 00:03 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-12 15:42 . 2007-04-17 10:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-12 15:42 . 2007-03-08 06:11 1,036,288 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-12 15:42 . 2008-12-21 00:03 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-12 15:42 . 2008-12-21 00:03 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-12 15:42 . 2008-12-21 00:03 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-12 15:42 . 2008-12-21 00:03 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-12 15:42 . 2008-12-21 00:03 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-12 15:42 . 2008-12-19 10:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-12 15:31 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-02-12 14:48 . 2009-02-12 14:48 334 --a------ c:\windows\system32\BDUpdateV1.xml
2009-02-12 14:17 . 2009-02-12 14:17
2009-02-12 14:17 . 2009-02-12 14:17
2009-02-12 14:17 . 2009-02-12 14:18
2009-02-12 14:16 . 2009-02-12 14:17
2009-02-11 18:48 . 2009-02-11 18:48 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-11 18:48 . 2009-02-11 18:48 1,409 --a------ c:\windows\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 12:44 --------- d-----w c:\program files\Common Files\G DATA
2009-02-12 12:43 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\G DATA
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-19 11:31 --------- d-----w c:\program files\DOSBox-0.72
2008-12-19 10:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 13:41 --------- d-----w c:\program files\softxpansion
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{09941640-d3fa-4943-8e5c-8f838e4b058b}"= "c:\program files\softxpansion\tbsoft.dll" [2007-08-28 1440792]
[HKEY_CLASSES_ROOT\clsid\{09941640-d3fa-4943-8e5c-8f838e4b058b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09941640-d3fa-4943-8e5c-8f838e4b058b}]
2007-08-28 14:19 1440792 --a------ c:\program files\softxpansion\tbsoft.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{09941640-d3fa-4943-8e5c-8f838e4b058b}"= "c:\program files\softxpansion\tbsoft.dll" [2007-08-28 1440792]
[HKEY_CLASSES_ROOT\clsid\{09941640-d3fa-4943-8e5c-8f838e4b058b}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{09941640-D3FA-4943-8E5C-8F838E4B058B}"= "c:\program files\softxpansion\tbsoft.dll" [2007-08-28 1440792]
[HKEY_CLASSES_ROOT\clsid\{09941640-d3fa-4943-8e5c-8f838e4b058b}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-06 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-10-30 741376]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-10-17 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"EasyTuneV"="c:\program files\Gigabyte\ET5\ETcall.exe" [2006-12-15 31552]
"DT PHL"="c:\program files\Philips Display\SmartControl II\DTHtml.exe" [2007-07-27 292352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="d:\q\qttask.exe" [2007-08-29 155648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"d:\Program Files\ArchiCAD 8\ArchiCAD.exe"=
"d:\Program Files\Diablo II\Diablo II.exe"=
"e:\Diablo\diablo.exe"=
"d:\7-Zip\7zFMn.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-12 21512]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-09-04 82440]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-12 4107832]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c0a1ba2-c778-11dd-a163-001a4d2e1a93}]
\Shell\AutoRun\command - G:\bo1dhu.bat
\Shell\explore\Command - G:\bo1dhu.bat
\Shell\open\Command - G:\bo1dhu.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cc916f2-5bbb-11dc-9f5e-001a4d2e1a93}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e1ba3ec-59e2-11dc-9f54-001a4d2e1a93}]
\Shell\AutoRun\command - G:\bo1dhu.bat
\Shell\explore\Command - G:\bo1dhu.bat
\Shell\open\Command - G:\bo1dhu.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bc25d30-7ea0-11dd-a0fe-001a4d2e1a93}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
MSConfigStartUp-kamsoft - c:\windows\system32\ckvo.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - hxxp://www.mks.com.pl/skaner/SkanerOnline.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 20:42:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-13 20:43:57
ComboFix-quarantined-files.txt 2009-02-13 19:43:55
Pre-Run: 23,691,206,656 bytes free
Post-Run: 23,776,083,968 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Home Edition” /noexecute=optin /fastdetect
180 --- E O F --- 2007-08-30 08:18:20
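The MountPoints2 keys in the log above are where Explorer caches, per volume GUID, the AutoRun/open/explore shell handlers it read from a removable drive's autorun.inf; a key whose three verbs all point at a batch file in the root of G: (here bo1dhu.bat) is the fingerprint of an autorun worm even after the files on the stick are gone, because the cached handler re-runs the file when the same volume is plugged in again. The following script is an added example, not part of the original post or of ComboFix: it parses the MountPoints2 section of a ComboFix log (the sample text is a constructed excerpt copied from the log above) and reports every volume whose handlers launch something other than a short allowlist. The allowlist (`EXPLORER.EXE` and the U3 launcher `LaunchU3.exe`) is an assumption for this example; tune it to what you expect on your own machines.

```python
import re
from collections import defaultdict

# Constructed excerpt of the MountPoints2 part of the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c0a1ba2-c778-11dd-a163-001a4d2e1a93}]
\Shell\AutoRun\command - G:\bo1dhu.bat
\Shell\explore\Command - G:\bo1dhu.bat
\Shell\open\Command - G:\bo1dhu.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cc916f2-5bbb-11dc-9f5e-001a4d2e1a93}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
"""

# A MountPoints2 key: "[...\mountpoints2\<drive letter or {GUID}>]"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]*\\mountpoints2\\(?P<vol>[^\]]+))\]$", re.I)
# A shell verb line as ComboFix prints it: "\Shell\<verb>\command - <command line>"
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)

# Assumption for this example: only Explorer itself and the SanDisk U3 launcher
# are expected handlers; anything else on a removable volume is reported.
BENIGN = {"explorer.exe", "launchu3.exe"}


def parse_mountpoints(text):
    """Return {volume: {verb: command}} for every MountPoints2 key in a ComboFix log."""
    result = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("vol")
            result[current]          # record the volume even if no verb follows
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            result[current][m.group("verb").lower()] = m.group("cmd").strip()
        elif line.startswith("["):
            current = None           # some other registry key: leave the section
    return dict(result)


def executable_name(cmd):
    """Base name of the program a handler runs, e.g. 'G:\\bo1dhu.bat -x' -> 'bo1dhu.bat'."""
    token = cmd.split()[0].strip('"')
    return token.rsplit("\\", 1)[-1].lower()


def suspicious_volumes(parsed):
    """Volumes whose handlers run something not on the allowlist.

    Returns {volume: [(verb, command), ...]} with verbs in sorted order."""
    hits = {}
    for vol, verbs in parsed.items():
        bad = [(verb, cmd) for verb, cmd in sorted(verbs.items())
               if executable_name(cmd) not in BENIGN]
        if bad:
            hits[vol] = bad
    return hits


if __name__ == "__main__":
    for vol, handlers in suspicious_volumes(parse_mountpoints(SAMPLE_LOG)).items():
        print("hijacked handlers on volume", vol)
        for verb, cmd in handlers:
            print("   ", verb, "->", cmd)
```

On a live XP machine the same check is done against `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2` directly; deleting the flagged subkeys (or the whole MountPoints2 key, which Explorer rebuilds) removes the cached handler, but it does not clean the stick itself, so the autorun.inf and the referenced file on every removable drive still have to go.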