Trojany pobite, ale komp NADAL wymusza restart! - pomocy!

kermorvan · 30 Czerwiec 2006 22:48

Gdy przedwczoraj zaczynałem - mialem trojany, backdoor’y, i adware’y - ponad setkę śmiecia.

Część wyczyściłem dzięki pomocy Gutek2222 (Szacuneczek!

Dziś walczyłem samodzielnie od popołudnia, ale…

Coś nadal fika - bo odpalenie w normalnym trybie konczy się restartem po 20 sekundach od pełnego załadowania Wingrozy XP.

Lager-T wybilem recznie
Duzo smiecia wywalil mi Ewido (naprawde jest niezly…)
SmithFraud’y usunąłem “SmithFraudFix’em” - chyba skutecznie

Obecnie stan zasyfienia testuję Xoftspy oraz Ewido (pokazują SmithFrauda’ - nadal, ale moze już mylnie)

Załadowałem też Kasprzaka do systemu (Avast niestety dał ciała) - i nic nie znajduje

NADAL jednak komputer po kilkunastu sekundach “zrzuca pamięć fizyczną” i sam się wyłącza.

O co chodzi???

Zobaczcie, prosze, co tu jeszcze siedzi?

Log z HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 00:31:02, on 2006-07-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\explorer.exe C:\TOOLS\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM…\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM…\Run: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [!ewido] “C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized O4 - HKLM…\Run: [KAVPersonal50] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize O4 - HKLM…\RunServices: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - HKCU…\Run: [a1cc7d37.exe] C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe O4 - HKCU…\Run: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 1072168578 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Log z Silent Runners:

“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “a1cc7d37.exe” = “C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe” [file not found] “˙_zskWEXJK” = “C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMAXPnP” = “C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” [“Analog Devices, Inc.”] “SoundMAX” = “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray” [“Analog Devices, Inc.”] “IgfxTray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “HotKeysCmds” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “Persistence” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “eabconfg.cpl” = “C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start” ["Hewlett-Packard "] “˙_zskWEXJK” = “C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe” [file not found] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AGRSMMSG” = “AGRSMMSG.exe” [“Agere Systems”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] “!ewido” = ““C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized” [“Anti-Malware Development a.s.”] “KAVPersonal50” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” - {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0” - {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” - {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” - {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\ssstars.scr” [MS] Startup items in “Maciej” “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” - shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”] HP WMI Interface, hpqwmi, “C:\Program Files\HPQ\SHARED\HPQWMI.exe” [“Hewlett-Packard Development Company, L.P.”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] kavsvc, kavsvc, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe”” [“Kaspersky Lab”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Office Source Engine, ose, ““C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE”” [MS] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\mspmsnsv.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 5 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 9 seconds. ---------- (total run time: 40 seconds)

Gutek · 30 Czerwiec 2006 22:56

to nowy syf - http://forum.twojastrefapc.pl/index.php … ic=743&hl= więc pobierz gmera i daj log z niego - http://www.gmer.net/

kermorvan · 30 Czerwiec 2006 23:42

Odpalilem gmer’a

Chyba rozsądnie bedzie jak wstrzymam sie z wcielaniem moich genialnych pomysłow na uzdrowienie kompa - do czasu info zwrotnego na temat nowego diabełka.

Bede wypatrywal wieści.

Ponizej Log (wyłaczylem usmieszki w poscie, zeby wykrzykniki i znaki zapytania sie nie animowaly)

GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-07-01 01:35:11 Windows 5.1.2600 Dodatek Service Pack 2 ---- System - GMER 1.0.10 ---- SSDT kl1.sys ZwOpenFile SYSENTER ? 00810091 ---- Devices - GMER 1.0.10 ---- Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 811D8ADA ---- Services - GMER 1.0.10 ---- Service C:\WINDOWS\pe386.sys (*** hidden *** ) [sYSTEM] pe386 <-- ROOTKIT ! ---- Registry - GMER 1.0.10 ---- Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Enum Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath ??\C:\WINDOWS\pe386.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x90 0x22 0x7F 0x16 … Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1 ---- Files - GMER 1.0.10 ---- File C:\System Volume Information\MountPointManagerRemoteDatabase File C:\System Volume Information\tracking.log File E:\System Volume Information\MountPointManagerRemoteDatabase File E:\System Volume Information\tracking.log ---- EOF - GMER 1.0.10 ----

Gutek · 1 Lipiec 2006 01:41

Jak GMER skończy skanowanie w zakladce Rootkit:

zaznacz wszystkie SSDT i prawy przycisk myszy “Przywróć SSDT”( maja zniknąć wszystkie wpisy typu SSDT )
następnie zaznacz

Service C:\WINDOWS\pe386.sys (*** hidden *** ) [sYSTEM] pe386 <-- ROOTKIT !i prawym myszy wybierasz usuń usługe. 3. w zakładce CMD wklej: DEL D:\WINDOWS\System32\pe386.sys 4. w zakładce REGEDIT wklej: Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pe386] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pe386] [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pe386] [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386] 5. w Procesy opcja Zabij wszystko wybierz powrót do zakładki CMD i dla obu opcji (CMD + REGEDIT) klikasz Uruchom i restart, daj nowe logi z HJT, Silenta i GMERA Jeśli w Gmer nie zadziała opcja Zabij wszystko to użyj opcji w zakładce procesy - AWARYJNY. I powtórz usuwanie.

kermorvan · 1 Lipiec 2006 12:31

Szybkie pytanko:

Czy chodziło Ci powyżej o wklejenie w troche innym brzmieniu:

?

