piter83
(Grohuwka)
3 December 2007 23:45
#1
Hello,
I have a similar problem with ‘carlton’.
I ran SDFix and did what was described above in this thread;
carlton still shows up in the Start bar.
SDFix report:

SDFix: Version 1.116
Run by Administrator on 2007-12-04 at 00:27
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

C:\WINDOWS\system32\Microsoft\backup.ftp Found
C:\WINDOWS\system32\Microsoft\backup.tftp Found

Checking files:

Genuine:

Dummy:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Files copied to SDFix\Backups
Restoring files if backups are found

Final Check:

Genuine:

Dummy:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
C:\Program Files\Common Files\Carlson\carlton - Deleted
C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted
C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted

Folder C:\Program Files\Common Files\Carlson - Removed

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 00:28:51
Windows 5.1.2600 FAT NTAPI

scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 3 Dec 2007 569,856 …SHR — “C:\WINDOWS\Mrshield.exe”

Finished!

And here is the log report:
ComboFix 07-12-02.6 - Piotrek 2007-12-04 0:40:40.7 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.47 [GMT 1:00] Running from: C:\Documents and Settings\Piotrek\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 ))))))))))))))))))))))))))))))) . 2007-12-04 00:30 . 2007-12-04 00:30 2007-12-04 00:30 . 2007-12-04 00:30 45,632 --a------ C:\8e9w3l6u1g1.exe 2007-12-04 00:26 . 2007-12-04 00:26 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:08 . 2007-12-04 00:08 2007-12-04 00:07 . 2007-12-04 00:07 2007-12-04 00:07 . 2007-12-04 00:07 2007-12-03 23:49 . 2007-12-03 23:49 2007-12-03 23:24 . 2007-12-03 23:28 569,856 --a------ C:\WINDOWS\system32\ctk.exe 2007-12-03 19:59 . 2007-12-03 19:59 2007-12-03 19:59 . 2007-12-03 19:59 2007-12-03 19:27 . 2001-08-18 06:24 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-12-03 19:27 . 2001-08-18 06:24 134,144 --a------ C:\WINDOWS\system32\drivers\ks.sys 2007-12-03 19:27 . 2001-10-26 17:30 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax 2007-12-03 19:27 . 2001-08-17 22:01 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-12-03 19:27 . 2001-08-17 22:01 42,752 --a------ C:\WINDOWS\system32\drivers\stream.sys 2007-12-03 19:27 . 2002-11-06 20:00 40,820 --a------ C:\WINDOWS\system32\Syncor11.dll 2007-12-03 19:27 . 2001-10-26 17:27 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2007-12-03 17:57 . 2001-08-17 22:00 159,232 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-12-03 17:57 . 2001-07-24 01:25 122,472 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-12-03 17:57 . 2001-08-18 06:24 79,616 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-12-03 17:57 . 
2001-08-18 06:24 57,472 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-12-03 17:57 . 2001-08-17 22:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-12-03 17:57 . 2001-08-17 21:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-12-03 17:57 . 2001-08-17 22:00 5,632 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-12-03 17:57 . 2001-08-17 22:01 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:52 . 2001-10-26 16:47 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2007-12-03 17:45 . 2003-10-28 11:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys 2007-12-03 17:44 . 2007-12-03 17:44 2007-12-03 17:44 . 2007-12-03 20:30 192 --a------ C:\WINDOWS\winamp.ini 2007-12-03 16:58 . 2007-12-03 16:58 2007-12-03 16:53 . 2007-12-03 16:53 2007-12-03 16:52 . 2007-12-03 16:52 2007-12-03 16:52 . 2005-12-08 13:56 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx 2007-12-03 16:52 . 2005-12-08 13:56 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts 2007-12-03 16:51 . 2007-12-03 16:51 2007-12-03 16:45 . 2004-01-22 19:06 157,696 --a------ C:\WINDOWS\system32\unrar.dll 2007-12-03 16:28 . 2007-12-03 16:28 2007-12-03 16:28 . 2007-12-03 16:28 2007-12-03 16:09 . 2007-12-03 16:09 100,489 --a------ C:\WINDOWS\UninstallFirefox.exe 2007-12-03 16:09 . 2007-12-03 16:12 3,277 --a------ C:\WINDOWS\mozver.dat 2007-12-03 16:09 . 2007-12-03 16:09 0 --a------ C:\WINDOWS\nsreg.dat 2007-12-03 16:05 . 2007-12-03 16:05 2007-12-03 16:02 . 2007-12-03 16:02 2007-12-03 16:02 . 2007-12-03 16:16 569,856 -r-hs---- C:\WINDOWS\Mrshield.exe 2007-12-03 16:02 . 2003-06-18 16:48 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-12-03 16:02 . 2001-10-26 16:47 36,224 --a------ C:\WINDOWS\system32\dllcache\isapnp.sys 2007-12-03 16:01 . 2007-12-03 16:02 569,856 --a------ C:\WINDOWS\system32\jcq.exe 2007-12-03 16:01 . 
2003-04-15 09:59 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS 2007-12-03 16:01 . 2007-12-03 17:56 3,287 --a------ C:\WINDOWS\Ascd_tmp.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-03 23:28 42,496 ----a-w C:\WINDOWS\system32\ftp.exe 2007-12-03 23:28 42,496 ----a-w C:\WINDOWS\system32\dllcache\ftp.exe 2007-12-03 23:28 16,896 ----a-w C:\WINDOWS\system32\tftp.exe 2007-12-03 23:28 16,896 ----a-w C:\WINDOWS\system32\dllcache\tftp.exe 2007-12-03 15:16 133,120 ----a-w C:\WINDOWS\system32\sfc_os.dll 2007-12-03 14:59 --------- d-----w C:\Program Files\Alwil Software 2007-12-03 14:54 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-03 14:51 --------- d-----w C:\Program Files\Usługi online 2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-10-25 17:20] “NvCplDaemon”=“RUNDLL32.exe” [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe] “Smapp”=“C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [2003-05-05 08:57] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 17:29] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2003-12-13 01:50 33792 --a------ C:\Program Files\Winamp\winampa.exe R2 Microsoft register shield;Microsoft register shield;“C:\WINDOWS\Mrshield.exe” . ************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-04 00:41:14 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-04 0:41:28 . — E O F —
Thanks for the help!
Gutek
(Gutek)
4 December 2007 00:16
#2
Paste into Notepad:
>>File>>Save as… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– as in this picture –>
(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, post a new log from Combo.
Scan the file C:\WINDOWS\Mrshield.exe at http://virusscan.jotti.org/
piter83
(Grohuwka)
5 December 2007 08:37
#3
Hello,
the log after dropping in CFScript…
ComboFix 07-12-02.6 - Piotrek 2007-12-05 9:31:38.9 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.90 [GMT 1:00] Running from: C:\Documents and Settings\Piotrek\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Piotrek\Pulpit\CFScript.txt * Created a new restore point FILE C:\8e9w3l6u1g1.exe C:\WINDOWS\system32\ctk.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\8e9w3l6u1g1.exe C:\Program Files\Common Files\Carlson C:\Program Files\Common Files\Carlson\carlton . ((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 ))))))))))))))))))))))))))))))) . 2007-12-05 09:25 . 2007-12-05 09:26 569,856 --a------ C:\WINDOWS\system32\rex.exe 2007-12-04 06:13 . 2007-12-04 06:20 569,856 --a------ C:\WINDOWS\system32\kfg.exe 2007-12-04 00:26 . 2007-12-04 00:26 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:08 . 2007-12-04 00:08 2007-12-04 00:07 . 2007-12-04 00:07 2007-12-04 00:07 . 2007-12-04 00:07 2007-12-03 23:49 . 2007-12-03 23:49 2007-12-03 19:59 . 2007-12-03 19:59 2007-12-03 19:59 . 2007-12-03 19:59 2007-12-03 19:27 . 2001-08-18 06:24 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-12-03 19:27 . 2001-08-18 06:24 134,144 --a------ C:\WINDOWS\system32\drivers\ks.sys 2007-12-03 19:27 . 2001-10-26 17:30 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax 2007-12-03 19:27 . 2001-08-17 22:01 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-12-03 19:27 . 2001-08-17 22:01 42,752 --a------ C:\WINDOWS\system32\drivers\stream.sys 2007-12-03 19:27 . 2002-11-06 20:00 40,820 --a------ C:\WINDOWS\system32\Syncor11.dll 2007-12-03 19:27 . 2001-10-26 17:27 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2007-12-03 17:57 . 
2001-08-17 22:00 159,232 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-12-03 17:57 . 2001-07-24 01:25 122,472 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-12-03 17:57 . 2001-08-18 06:24 79,616 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-12-03 17:57 . 2001-08-18 06:24 57,472 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-12-03 17:57 . 2001-08-17 22:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-12-03 17:57 . 2001-08-17 21:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-12-03 17:57 . 2001-08-17 22:00 5,632 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-12-03 17:57 . 2001-08-17 22:01 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:52 . 2001-10-26 16:47 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2007-12-03 17:45 . 2003-10-28 11:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys 2007-12-03 17:44 . 2007-12-03 17:44 2007-12-03 17:44 . 2007-12-03 20:30 192 --a------ C:\WINDOWS\winamp.ini 2007-12-03 16:58 . 2007-12-03 16:58 2007-12-03 16:53 . 2007-12-03 16:53 2007-12-03 16:52 . 2007-12-03 16:52 2007-12-03 16:52 . 2005-12-08 13:56 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx 2007-12-03 16:52 . 2005-12-08 13:56 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts 2007-12-03 16:51 . 2007-12-03 16:51 2007-12-03 16:45 . 2004-01-22 19:06 157,696 --a------ C:\WINDOWS\system32\unrar.dll 2007-12-03 16:28 . 2007-12-03 16:28 2007-12-03 16:28 . 2007-12-03 16:28 2007-12-03 16:09 . 2007-12-03 16:09 100,489 --a------ C:\WINDOWS\UninstallFirefox.exe 2007-12-03 16:09 . 2007-12-03 16:12 3,277 --a------ C:\WINDOWS\mozver.dat 2007-12-03 16:09 . 2007-12-03 16:09 0 --a------ C:\WINDOWS\nsreg.dat 2007-12-03 16:05 . 2007-12-03 16:05 2007-12-03 16:02 . 2007-12-03 16:02 2007-12-03 16:02 . 2007-12-03 16:16 569,856 -r-hs---- C:\WINDOWS\Mrshield.exe 2007-12-03 16:02 . 
2003-06-18 16:48 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-12-03 16:02 . 2001-10-26 16:47 36,224 --a------ C:\WINDOWS\system32\dllcache\isapnp.sys 2007-12-03 16:01 . 2007-12-03 16:02 569,856 --a------ C:\WINDOWS\system32\jcq.exe 2007-12-03 16:01 . 2003-04-15 09:59 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS 2007-12-03 16:01 . 2007-12-03 17:56 3,287 --a------ C:\WINDOWS\Ascd_tmp.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-05 08:28 42,496 ----a-w C:\WINDOWS\system32\ftp.exe 2007-12-05 08:28 42,496 ----a-w C:\WINDOWS\system32\dllcache\ftp.exe 2007-12-05 08:28 16,896 ----a-w C:\WINDOWS\system32\tftp.exe 2007-12-05 08:28 16,896 ----a-w C:\WINDOWS\system32\dllcache\tftp.exe 2007-12-03 15:16 133,120 ----a-w C:\WINDOWS\system32\sfc_os.dll 2007-12-03 14:59 --------- d-----w C:\Program Files\Alwil Software 2007-12-03 14:54 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-03 14:51 --------- d-----w C:\Program Files\Usługi online 2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-10-25 17:20] “NvCplDaemon”=“RUNDLL32.exe” [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe] “Smapp”=“C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [2003-05-05 08:57] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 17:29] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2003-12-13 01:50 33792 --a------ C:\Program Files\Winamp\winampa.exe R2 Microsoft register shield;Microsoft register shield;“C:\WINDOWS\Mrshield.exe” . ************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-05 09:32:09 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-05 9:32:21 C:\ComboFix3.txt … 2007-12-04 00:41 C:\ComboFix2.txt … 2007-12-05 09:24 . — E O F —
As for the file C:\WINDOWS\Mrshield.exe, I can no longer find it;
after startup, however, it shows up again at C:\8e9w3l6u1g1.exe
Thanks
Gutek
(Gutek)
5 December 2007 13:57
#4
Paste into Notepad:
>>File>>Save as… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– as in this picture –>
(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, post a new log from Combo.
piter83
(Grohuwka)
5 December 2007 14:16
#5
Hello,
at startup it throws a message that it cannot find C:\WINDOWS\Mrshield.exe
I did not delete it; I tried to scan it as you said,
but it has literally vanished!
New log:
ComboFix 07-12-02.6 - Piotrek 2007-12-05 15:12:21.12 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.63 [GMT 1:00] Running from: C:\Documents and Settings\Piotrek\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 ))))))))))))))))))))))))))))))) . 2007-12-05 15:03 . 2007-12-05 15:06 139,264 --a------ C:\WINDOWS\system32\zex.exe 2007-12-05 15:00 . 2007-12-05 15:05 569,856 --a------ C:\WINDOWS\system32\ckd.exe 2007-12-05 10:52 . 2007-12-05 10:52 63 --a------ C:\WINDOWS\system32\i 2007-12-05 10:22 . 2007-12-05 10:22 2007-12-05 10:22 . 2007-12-05 10:22 2007-12-05 10:22 . 2007-12-05 10:22 2007-12-05 10:22 . 2007-12-05 10:22 2007-12-05 10:21 . 2007-12-05 10:27 569,856 --a------ C:\WINDOWS\system32\ryk.exe 2007-12-04 00:26 . 2007-12-04 00:26 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:26 . 2007-12-03 15:47 2007-12-04 00:08 . 2007-12-04 00:08 2007-12-04 00:07 . 2007-12-04 00:07 2007-12-04 00:07 . 2007-12-04 00:07 2007-12-03 23:49 . 2007-12-03 23:49 2007-12-03 19:59 . 2007-12-03 19:59 2007-12-03 19:59 . 2007-12-03 19:59 2007-12-03 19:27 . 2001-08-18 06:24 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-12-03 19:27 . 2001-08-18 06:24 134,144 --a------ C:\WINDOWS\system32\drivers\ks.sys 2007-12-03 19:27 . 2001-10-26 17:30 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax 2007-12-03 19:27 . 2001-08-17 22:01 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-12-03 19:27 . 2001-08-17 22:01 42,752 --a------ C:\WINDOWS\system32\drivers\stream.sys 2007-12-03 19:27 . 2002-11-06 20:00 40,820 --a------ C:\WINDOWS\system32\Syncor11.dll 2007-12-03 19:27 . 2001-10-26 17:27 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2007-12-03 17:57 . 
2001-08-17 22:00 159,232 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-12-03 17:57 . 2001-07-24 01:25 122,472 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-12-03 17:57 . 2001-08-18 06:24 79,616 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-12-03 17:57 . 2001-08-18 06:24 57,472 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-12-03 17:57 . 2001-08-17 22:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-12-03 17:57 . 2001-08-17 21:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-12-03 17:57 . 2001-08-17 22:00 5,632 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-12-03 17:57 . 2001-08-17 22:01 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:56 . 2007-12-03 17:56 2007-12-03 17:52 . 2001-10-26 16:47 36,224 --a------ C:\WINDOWS\system32\drivers\isapnp.sys 2007-12-03 17:45 . 2003-10-28 11:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys 2007-12-03 17:44 . 2007-12-03 17:44 2007-12-03 17:44 . 2007-12-05 15:05 192 --a------ C:\WINDOWS\winamp.ini 2007-12-03 16:58 . 2007-12-03 16:58 2007-12-03 16:53 . 2007-12-03 16:53 2007-12-03 16:52 . 2007-12-03 16:52 2007-12-03 16:52 . 2005-12-08 13:56 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx 2007-12-03 16:52 . 2005-12-08 13:56 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts 2007-12-03 16:51 . 2007-12-03 16:51 2007-12-03 16:45 . 2004-01-22 19:06 157,696 --a------ C:\WINDOWS\system32\unrar.dll 2007-12-03 16:28 . 2007-12-03 16:28 2007-12-03 16:28 . 2007-12-03 16:28 2007-12-03 16:09 . 2007-12-03 16:09 100,489 --a------ C:\WINDOWS\UninstallFirefox.exe 2007-12-03 16:09 . 2007-12-03 16:12 3,277 --a------ C:\WINDOWS\mozver.dat 2007-12-03 16:09 . 2007-12-03 16:09 0 --a------ C:\WINDOWS\nsreg.dat 2007-12-03 16:05 . 2007-12-03 16:05 2007-12-03 16:02 . 2007-12-03 16:02 2007-12-03 16:02 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe 2007-12-03 16:02 . 
2001-10-26 16:47 36,224 --a------ C:\WINDOWS\system32\dllcache\isapnp.sys 2007-12-03 16:01 . 2007-12-03 16:02 569,856 --a------ C:\WINDOWS\system32\jcq.exe 2007-12-03 16:01 . 2003-04-15 09:59 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS 2007-12-03 16:01 . 2007-12-03 17:56 3,287 --a------ C:\WINDOWS\Ascd_tmp.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-05 14:07 42,496 ----a-w C:\WINDOWS\system32\ftp.exe 2007-12-05 14:07 42,496 ----a-w C:\WINDOWS\system32\dllcache\ftp.exe 2007-12-05 14:07 16,896 ----a-w C:\WINDOWS\system32\tftp.exe 2007-12-05 14:07 16,896 ----a-w C:\WINDOWS\system32\dllcache\tftp.exe 2007-12-03 15:16 133,120 ----a-w C:\WINDOWS\system32\sfc_os.dll 2007-12-03 14:59 --------- d-----w C:\Program Files\Alwil Software 2007-12-03 14:54 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-03 14:51 --------- d-----w C:\Program Files\Usługi online 2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-10-25 17:20] “NvCplDaemon”=“RUNDLL32.exe” [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe] “Smapp”=“C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [2003-05-05 08:57] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 17:29] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2003-12-13 01:50 33792 --a------ C:\Program Files\Winamp\winampa.exe . ************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-05 15:12:52 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-05 15:13:05 . — E O F —
edit:
C:\8e9w3l6u1g1.exe still appears
I would format the disk, but that did not help either…
Several times the system shut down abnormally (a countdown from 1:00 and a restart, ‘RCP’ or something like that); Outlook, Firefox and GG also hang sometimes. I don't know whether this is connected, but the system is fresh after a format and it surprises me a bit.
piter83
(Grohuwka)
5 December 2007 17:15
#7
Hello again,
I formatted the disk and installed GG, avast, Mozilla and a codec pack.
Of course C:\8e9w3l6u1g1.exe showed up as well.
Here is the SDFix report:

SDFix: Version 1.117
Run by P on 2007-12-05 at 18:10
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name: Microsoft register shield
Path: “C:\WINDOWS\Mrshield.exe”

Microsoft register shield - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\Mrshield.exe - Deleted

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 18:11:49
Windows 5.1.2600 FAT NTAPI

scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Finished!
piter83
(Grohuwka)
5 December 2007 22:04
#9
Another ‘symptom’:
it throws an error:
debugger detected - please close it down & restart. Win NT Users please note that having WinIce/SoftIce service installed means that you are running a debugger
Also, every now and then the sound drivers seem to crash; for example it won't play music and throws an error, and after a restart it is OK.
A restart also happened a few times (RCP, remote procedure call…) etc.
Is this whole mess caused by this trojan?
Log:
ComboFix 07-12-02.6 - P 2007-12-05 22:50:50.1 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.70 [GMT 1:00] Running from: C:\Documents and Settings\P\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 ))))))))))))))))))))))))))))))) . 2007-12-05 21:56 . 2007-12-05 21:56 2007-12-05 20:53 . 2007-12-05 20:53 2007-12-05 20:28 . 2001-08-18 06:24 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-12-05 20:28 . 2001-08-18 06:24 134,144 --a------ C:\WINDOWS\system32\drivers\ks.sys 2007-12-05 20:28 . 2001-10-26 17:30 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax 2007-12-05 20:28 . 2001-08-17 22:01 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-12-05 20:28 . 2001-08-17 22:01 42,752 --a------ C:\WINDOWS\system32\drivers\stream.sys 2007-12-05 20:28 . 2002-11-06 20:00 40,820 --a------ C:\WINDOWS\system32\Syncor11.dll 2007-12-05 20:28 . 2001-10-26 17:27 4,096 --a------ C:\WINDOWS\system32\ksuser.dll 2007-12-05 18:51 . 2007-12-05 18:51 2007-12-05 18:46 . 2007-12-05 18:46 569,856 -r-hs---- C:\WINDOWS\Mrshield.exe 2007-12-05 18:40 . 2007-12-05 18:46 401,408 --a------ C:\WINDOWS\system32\nkz.exe 2007-12-05 18:09 . 2007-12-05 18:09 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-12-05 20:33 45,632 ----a-w C:\8e9w3l6u1g1.exe 2007-12-05 20:33 42,496 ----a-w C:\WINDOWS\system32\ftp.exe 2007-12-05 20:33 42,496 ----a-w C:\WINDOWS\system32\dllcache\ftp.exe 2007-12-05 20:33 16,896 ----a-w C:\WINDOWS\system32\tftp.exe 2007-12-05 20:33 16,896 ----a-w C:\WINDOWS\system32\dllcache\tftp.exe 2007-12-05 16:52 229,376 ----a-w C:\WINDOWS\system32\xxo.exe 2007-12-05 16:47 --------- d-----w C:\Program Files\Winamp 2007-12-05 16:35 100,489 ----a-w C:\WINDOWS\UninstallFirefox.exe 2007-12-05 16:34 --------- d-----w C:\Program Files\K-Lite Codec Pack 2007-12-05 16:34 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer 2007-12-05 16:33 --------- d-----w C:\Program Files\Gadu-Gadu 2007-12-05 16:25 163,840 ----a-w C:\WINDOWS\system32\ibn.exe 2007-12-05 16:22 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-12-05 16:22 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-12-05 16:22 --------- d-----w C:\Program Files\Analog Devices 2007-12-05 16:20 --------- d-----w C:\Program Files\Alwil Software 2007-12-05 16:17 569,856 ----a-w C:\WINDOWS\system32\xhx.exe 2007-12-05 16:17 133,120 ----a-w C:\WINDOWS\system32\sfc_os.dll 2007-12-05 16:16 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-05 16:13 --------- d-----w C:\Program Files\Usługi online 2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 14:00] “Smapp”=“C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [2003-05-05 08:57] “NvCplDaemon”=“RUNDLL32.exe” [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe] “NvMediaCenter”=“RUNDLL32.exe” [2001-10-26 17:30 C:\WINDOWS\system32\rundll32.exe] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 17:29] [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\system] “DisableTaskMgr”= 1 (0x1) “DisableRegistryTools”= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] “Shell”=“Explorer.exe %WINDIR%\Mrshield.exe” “SFCDisable”=dword:ffffff9d [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2003-12-13 01:50 33792 --a------ C:\Program Files\Winamp\winampa.exe R2 Microsoft register shield;Microsoft register shield;“C:\WINDOWS\Mrshield.exe” *Newly Created Service* - PROCEXP90 . 
************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-05 22:51:20 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-05 22:51:33 . — E O F —
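Added example, not part of the original posts and not output of any tool used in the thread: a Python triage of ComboFix-style text that groups executables sharing one byte size (the logs above list several randomly named .exe files of 569,856 bytes) and flags the Winlogon "Shell", "SFCDisable" and policy values seen in the last log. The sample text is constructed by re-typing values from the thread's logs one entry per line; the function names and the threshold of three copies are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: values re-typed from the logs in this thread,
# one entry per line (the layout ComboFix writes before forum flattening).
SAMPLE_LOG = r'''
2007-12-05 18:46 . 2007-12-05 18:46  569,856  -r-hs----  C:\WINDOWS\Mrshield.exe
2007-12-03 16:01 . 2007-12-03 16:02  569,856  --a------  C:\WINDOWS\system32\jcq.exe
2007-12-03 23:24 . 2007-12-03 23:28  569,856  --a------  C:\WINDOWS\system32\ctk.exe
2007-12-05 16:17  569,856  ----a-w  C:\WINDOWS\system32\xhx.exe
2007-12-05 20:33  42,496  ----a-w  C:\WINDOWS\system32\ftp.exe
2007-12-05 20:33  42,496  ----a-w  C:\WINDOWS\system32\dllcache\ftp.exe
2007-12-04 13:04  837,496  ----a-w  C:\WINDOWS\system32\aswBoot.exe

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe %WINDIR%\Mrshield.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
'''

# "created [. modified]  size  attributes  path" as in the file sections.
FILE_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?'
    r'\s+([\d,]+)\s+(\S+)\s+([A-Za-z]:\\.+)$')
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+)$')


def parse_files(log):
    """Return (size_in_bytes, attributes, path) for every file entry."""
    entries = []
    for raw in log.splitlines():
        m = FILE_RE.match(raw.strip())
        if m:
            entries.append((int(m.group(1).replace(',', '')),
                            m.group(2), m.group(3)))
    return entries


def clone_groups(entries, min_count=3):
    """Group .exe paths by size; keep sizes shared by min_count+ files.

    Heuristic only: identical size suggests copies of one binary, and
    the result is a list of files to hash and scan, not a verdict.
    """
    by_size = defaultdict(list)
    for size, _attrs, path in entries:
        if path.lower().endswith('.exe'):
            by_size[size].append(path)
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_count}


def registry_findings(log):
    """Flag the logon-shell, file-protection and tool-lockout values."""
    findings, key = [], ''
    for raw in log.splitlines():
        # Forum software turned straight quotes into curly ones.
        line = raw.strip().replace('\u201c', '"').replace('\u201d', '"')
        if line.startswith('[HKEY'):
            key = line.strip('[]').lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        in_winlogon = key.endswith('\\winlogon')
        if in_winlogon and name.lower() == 'shell':
            shell = value.strip('"')
            # The stock value is Explorer.exe with nothing appended.
            if shell.lower() != 'explorer.exe':
                findings.append(('winlogon-shell', shell))
        elif in_winlogon and name.lower() == 'sfcdisable':
            if value.lower() not in ('dword:00000000', '0 (0x0)'):
                findings.append(('sfc-disabled', value))
        elif name.lower() in ('disabletaskmgr', 'disableregistrytools'):
            if value.startswith('1'):
                findings.append(('policy-lockout', name))
    return findings


if __name__ == '__main__':
    for size, paths in clone_groups(parse_files(SAMPLE_LOG)).items():
        print(size, paths)
    for finding in registry_findings(SAMPLE_LOG):
        print(finding)
```

On a real log the flattened text has to be split back into one entry per line before these parsers will match.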
Gutek
(Gutek)
6 December 2007 16:52
#10
Download The Avenger. Unpack => run => select the option Input script manually => click the magnifying-glass icon => in the window that opens, paste:
click the Done button => now click the green light => a message should appear; click OK (now restart).
Open Notepad and paste this into it:
File >>> Save as >>> change the extension from TXT to All files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
piter83
(Grohuwka)
6 December 2007 18:47
#11
Up to this point it went according to the instructions, but
after the restart I had no way to do the next part; cmd appeared,
in safe mode as well as in normal mode… nothing else starts.
Am I doing something wrong?
Thanks
Gutek
(Gutek)
6 December 2007 19:16
#12
piter83
(Grohuwka)
6 December 2007 19:41
#13
So should I keep trying with Avenger as you wrote, and it should work?
I pasted that, then restart, and a cmd window appeared…
I had no way to make FIX.REG…?
Gutek
(Gutek)
6 December 2007 19:48
#14
Post a log from Combo; if not, we will remove it another way, with Gmer.
Gutek
(Gutek)
6 December 2007 20:39
#16
Download Gmer
Open Gmer and, in the CMD tab, for the CMD option, paste:
and click Run on the right-hand side.
piter83
(Grohuwka)
6 December 2007 20:52
#17
Done,
after ‘Run’ there was:
DeleteService - parametr nie jest poprawny, then
it threw an error message about Mrshield.exe 0x… (I did not write down the number),
carlton is doing fine.
After the restart, during startup there was a message that it cannot find Mrshield.exe, but carlton is still sitting in the Start bar.
Gutek
(Gutek)
6 December 2007 21:10
#18
Open Gmer and, in the CMD tab, for the CMD option, paste:
and click Run on the right-hand side. The computer should shut down and start up again by itself.
After that, post a new log from Gmer, option 2.
piter83
(Grohuwka)
6 December 2007 21:17
#19
Pasted and ‘run’,
the messages again:
DeleteService - parametr nie jest poprawny, then
it threw an error message about Mrshield.exe
then an automatic restart.
When Windows was starting up,
a message that it cannot find Mrshield.exe
I don't know how to make a log with Gmer;
in the log tab there is only Refresh, but nothing happens :)