I can't delete spoolsvv.exe


(Pawcio 1) #1

And what do I have to do?


(Gutek) #2

If you don't know, don't post.

Remove the HJT entries. Start >>> Run >>> services.msc >>> stop and disable Microsoft authenticate service and Card Adapter

Use Pocket Killbox. Tick the Delete on Reboot and All Files options and paste these paths into the Full Path of File to Delete field:

C:\WINNT\system32\spoolsvv.exe

C:\DOCUME~1\Kamila\USTAWI~1\Temp\woso.exe

C:\WINNT\system32\msasvc.exe

C:\WINNT\vcd1.exe

and press the red X. The program will ask to reboot the machine ... so reboot.

Post a ComboFix log.
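The "Delete on Reboot" option that Gutek describes relies on a standard Windows mechanism: MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag appends the path to the PendingFileRenameOperations value under the Session Manager key, and the file is removed early at the next boot, before the process that locks it can start. The following Python script is an added example and not part of this thread or of Pocket Killbox; it builds the same registry entries Killbox would queue, schedules the deletion through the real kernel32 call when run on Windows, and decodes an existing PendingFileRenameOperations value so a responder can check what is already queued (malware abuses the same value to swap files at boot). The function and variable names are mine; the key, value and flag names are the documented Windows ones.

```python
import sys
from typing import List, Optional, Tuple

# Registry location that the session manager processes at boot. Each operation
# is a pair of strings in the REG_MULTI_SZ value: source, then destination.
# An empty destination means "delete the source".
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # flag value from winbase.h

NT_PREFIX = "\\??\\"                 # kernel object-manager form of a drive path


def to_nt_path(win_path: str) -> str:
    """C:\\WINNT\\x.exe -> \\??\\C:\\WINNT\\x.exe (the form stored in the value)."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def from_nt_path(nt_path: str) -> str:
    """Inverse of to_nt_path; also drops the '!' that marks replace-existing."""
    p = nt_path.lstrip("!")
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def pending_delete_entries(paths: List[str]) -> List[str]:
    """Build the multi-string list that schedules deletion of every path.

    This is what the kernel32 call below writes; having it as a pure function
    lets a responder compare a live value against what a cleanup tool queued.
    """
    out: List[str] = []
    for p in paths:
        out.append(to_nt_path(p))
        out.append("")          # empty destination == delete
    return out


def describe_pending(multi_sz: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Decode a PendingFileRenameOperations value into (action, src, dst) tuples."""
    ops: List[Tuple[str, str, Optional[str]]] = []
    for i in range(0, len(multi_sz) - 1, 2):
        src, dst = multi_sz[i], multi_sz[i + 1]
        if dst == "":
            ops.append(("delete", from_nt_path(src), None))
        else:
            ops.append(("rename", from_nt_path(src), from_nt_path(dst)))
    return ops


def schedule_delete_on_reboot(paths: List[str]) -> int:
    """Queue each path for deletion at next boot via MoveFileExW (Windows only).

    Returns the number of paths queued; raises on the first failure so a half
    applied cleanup is visible rather than silent.
    """
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    kernel32.MoveFileExW.restype = wintypes.BOOL
    queued = 0
    for p in paths:
        # NULL destination + delay flag == delete at boot; 8.3 short names are accepted.
        if not kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError(ctypes.get_last_error())
        queued += 1
    return queued


if __name__ == "__main__":
    # The four paths Gutek listed in the thread, as they would be queued.
    targets = [
        r"C:\WINNT\system32\spoolsvv.exe",
        r"C:\DOCUME~1\Kamila\USTAWI~1\Temp\woso.exe",
        r"C:\WINNT\system32\msasvc.exe",
        r"C:\WINNT\vcd1.exe",
    ]
    for action, src, dst in describe_pending(pending_delete_entries(targets)):
        print(action, src, dst or "")
```

Running the script only prints the decoded queue; schedule_delete_on_reboot is the part that needs an elevated Windows session and should be run after the services that launch these binaries have been stopped, as the post above says, so that the files are not recreated before the reboot.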


(Pawcio 1) #3

I tried everything you wrote, but some entries in HijackThis unfortunately remained... Current logs:

"Administrator" - 2007-06-03 22:01:46 Service Pack 4  

ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Kamila\Pulpit\"



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



"C:\WINNT\system32\dlh9jkd1q8.exe"

"C:\WINNT\system32\dlh9jkd1q7.exe"

"C:\WINNT\system32\kernels88.exe"

"C:\DOCUME~1\KAMILA\DANEAP~1\Install.dat"

"C:\WINNT\system32\wnscpsu.exe"

"C:\DOCUME~1\Kamila\DANEAP~1\Microsoft\2236.dat"

"C:\WINNT\system32\info.txt"

"C:\WINNT\system32\svcp.csv"

"C:\WINNT\system32\vx.tll"

"C:\WINNT\system32\winsub.xml"

"C:\WINNT\system32\zlbw.dll"

"C:\WINNT\comdlj32.dll"

"C:\WINNT\dembat.tm"

"C:\WINNT\desktop.html"

"C:\WINNT\emdat.tm"

"C:\WINNT\emdat.tmp"

"C:\WINNT\hook.txt"

"C:\WINNT\ie-hook.txt"

"C:\WINNT\system32\spoolsvv.sys"



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))



-------\LEGACY_NETDOWN

-------\Driver

-------\NETDown



((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))



2007-05-25 14:31	302	--a------	C:\fix.reg

2007-05-25 09:13

[code]
Logfile of HijackThis v1.99.1
Scan saved at 22:07:53, on 2007-06-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
D:\Programy\QuickTime\qttask.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\PLANET WL-8313\WLANMON.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programy\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Global Startup: WL-8313 Configuration Utility.lnk = C:\Program Files\PLANET WL-8313\WLANMON.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Programy\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8086BBDA-5C8E-4864-A4F8-EE34866206E4}: NameServer = 192.168.1.2
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
[/code]
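The entries the helpers act on in the next post are the two O20 Winlogon Notify DLLs loaded from under Documents and Settings, a location no legitimate Winlogon notification package lives in, plus the O23 services whose binaries are already gone. Picking those out of a HijackThis log by hand is routine but error-prone, so here is an added Python triage script (not part of the thread and not a HijackThis feature) that parses the O4/O20/O23 lines and flags exactly those conditions. The rules and all names in it are mine; the sample input is a handful of lines copied from the log above, labelled as a constructed sample so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted in the
# thread (not the whole log), enough to exercise every rule below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""


@dataclass
class Entry:
    section: str           # HijackThis section tag, e.g. "O20"
    name: Optional[str]    # entry name as HJT prints it, when recognised
    path: Optional[str]    # first drive-letter path on the line, if any
    raw: str               # the original line


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


SECTION_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s*-\s*(.*)$")
# First "X:\...\name.ext" on the line; stops at the first extension we care about.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cab|htm|html)', re.IGNORECASE)
NAME_PATTERNS = {
    "O4": re.compile(r"\[([^\]]+)\]"),                    # [SoundMan]
    "O20": re.compile(r"Winlogon Notify:\s*(\S+)\s+-"),    # botreg
    "O23": re.compile(r"Service:\s*(.+?)\s+-\s"),          # display name (short)
}

# Only these directories are expected to host Winlogon notification DLLs.
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")
# Autostart targets here are writable by an ordinary user and rarely legitimate.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")


def parse_hjt(text: str) -> List[Entry]:
    """Turn the O/R/F/N lines of a HijackThis log into Entry objects."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue   # header, running-process list, blank line
        section, rest = m.group(1), m.group(2)
        name = None
        name_re = NAME_PATTERNS.get(section)
        if name_re:
            nm = name_re.search(rest)
            name = nm.group(1) if nm else None
        pm = PATH_RE.search(rest)
        entries.append(Entry(section, name, pm.group(0) if pm else None, line))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the three rules; an entry may collect more than one reason."""
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        low = (e.path or "").lower()
        if e.section == "O20" and low and not any(d in low for d in SYSTEM_DIRS):
            reasons.append("Winlogon Notify DLL loaded from outside system32")
        if e.section in ("O4", "O20", "O23") and any(d in low for d in USER_WRITABLE):
            reasons.append("autostart target lives in a user-writable location")
        if e.section == "O23" and "(file missing)" in e.raw.lower():
            reasons.append("service entry points at a file that no longer exists")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def report(text: str) -> str:
    """One line per flagged entry: section, name, and the reasons it tripped."""
    return "\n".join(
        f"{f.entry.section} {f.entry.name or '?'}: {'; '.join(f.reasons)}"
        for f in triage(parse_hjt(text))
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample the report lists botreg and winsys2freg (both rules one and two) and the bdss service (rule three); the Ati and BitDefender Run entries pass. The "file missing" rule deliberately reports an orphaned antivirus service too: after a cleanup it is worth knowing which O23 entries are leftovers rather than active code.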


(Heniu133) #4

Download The Avenger,

unpack > run > Input script manually > click the magnifying glass > paste into the newly opened window:

After pasting > Done > click the green light > OK and there will be a restart.

New ComboFix log


(Pawcio 1) #5

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\hdeatowt


*******************


Script file located at: \??\C:\aqoqrpej.txt

Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


File C:\WINNT\comdlg64.dll deleted successfully.

File C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll deleted successfully.

File C:\Documents and Settings\All Users\Dokumenty\Settings\bot.dll deleted successfully.

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg deleted successfully.

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

"Administrator" - 2007-06-08 9:54:17 Service Pack 4

(Joan Sunshine) #6

It's OK.


(Pawcio 1) #7

Thank you very much :slight_smile: