How to remove the Trojan "SpamTool.Win32.Agent.u" (log)

I have a problem: a Trojan, “SpamTool.Win32.Agent.u”, has crept onto my system and I can't remove it. My antivirus program, Kaspersky Internet Security 6.0 (30-day version), won't remove it.

Run LSP-Fix, tick “I know what I’m doing”, then in the Keep box select the file hgaidhk.dll, move it to the Remover box with the arrow (>>) and click Finish.

Post a log from Combofix.

I did as you said, but when I open Combofix nothing happens; a blue window appears and disappears.

Have a read:

http://www.searchengines.pl/phpbb203/in … opic=86306

Alternatively, instead of the ComboFix log, show a log from Deckard’s System Scanner (DSS), formerly known as ComboScan.

Unfortunately that doesn't work either; I can't make a log with it.

In that case, check whether you can produce log number 1 in the L2Mfix tool, and if so, make it and paste it here. Description:

http://cybertrash.pl/images/tata/L2MFIX.html

Here you go…

Use Pocket Killbox. Select the Delete on Reboot and All Files options, and in the Full Path of File to Delete field paste the paths

C:\WINDOWS\System32\acbfa7_s.dll

C:\WINDOWS\System32\hgaidhk.dll

and press the red X. The program will ask to restart the computer … so restart it.

Here are the logs after performing this operation.

It's OK now.

Again I don't know what's going on: my antivirus shows that I have Malware: “SpamTool.Win32.Agent.u” File: C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS. What should I do about it?

Post logs from HiJack This and Silent Runners.

Scan the PC with AVG Antispyware after updating it, then paste the report on the forum.

The logs are done, here they are:

1. HiJack This

Logfile of HijackThis v1.99.1

Scan saved at 12:54:22, on 2007-05-22

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\Explorer.EXE

C:\windows\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\windows\system32\nvsvc32.exe

C:\windows\System32\svchost.exe

C:\windows\system32\wscntfy.exe

C:\windows\System32\svchost.exe

D:\gg8\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Documents and Settings\mm\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\G DATA\AntiVirus 2007\AVK\AVKWCtl.exe (file missing)

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe (file missing)

O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe (file missing)

O23 - Service: Panda IManager Service (PSIMSVC) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe (file missing)

2. Silent Runners

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup" [MS]

"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch5 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["FlashGet"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"

  -> {HKLM...CLSID} = "WebCheck"

                   \InProcServer32\(Default) = "%system%\webcheck.dll" [file not found]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"

  -> {HKLM...CLSID} = "Statystyki ochrony WWW"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

  -> {HKLM...CLSID} = "WebCheck"

                   \InProcServer32\(Default) = "%system%\webcheck.dll" [file not found]


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"aswBoot.exe /M:13067298" [file not found]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]

MyPhoneExplorer\(Default) = "{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}"

  -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"

                   \InProcServer32\(Default) = "C:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\mm\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 20 - 21



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

(unwritable string)


Missing lines (compared with English-language version):

[Version]: 2 lines

[RestoreHomePage]: 1 line

[RestoreHomePage.reg]: 1 line

[RestoreBrowserSettings.reg]: 12 lines

[DeleteTemplates.reg]: 5 lines

[DeleteAutosearch.reg]: 1 line

[Strings]: 1 line

[RestoreBrowserSettings]: 2 lines

[Strings]: 3 lines



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\windows\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Monitor języka PJL\Driver = "PJLMON.DLL" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 131 seconds, including 18 seconds for message boxes)

3. AVG Anti-Spyware - Scan Report

Created at:13:46:08 2007-05-22


 + Scan result:	




C:\System Volume Information\_restore{525BA900-2957-47F5-950F-E0C80DFF4374}\RP589\A0724776.dll -> Backdoor.Ghost.34 : No action taken.

C:\System Volume Information\_restore{525BA900-2957-47F5-950F-E0C80DFF4374}\RP588\A0721205.exe -> Downloader.Small.cyn : No action taken.

C:\System Volume Information\_restore{525BA900-2957-47F5-950F-E0C80DFF4374}\RP589\A0724472.exe/Setup.exe -> Dropper.Agent.asf : No action taken.

C:\cp2650.nls -> Not-A-Virus.SpamTool.Win32.Agent.u : No action taken.

C:\Documents and Settings\mm\Cookies\mm@3.adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.

C:\Documents and Settings\mm\Cookies\mm@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.

C:\Documents and Settings\mm\Cookies\mm@ad.adocean[2].txt -> TrackingCookie.Adocean : No action taken.

C:\Documents and Settings\mm\Cookies\mm@gde.adocean[1].txt -> TrackingCookie.Adocean : No action taken.

C:\Documents and Settings\mm\Cookies\mm@gg.adocean[2].txt -> TrackingCookie.Adocean : No action taken.

C:\Documents and Settings\mm\Cookies\mm@my.adocean[1].txt -> TrackingCookie.Adocean : No action taken.

C:\Program Files\jv16 PowerTools\Backups\001B53\mm@idg.adocean[1].txt -> TrackingCookie.Adocean : No action taken.

C:\Program Files\jv16 PowerTools\Backups\002147\mm@www.etracker[1].txt -> TrackingCookie.Etracker : No action taken.

C:\Documents and Settings\mm\Cookies\mm@hit.gemius[1].txt -> TrackingCookie.Gemius : No action taken.

C:\Documents and Settings\mm\Cookies\mm@search.live[1].txt -> TrackingCookie.Live : No action taken.

C:\Documents and Settings\mm\Cookies\mm@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.

C:\Documents and Settings\mm\Cookies\mm@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.

C:\Program Files\jv16 PowerTools\Backups\001C21\mm@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.

C:\System Volume Information\_restore{525BA900-2957-47F5-950F-E0C80DFF4374}\RP591\A0726050.dll -> Trojan.Vqten : No action taken.

C:\Documents and Settings\mm\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ATC12PMJ\flash_detector[1].js -> Worm.Graz : No action taken.

C:\Documents and Settings\mm\Ustawienia lokalne\Temporary Internet Files\Content.IE5\EQ25P98Q\flash_detector[1].js -> Worm.Graz : No action taken.

C:\Documents and Settings\mm\Ustawienia lokalne\Temporary Internet Files\Content.IE5\EQ25P98Q\flash_detector[2].js -> Worm.Graz : No action taken.

C:\Documents and Settings\mm\Ustawienia lokalne\Temporary Internet Files\Content.IE5\G9S9MN0H\flash_detector[1].js -> Worm.Graz : No action taken.

marcin777, turn System Restore off and back on; AVG should handle the rest. :wink:

Open Notepad and paste this into it:

File -> Save as -> change the file type to All files -> save under the name FIX.REG

Run the FIX.REG file, confirm adding it to the registry, and restart the computer :slight_smile:

Clean the registry – use jv16 PowerTools 2006 1.5.2.344 for this.

Decide on one antivirus program; the rest should be removed.

Notepad can't be started because the whole Start menu has disappeared; there are empty folders.

And it keeps detecting “SpamTool.Win32.Agent.u” all the time.

zostanie usunięty podczas uruchamiania komputera: szkodliwe oprogramowanie SpamTool.Win32.Agent.u Plik: C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS DOM\DOM100$ localhost

usunięto: szkodliwe oprogramowanie SpamTool.Win32.Agent.u Plik: C:\cp1388.nls//PE_Patch.UPX//UPX DOM\DOM100$ localhost

Post a log from Combofix.

"mm" - 2007-05-22 18:48:26 Dodatek Service Pack 2

It's OK now, you can

Open Notepad and paste this into it:

File >>> Save as >>> change the file type from TXT to All files >>> save under the name FIX.REG >>> double-click the created file and confirm >>> restart the computer

Unfortunately this doesn't help at all; the same thing happens every time the computer starts.