iamx
(Madzia90)
24 November 2007 12:34
#1
Please check my log, because lately my computer has been taking a very long time to start up and shut down, the icons and the toolbar disappear and I have to restart the computer… Spybot detected Virtumonde, which comes back on every system startup, and I don't know how to deal with it. In addition, some files detected by scanners as viruses are not being removed.
Thanks in advance for your help!
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:02, on 2007-11-24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\system32\win32dll.exe
C:\WINNT\system32\xlzxk.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: G DATA WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G DATA AntiVirus Trial\Webfilter\AvkWebIE.dll (file missing)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wind32dll] win32dll.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINNT\system32\xlzxk.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirus Trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\RunServices: [wind32dll] win32dll.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [wind32dll] win32dll.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [wind32dll] win32dll.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house … hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/res … nPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/pl/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: G DATA AntiVirus Proxy (AVKProxy) - Unknown owner - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe (file missing)
O23 - Service: G DATA Scheduler (AVKService) - Unknown owner - C:\Program Files\G DATA AntiVirus Trial\AVK\AVKService.exe (file missing)
O23 - Service: Strażnik AntiVirus (AVKWCtl) - Unknown owner - C:\Program Files\G DATA AntiVirus Trial\AVK\AVKWCtl.exe (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
ComboFix log:
ComboFix 07-11-19.3 - Administrator 2007-11-24 12:36:19.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.113 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
.
Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINNT\Downloaded Program Files\Quarantine
C:\WINNT\system32\ds113n.dll
C:\WINNT\system32\fehjl.ini
C:\WINNT\system32\fehjl.ini2
C:\WINNT\system32\khfcy.exe
C:\WINNT\system32\ljhef.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\nm

((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.
2007-11-24 11:52
2007-11-24 10:57
2007-11-23 23:08 62 --ah----- C:\aaw7boot.cmd
2007-11-23 21:18 24,442 --a------ C:\WINNT\system32\kimbuup.exe
2007-11-23 21:15 24,442 --a------ C:\WINNT\system32\jxrgzsq.exe
2007-11-23 21:05 24,442 --a------ C:\WINNT\system32\idef.exe
2007-11-23 21:00 39,424 --a------ C:\WINNT\system32\rqrommk.dll
2007-11-23 21:00 24,442 --a------ C:\WINNT\system32\imqfmw.exe
2007-11-23 21:00 15,785 --a------ C:\WINNT\system32\ohdqiksr.exe
2007-11-23 20:59 80,676 --a------ C:\WINNT\system32\uxdqop.exe
2007-11-17 16:34
2007-11-17 16:34 32 --a------ C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-11-17 16:30
2007-11-17 16:30
2007-11-17 16:30
2007-11-15 22:58
2007-11-15 19:09
2007-11-15 18:49 41,928 --a------ C:\WINNT\system32\drivers\GDTdiIcpt.sys
2007-11-15 18:48 52,602 --a------ C:\WINNT\system32\interceptor.sys
2007-11-15 18:45
2007-11-15 18:29 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-11-15 18:17
2007-11-15 17:44
2007-11-14 23:47
2007-11-14 23:22
2007-11-14 23:13 442,640 --a------ C:\WINNT\system32\ipnathlp.dll
2007-11-14 23:13 312,592 --a--c--- C:\WINNT\system32\dllcache\NETAPI32.DLL
2007-11-14 23:13 311,296 --a--c--- C:\WINNT\system32\dllcache\winhttp.dll
2007-11-14 23:13 255,248 --a------ C:\WINNT\system32\h323.tsp
2007-11-14 23:13 244,496 -----c--- C:\WINNT\system32\dllcache\winsrv.dll
2007-11-14 23:13 167,184 --a--c--- C:\WINNT\system32\dllcache\wintrust.dll
2007-11-14 23:13 116,496 --a------ C:\WINNT\system32\PSBASE.DLL
2007-11-14 23:13 114,960 --a------ C:\WINNT\system32\scecli.dll
2007-11-14 23:13 61,200 --a--c--- C:\WINNT\system32\dllcache\cryptnet.dll
2007-11-14 23:13 52,496 --a------ C:\WINNT\system32\w32time.dll
2007-11-14 23:12 1,720,560 -----c--- C:\WINNT\system32\dllcache\win32k.sys
2007-11-14 23:12 1,028,880 --a------ C:\WINNT\system32\ntdsa.dll
2007-11-14 23:12 545,040 --a--c--- C:\WINNT\system32\dllcache\CRYPT32.DLL
2007-11-14 23:12 522,512 --a------ C:\WINNT\system32\LSASRV.DLL
2007-11-14 23:12 210,192 --a------ C:\WINNT\system32\kerberos.dll
2007-11-14 23:12 184,080 --a--c--- C:\WINNT\system32\dllcache\WINLOGON.EXE
2007-11-14 23:12 76,048 --a--c--- C:\WINNT\system32\dllcache\cryptsvc.dll
2007-11-13 15:20
2007-11-13 15:08 198,848 --a------ C:\WINNT\system32\MCI32.OCX
2007-11-13 14:43
2007-11-13 14:43
2007-11-13 13:32
2007-11-13 12:52
2007-11-13 10:48
2007-11-13 10:48
2007-11-01 10:03
2007-10-27 09:52
2007-10-25 18:58
2007-10-25 10:26 53,248 --a------ C:\WINNT\bdoscandel.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 22:08 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\XnView
2007-11-23 22:03 --------- d-----w C:\Program Files\foobar2000
2007-11-23 21:20 24,442 ----a-w C:\WINNT\system32\xlzxk.exe
2007-11-23 21:05 24,442 ----a-w C:\WINNT\system32\xzgoxwu.exe
2007-11-23 19:47 24,442 ----a-w C:\WINNT\system32\tqjoaknr.exe
2007-11-21 21:47 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\foobar2000
2007-11-20 19:56 --------- d-----w C:\Program Files\Gadu-Gadu
2007-11-17 15:30 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2007-11-15 17:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 18:24 729,088 ----a-w C:\WINNT\system32\win32dll.exe
2007-11-03 16:39 271 ---h--w C:\Program Files\desktop.ini
2007-11-03 16:39 22,039 ---h--w C:\Program Files\folder.htt
2007-11-01 09:18 --------- d-----w C:\Documents and Settings\xxxxxx\Dane aplikacji\uTorrent
2007-10-10 21:47 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2007-10-10 21:27 --------- d-----w C:\Program Files\Lavasoft
2007-10-10 21:27 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2007-10-10 21:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-10 21:10 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Lavasoft
2007-10-08 06:57 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2007-10-07 21:07 --------- d-----w C:\Program Files\uTorrent
2007-10-07 21:04 --------- d-----w C:\Program Files\Opera
2007-10-07 18:08 --------- d-----w C:\Documents and Settings\xxxxxx\Dane aplikacji\XnView
2007-10-07 17:21 --------- d-----w C:\Documents and Settings\xxxxxx\Dane aplikacji\foobar2000
2006-12-29 17:21 3,792 ----a-w C:\Program Files\INSTALL.LOG
2000-03-21 00:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-04-30 13:56 129,024 ----a-w C:\Program Files\UNWISE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDEFFD4C-B15D-4C79-8500-0ED4CF6AC68B}]
07-11-23 21:00 39424 --a------ C:\WINNT\system32\rqrommk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [07-05-10 15:36]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07-10-07 11:04]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [07-05-03 10:02]
"wind32dll"="win32dll.exe" [07-11-12 19:24 C:\WINNT\system32\win32dll.exe]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [07-11-12 15:48]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50]
"NvCplDaemon"="RUNDLL32.exe" [00-03-21 01:00 C:\WINNT\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [00-03-21 01:00 C:\WINNT\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [06-11-09 15:07]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"nwiz"="nwiz.exe" [06-10-22 11:22 C:\WINNT\system32\nwiz.exe]
"wind32dll"="win32dll.exe" [07-11-12 19:24 C:\WINNT\system32\win32dll.exe]
"Advanced DHTML Enable"="C:\WINNT\system32\xlzxk.exe" [07-11-23 22:20]
"AVKTray"="C:\Program Files\G DATA AntiVirus Trial\AVKTray\AVKTray.exe" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [06-05-10 13:01]
"Windows Explorer"="C:\WINNT\system32\explorer.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"wind32dll"="win32dll.exe" [07-11-12 19:24 C:\WINNT\system32\win32dll.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [00-03-21 01:00 C:\WINNT\system32\internat.exe]
"wind32dll"="win32dll.exe" [07-11-12 19:24 C:\WINNT\system32\win32dll.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-03 11:41:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CDEFFD4C-B15D-4C79-8500-0ED4CF6AC68B}"= C:\WINNT\system32\rqrommk.dll [07-11-23 21:00 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrommk]
rqrommk.dll 07-11-23 21:00 39424 C:\WINNT\system32\rqrommk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\ljhef.dll

R0 avgntmgr;avgntmgr;C:\WINNT\system32\drivers\avgntmgr.sys
R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys
R2 GDTdiInterceptor;GDTdiInterceptor;\??\C:\WINNT\system32\drivers\GDTdiIcpt.sys
S0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
S2 AVKProxy;G DATA AntiVirus Proxy;"C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe"
S2 AVKService;G DATA Scheduler;C:\Program Files\G DATA AntiVirus Trial\AVK\AVKService.exe
S2 AVKWCtl;Strażnik AntiVirus;C:\Program Files\G DATA AntiVirus Trial\AVK\AVKWCtl.exe
S3 GDInterceptor;GDInterceptor;\??\C:\WINNT\system32\interceptor.sys
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 12:43:07
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_394.dat 16384 bytes

scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2007-11-24 12:44:45 - machine was rebooted
.
--- E O F ---
Gutek
(Gutek)
24 November 2007 15:26
#2
Paste into Notepad:
>>File>>Save as… >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– as in this picture –>
(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be created).
After the restart, manually delete the C:\Qoobox folder.
After that, a new log from Combo; before the log:
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
From Notepad's menu: File, Save as, set the extension to "All files", save as FIX.REG, and run this file (double-click).
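
Added example, not part of the original posts: the FIX.REG above rewrites the LSA "Authentication Packages" value, which the ComboFix log shows holding msv1_0 plus C:\WINNT\system32\ljhef.dll. The Python below decodes the hex(7) (REG_MULTI_SZ) data to show what the fix writes and flags entries outside that baseline; the function names, the baseline set and the reconstructed "before" value are assumptions made for illustration.

```python
import re

# Value lines copied from the FIX.REG in the post above ('\' continues the data).
FIX_REG_VALUE = (
    '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n'
    "00"
)
BASELINE = {"msv1_0"}  # assumption: the only entry the posted fix leaves in place


def parse_hex7(reg_value):
    """Return the raw bytes of a .reg 'name=hex(7):...' value."""
    joined = re.sub(r"\\\s*\n\s*", "", reg_value.strip())
    match = re.search(r"=\s*hex\(7\):([0-9a-fA-F,\s]*)$", joined)
    if not match:
        raise ValueError("not a hex(7) (REG_MULTI_SZ) value")
    return bytes(int(tok, 16) for tok in match.group(1).split(",") if tok.strip())


def decode_multi_sz(raw):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE")
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz, as the comma-separated hex used in .reg files."""
    text = "".join(s + "\x00" for s in strings) + "\x00"
    return ",".join(f"{b:02x}" for b in text.encode("utf-16-le"))


def unexpected_packages(strings, baseline=BASELINE):
    """Entries that are not in the baseline (compared case-insensitively)."""
    return [s for s in strings if s.lower() not in baseline]


# Constructed sample: the pre-fix value as the ComboFix log reports it.
BEFORE_VALUE = '"Authentication Packages"=hex(7):' + encode_multi_sz(
    ["msv1_0", r"C:\WINNT\system32\ljhef.dll"]
)

if __name__ == "__main__":
    for label, value in (("before", BEFORE_VALUE), ("after FIX.REG", FIX_REG_VALUE)):
        entries = decode_multi_sz(parse_hex7(value))
        print(f"{label}: {entries} unexpected={unexpected_packages(entries)}")
```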