UrBaN
(Mop Daniokloc)
17 January 2007 22:47
#1
Sometimes my internet connection, and the whole computer in general, slows down sharply, and I'm sure there is some kind of malware on my PC. Here is the HT log:
Logfile of HijackThis v1.99.1
Scan saved at 23:56:18, on 2007-01-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ja\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp664B.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: UCmore Toolbar - {53CBEE82-D747-11d3-9ED0-005004189684} - C:\Program Files\UCmore\UCMIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM…\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [AQQ] E:\AQQ\AQQ.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\ja\Ustawienia lokalne\Temp{CC0E4F85-34FA-4FE2-93B7-8B9694484EA5}{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O17 - HKLM\System\CCS\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM\System\CCS\Services\Tcpip…{4EA9B0B6-4E50-4672-96AF-B300E0405FFB}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
Joan
(Joan Sunshine)
17 January 2007 23:02
#2
Use the FixWareOut tool.
Go to Start --> Run --> services.msc --> stop and disable the "Windows Log" service.
Fix these entries; the ones marked in red you delete manually from disk in Safe Mode:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp664B.tmp
O3 - Toolbar: UCmore Toolbar - {53CBEE82-D747-11d3-9ED0-005004189684} - C:\Program Files\UCmore\UCMIE.dll
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\ja\Ustawienia lokalne\Temp{CC0E4F85-34FA-4FE2-93B7-8B9694484EA5}{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O17 - HKLM\System\CCS\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip…{4EA9B0B6-4E50-4672-96AF-B300E0405FFB}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
Use ATF-Cleaner – it will clean out the temp folders.
After these steps, post new logs from HijackThis and Silent Runners (select No and wait until it finishes working in the background) + C:\Fixwareout\report.txt
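As an added example (not a tool used in this thread), the following Python script applies the same kind of triage Joan does by hand to HijackThis entries in the format posted above: O17 NameServer values outside an allowlist of the ISP's resolvers (assumed here to be the two seen on the second interface), an O2 BHO loaded from a *.tmp file, an O4 Run entry that reuses a core Windows process name from a directory other than system32, and an O23 service with an unknown owner under system32. The sample entries are constructed to mirror the log, and the resolver allowlist is an assumption.

```python
"""Triage checks over HijackThis-style log entries (added example, not the
thread's tooling). Each finding is a (kind, detail) pair meant for review."""
import re

# Core Windows process names and the only directory they should run from.
CORE_DIR = r"c:\windows\system32"
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}

O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9a-f-]+\} - (.+?)(?: \(file missing\))?$", re.I)
O4_RE = re.compile(r"^O4 - .*?: \[(.+?)\] (.+)$")       # [name] command line
O17_RE = re.compile(r"^O17 - .*: NameServer = (.+)$")   # per-interface resolvers
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")  # name - owner - path
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.I)           # first .exe in a command line


def core_process_misplaced(path):
    """True when a core process name runs from a directory other than system32."""
    directory, _, name = path.rpartition("\\")
    return name.lower() in CORE_PROCESSES and directory.lower() != CORE_DIR


def triage(lines, dns_allowlist):
    """Return review findings for the four checks named in the lead-in."""
    allow = set(dns_allowlist)
    findings = []
    for line in (l.strip() for l in lines):
        if m := O2_RE.match(line):                       # BHO loaded from a *.tmp
            if m.group(1).lower().endswith(".tmp"):
                findings.append(("bho-tmp", m.group(1)))
        elif m := O4_RE.match(line):                     # Run key reusing a core name
            exe = EXE_RE.match(m.group(2))
            if exe and core_process_misplaced(exe.group(1)):
                findings.append(("run-masquerade", f"[{m.group(1)}] {exe.group(1)}"))
        elif m := O17_RE.match(line):                    # resolvers not on the allowlist
            rogue = [ip for ip in re.split(r"[,\s]+", m.group(1)) if ip and ip not in allow]
            if rogue:
                findings.append(("dns", ",".join(rogue)))
        elif m := O23_RE.match(line):                    # unknown-owner service in system32
            name, owner, path = m.groups()
            if owner == "Unknown owner" and path.lower().startswith(CORE_DIR + "\\"):
                findings.append(("service", f"{name}: {path}"))
    return findings


# Constructed sample in the shape of the log above; the ISP resolver list is an assumption.
SAMPLE_LOG = [
    r"O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp664B.tmp",
    r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer = 83.238.255.76 213.241.79.37",
    r"O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe",
]
ISP_RESOLVERS = ["83.238.255.76", "213.241.79.37"]
```

Running `triage(SAMPLE_LOG, ISP_RESOLVERS)` yields four findings, one per check; the legitimate ATIPTA entry and the ISP-resolver interface produce none.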
UrBaN
(Mop Daniokloc)
18 January 2007 01:31
#3
HT:
Logfile of HijackThis v1.99.1
Scan saved at 02:36:26, on 2007-01-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ja\USTAWI~1\Temp\Rar$EX00.703\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7E28.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: UCmore Toolbar - {53CBEE82-D747-11d3-9ED0-005004189684} - C:\Program Files\UCmore\UCMIE.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM…\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [AQQ] E:\AQQ\AQQ.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\ja\Ustawienia lokalne\Temp{CC0E4F85-34FA-4FE2-93B7-8B9694484EA5}{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O17 - HKLM\System\CCS\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM\System\CCS\Services\Tcpip…{4EA9B0B6-4E50-4672-96AF-B300E0405FFB}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
Silent Runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"AQQ" = "E:\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
".nvsvc" = "C:\WINDOWS\system\smss.exe /w" [file not found]
"AGEIA PhysX SysTray" = "C:\Program Files\AGEIA Technologies\TrayIcon.exe" [null data]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{b0398eca-0bcd-4645-8261-5e9dc70248d0}(Default) = (no title provided)
  -> {HKLM…CLSID} = "Nothing"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hp7E28.tmp" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM…CLSID} = "avast"
                   \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
And Fixwareout:
Fixwareout Last edited 1/14/2006
Post this report in the forums please
…
Prerun check
»»»»» HKLM run and Winlogon System values
»»»»»
System restarted
…
Reg Entries that were deleted
…
Random Runs removed from HKLM
…
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names…
»»»»» Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»
Everything done, only this entry wasn't there!
Posts merged: 18.01.2007 (Thu) 2:33
If I did something wrong, correct me.
adam9870
(adam9870)
18 January 2007 13:20
#4
Don't keep HijackThis in TEMP. Put it on the desktop, for example.
Additionally in the log:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp7E28.tmp
O3 - Toolbar: UCmore Toolbar - {53CBEE82-D747-11d3-9ED0-005004189684} - C:\Program Files\UCmore\UCMIE.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\ja\Ustawienia lokalne\Temp{CC0E4F85-34FA-4FE2-93B7-8B9694484EA5}{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O17 - HKLM\System\CCS\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer = 83.238.255.76 213.241.79.37
O17 - HKLM\System\CCS\Services\Tcpip…{4EA9B0B6-4E50-4672-96AF-B300E0405FFB}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS1\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O17 - HKLM\System\CS2\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: NameServer = 85.255.114.70,85.255.112.182
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.70 85.255.112.182
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
The FIX.BAT file should look as follows:
Remove the entries listed above in HJT.
To be safe, run SmitRem.
adam9870
(adam9870)
18 January 2007 16:18
#6
New junk in the log:
Delete the folders manually in Safe Mode, and the entries in HJT.
Use Windows Worms Doors Cleaner and change the markers from disable to enable (all markers should be green; if any of them is yellow, leave it alone). A restart is required after using the tool.
When done, please post a new HijackThis log plus one from SilentRunners.
adam9870:
the link doesn't work
It works for me.
http://www.downloads.subratam.org/smitRem.exe