Nie wiem czy to istotne, ale gmer po usunięciu usługi - zanim doszedlem do CMD - sam zapytał czy skasowac rowniez plik C:\WINDOWS\pe386.sys - moze wiec juz to zrobil?

system · 1 Lipiec 2006 13:08

Tak komenda ma być taka

To zapuść szukanie jeszcze raz i zobaczysz czy są wpisy.

No i najpierw wklej w zakładke regedit i usuwaj klucze. Albo po usuwaniu wklej log na forum z Gmer

kermorvan · 1 Lipiec 2006 13:19

Chyba jest NIEŹLE!

Po kolei:

HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 14:46:45, on 2006-07-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxsrvc.exe C:\TOOLS\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM…\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM…\Run: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [!ewido] “C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized O4 - HKLM…\Run: [KAVPersonal50] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize O4 - HKLM…\RunServices: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - HKCU…\Run: [a1cc7d37.exe] C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe O4 - HKCU…\Run: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 1072168578 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Silent Runners:

“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “a1cc7d37.exe” = “C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe” [file not found] “˙_zskWEXJK” = “C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMAXPnP” = “C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” [“Analog Devices, Inc.”] “SoundMAX” = “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray” [“Analog Devices, Inc.”] “IgfxTray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “HotKeysCmds” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “Persistence” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “eabconfg.cpl” = “C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start” ["Hewlett-Packard "] “˙_zskWEXJK” = “C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe” [file not found] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AGRSMMSG” = “AGRSMMSG.exe” [“Agere Systems”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] “!ewido” = ““C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized” [“Anti-Malware Development a.s.”] “KAVPersonal50” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\ssstars.scr” [MS] Startup items in “Maciej” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”] HP WMI Interface, hpqwmi, “C:\Program Files\HPQ\SHARED\HPQWMI.exe” [“Hewlett-Packard Development Company, L.P.”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] kavsvc, kavsvc, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe”” [“Kaspersky Lab”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Office Source Engine, ose, ““C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE”” [MS] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\mspmsnsv.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 25 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 8 seconds. ---------- (total run time: 62 seconds)

oraz log z GMER’a

GMER - alez to jest poteżna bestia - rewelacja! :o :o :o

Sprzecik od 10 minut dziala w trybie normalnym! Działa!!

Jak dotąd - jest spoko!

Aż mam stresa zapytać, czy to już…?

Jak to teraz wygląda od srodka? Patrząc na logi?

InfinityToJa · 1 Lipiec 2006 13:22

w hjt a waryjnym skasuj:

gmer czysty

kermorvan · 1 Lipiec 2006 13:58

OK

Strasznie Wam dziękuję!

Przy Waszej pomocy wszystko dziala teraz jak należy - i obyło się bez formatowania

Zabezpieczenia pozostawiam aktywnymi (na razie Kasperski i Ewido + Xoftspy do skanowania) - mam nadzieje, ze moja kumpela (właścicielka hospitalizowanego laptopa) bedzie się bardziej pilnować.

Jeszcze raz - WIELKIE DZIĘKI!

Gutek · 1 Lipiec 2006 14:33

Daj log z Hijacka

kermorvan · 4 Lipiec 2006 16:50

Cześć

Powróciłem z niebytu - nie mialem jak wczesniej podkleic ostateczne logi z systemu:

A wiec - wygląda to tak (logi generowane w trybie awaryjnym - mam nadzieje ze nadal takie mialy byc):

HijackThis:

Logfile of HijackThis v1.99.1 Scan saved at 16:30:36, on 2006-07-03 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\TOOLS\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM…\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM…\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM…\Run: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [!ewido] “C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized O4 - HKLM…\Run: [KAVPersonal50] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize O4 - HKLM…\RunServices: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - HKCU…\Run: [˙_zskWEXJK] C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 1072168578 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Błyskawiczny Silent Runners:

“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “˙_zskWEXJK” = “C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMAXPnP” = “C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe” [“Analog Devices, Inc.”] “SoundMAX” = “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray” [“Analog Devices, Inc.”] “IgfxTray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “HotKeysCmds” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “Persistence” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “eabconfg.cpl” = “C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start” ["Hewlett-Packard "] “˙_zskWEXJK” = “C:\WINDOWS\system32_zskwrkni05DOBLKX]PQ[\KJXEW.exe” [file not found] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AGRSMMSG” = “AGRSMMSG.exe” [“Agere Systems”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] “!ewido” = ““C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized” [“Anti-Malware Development a.s.”] “KAVPersonal50” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\ssflwbox.scr” [MS] Startup items in “Maciej” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”] HP WMI Interface, hpqwmi, “C:\Program Files\HPQ\SHARED\HPQWMI.exe” [“Hewlett-Packard Development Company, L.P.”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] kavsvc, kavsvc, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe”” [“Kaspersky Lab”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Office Source Engine, ose, ““C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE”” [MS] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\mspmsnsv.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 23 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 8 seconds. ---------- (total run time: 62 seconds)

oraz krotki log z niesamowitego GMER’a:

Chyba ok?

Jedyne co mi sie wydaje podejrzane, to powracający, mimo wczesniejszego conajmniej dwukrotnego usuwania, ten oto wpis w HijackThis:

O4 - HKLM\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

Usuwalismy go wczesniej - wiec dziwi mnie ze znowu jest widoczny

Ale moze tak ma juz być?

P.J.

InfinityToJa · 4 Lipiec 2006 16:54

zostały tylko wpisy w rejestrze

Otwórz notatnik i wklej:

Plik>>>zapisz jako>>zmień rozszerzenie z .txt na wszystkie pliki>>>zapisz pod nazwą FIX.REG i uruchom w trybie awaryjnym

a jeśli to nie pomoże to start>>>uruchom>>>regedit>>>przejdź do tych kluczy i skasuj wartości ˙_zskWEXJK

ps. gmer czysty