System resetting itself


(Kacprzakbartosz) #1

I'm pasting a friend's log here. I installed Bitdefender 8 for him and it detected nothing (he ran full scans), but when I gave him the Dr.Web cure tool it found 70 viruses (resets, system crashes). I can see plenty of junk DLLs in the log myself (I checked on a site that analyzes logs). I want to go into Safe Mode and remove the entries and files. To be on the safe side I'm asking the specialists for advice.

Logfile of HijackThis v1.99.1

Scan saved at 20:21:05, on 2007-05-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\COMMON~1\MBOLS~1\nopdb.exe

C:\Documents and Settings\RaFoŁeK\Dane aplikacji\W?nSxS\n?lookup.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\Nowy folder\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink?linkid=193

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {6FE732D5-666F-4331-94BF-5AA3DA9C0B4B} - C:\WINDOWS\system32\khfeffc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Tapa] "C:\PROGRA~1\COMMON~1\MBOLS~1\nopdb.exe" -vt yazb

O4 - HKCU\..\Run: [Ubvuv] "C:\Documents and Settings\RaFoŁeK\Dane aplikacji\W?nSxS\n?lookup.exe"

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{114C051B-D5EC-4595-A41C-B98BA44C8932}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{114C051B-D5EC-4595-A41C-B98BA44C8932}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip\..\{114C051B-D5EC-4595-A41C-B98BA44C8932}: NameServer = 194.204.159.1,194.204.152.34

O20 - Winlogon Notify: khfeffc - C:\WINDOWS\SYSTEM32\khfeffc.dll

O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi108755.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

(qrczak13) #2

Start > Run > cmd > type

sc stop aspi113210

sc delete aspi113210

Delete the files and folder marked in red manually in Safe Mode, and fix the entries in HJT.

In Safe Mode use VundoFix, FixVundo, VirtumundoBeGone

New logs from HJT and SilentRunners


(Kacprzakbartosz) #3
Logfile of HijackThis v1.99.1

Scan saved at 21:42:34, on 2007-05-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\PROGRA~1\COMMON~1\MBOLS~1\nopdb.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

D:\Instalki 2 na Kacper\Bajery\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink?linkid=193

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [Tapa] "C:\PROGRA~1\COMMON~1\MBOLS~1\nopdb.exe" -vt yazb

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{114C051B-D5EC-4595-A41C-B98BA44C8932}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{114C051B-D5EC-4595-A41C-B98BA44C8932}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip\..\{114C051B-D5EC-4595-A41C-B98BA44C8932}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi108755.exe (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[05/15/2007, 21:11:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RaFoŁeK\Pulpit\VirtumundoBeGone.exe" )

[05/15/2007, 21:11:50] - Detected System Information:

[05/15/2007, 21:11:50] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[05/15/2007, 21:11:50] - Current Username: RaFoŁeK (Admin)

[05/15/2007, 21:11:50] - Windows is in SAFE mode with Networking.

[05/15/2007, 21:11:50] - Searching for Browser Helper Objects:

[05/15/2007, 21:11:50] - BHO 1: {6FE732D5-666F-4331-94BF-5AA3DA9C0B4B} ()

[05/15/2007, 21:11:50] - WARNING: BHO has no default name. Checking for Winlogon reference.

[05/15/2007, 21:11:50] - Checking for HKLM\...\Winlogon\Notify\khfeffc

[05/15/2007, 21:11:50] - Found: HKLM\...\Winlogon\Notify\khfeffc - This is probably Virtumundo.

[05/15/2007, 21:11:50] - Assigning {6FE732D5-666F-4331-94BF-5AA3DA9C0B4B} MSEvents Object

[05/15/2007, 21:11:50] - BHO list has been changed! Starting over...

[05/15/2007, 21:11:50] - BHO 1: {6FE732D5-666F-4331-94BF-5AA3DA9C0B4B} (MSEvents Object)

[05/15/2007, 21:11:50] - ALERT: Found MSEvents Object!

[05/15/2007, 21:11:50] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[05/15/2007, 21:11:50] - Finished Searching Browser Helper Objects

[05/15/2007, 21:11:50] - *** Detected MSEvents Object

[05/15/2007, 21:11:50] - Trying to remove MSEvents Object...

[05/15/2007, 21:11:51] - Terminating Process: IEXPLORE.EXE

[05/15/2007, 21:11:52] - Terminating Process: RUNDLL32.EXE

[05/15/2007, 21:11:52] - Disabling Automatic Shell Restart

[05/15/2007, 21:11:52] - Terminating Process: EXPLORER.EXE

[05/15/2007, 21:11:52] - Suspending the NT Session Manager System Service

[05/15/2007, 21:11:52] - Terminating Windows NT Logon/Logoff Manager

[05/15/2007, 21:11:52] - Re-enabling Automatic Shell Restart

[05/15/2007, 21:11:52] - File to disable: C:\WINDOWS\system32\khfeffc.dll

[05/15/2007, 21:11:52] - Renaming C:\WINDOWS\system32\khfeffc.dll -> C:\WINDOWS\system32\khfeffc.dll.vir

[05/15/2007, 21:11:52] - File successfully renamed!

[05/15/2007, 21:11:52] - Removing HKLM\...\Browser Helper Objects\{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}

[05/15/2007, 21:11:52] - Removing HKCR\CLSID\{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}

[05/15/2007, 21:11:52] - Adding Kill Bit for ActiveX for GUID: {6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}

[05/15/2007, 21:11:52] - Deleting ATLEvents/MSEvents Registry entries

[05/15/2007, 21:11:52] - Removing HKLM\...\Winlogon\Notify\khfeffc

[05/15/2007, 21:11:52] - Searching for Browser Helper Objects:

[05/15/2007, 21:11:52] - BHO 1: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[05/15/2007, 21:11:52] - Finished Searching Browser Helper Objects

[05/15/2007, 21:11:52] - Finishing up...

[05/15/2007, 21:11:52] - A restart is needed.

[05/15/2007, 21:11:58] - Attempting to Restart via STOP error (Blue Screen!)


[05/15/2007, 21:37:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RaFoŁeK\Pulpit\VirtumundoBeGone.exe" )

[05/15/2007, 21:37:29] - Detected System Information:

[05/15/2007, 21:37:29] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[05/15/2007, 21:37:29] - Current Username: RaFoŁeK (Admin)

[05/15/2007, 21:37:29] - Windows is in SAFE mode with Networking.

[05/15/2007, 21:37:29] - Searching for Browser Helper Objects:

[05/15/2007, 21:37:29] - BHO 1: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[05/15/2007, 21:37:29] - Finished Searching Browser Helper Objects

[05/15/2007, 21:37:29] - Finishing up...

[05/15/2007, 21:37:29] - Nothing found! Exiting...
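A small triage script written for this thread (not a tool from any of the posts above) that flags the indicators the replies act on: an unnamed O2 BHO whose DLL name also appears as an O20 Winlogon Notify entry (the same cross-check VirtumundoBeGone logs above), O4 Run entries with unprintable characters in the path, O20 entries whose DLL is missing, and O23 services with an unknown owner and a missing file, for which it prints the sc commands from reply #2. The sample lines are constructed from the log posted above with the username replaced.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the entries posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6FE732D5-666F-4331-94BF-5AA3DA9C0B4B} - C:\WINDOWS\system32\khfeffc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKCU\..\Run: [Ubvuv] "C:\Documents and Settings\User\Dane aplikacji\W?nSxS\n?lookup.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O20 - Winlogon Notify: khfeffc - C:\WINDOWS\SYSTEM32\khfeffc.dll
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi108755.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for HijackThis entries matching the indicators above."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    # Collect Winlogon Notify names first: an unnamed BHO that shares a name with one
    # is the Vundo/Virtumundo pattern VirtumundoBeGone checks for.
    notify = set()
    for line in lines:
        m = re.match(r"O20 - Winlogon Notify: (\S+) -", line)
        if m:
            notify.add(m.group(1).lower())
    findings = []
    for line in lines:
        if line.startswith("O2 - BHO: (no name)"):
            stem = line.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()  # DLL name without extension
            why = "unnamed BHO"
            if stem in notify:
                why += " with matching Winlogon Notify entry (Vundo pattern)"
            findings.append((why, line))
        elif line.startswith("O4 ") and "?" in line:
            findings.append(("Run entry with unprintable characters in path", line))
        elif line.startswith("O20 ") and "(file missing)" in line:
            findings.append(("Winlogon Notify entry pointing at missing DLL", line))
        elif line.startswith("O23 ") and "Unknown owner" in line and "(file missing)" in line:
            svc = re.search(r"\(([^()]+)\) - Unknown owner", line).group(1)  # short service name
            findings.append((f"orphaned service {svc}: sc stop {svc} / sc delete {svc}", line))
    return findings


if __name__ == "__main__":
    for why, entry in triage(SAMPLE_LOG):
        print(f"[{why}] {entry}")
```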

(Gutek) #4

Post a ComboFix log - there's still junk left


(Kacprzakbartosz) #5
"RaFoŁeK" - 2007-05-16 7:24:02 Dodatek Service Pack 2

(Gutek) #6

Log is clean :wink: