Zainfekowany komputer (trojany, virusy) - log

Rapcio (Rapciorek) 2006-06-24 09:03:02 UTC #1

Na moim komputerze dzisiaj zaczeły pojawiać sie trojany i inne virusy, proszę więc o sprawzenie loga.

Logfile of HijackThis v1.99.1

Scan saved at 11:02:10, on 2006-07-25

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\win32host.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\mssvcc.exe

C:\WINDOWS\System32\rwqn.exe

C:\WINDOWS\System32\winsystems.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\DOCUME~1\Jaco\USTAWI~1\Temp\Rar$EX00.125\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [autoclk] autoclk.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [adiras] adiras.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [msconfig38] mssvcc.exe

O4 - HKLM\..\Run: [secures23] mssecure.exe

O4 - HKLM\..\Run: [Windows ASN4 Services] rwqn.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [winsystems25] winsystems.exe

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

O4 - HKLM\..\RunServices: [secures23] mssecure.exe

O4 - HKLM\..\RunServices: [Windows ASN4 Services] rwqn.exe

O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) - 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe

Bieniol (Bbieniol) 2006-06-24 09:11:54 UTC #2

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (jeżeli jakieś znaczki są żółte, to niech takie zostaną). Po użyciu tego narzędzia wymagany jest reset sysa.

Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługe Win32 Kernel Update

Otwórz hijackthis --> open misc tools section --> delete a NT service --> wpisz Win32Kernel i ok

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku (w razie problemów z usuwaniem plików użyj narzędzia KillBox):

Po zabiegach nowy log z Hijacka + log z Silent Runners

Rapcio (Rapciorek) 2006-06-24 09:15:06 UTC #3

Mam 3 znaczki zielone i 2 czerowne x to co mam zrobic?

Bieniol (Bbieniol) 2006-06-24 09:16:22 UTC #4

Zmień czerwone na zielone I zrestartuj komputer

squeet (squeet) 2006-06-24 09:16:35 UTC #5

Użyj przycisku

Rapcio (Rapciorek) 2006-06-24 09:41:49 UTC #6

"Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługe Win32 Kernel Update " Mozesz napisac co mam pokoleji zrobic? iknonka zatrzymaj jest nieaktywna wiec neiwiem co mam zrobic

Bieniol (Bbieniol) 2006-06-24 09:47:37 UTC #7

Możesz to zrobić poprzez: Start --> uruchom --> cmd i wpisać:

sc stop Win32Kernel

sc delete Win32Kernel

Rapcio (Rapciorek) 2006-06-24 09:49:01 UTC #8

Prosze o szybką pomoc gdyż sam probuje sie mi wylonczyc kompter i wyskakuje duzo stron z reklamami

Gutek (Gutek) 2006-06-24 09:50:50 UTC #9

daj log z Silenta - http://forum.dobreprogramy.pl/viewtopic.php?t=36654

Rapcio (Rapciorek) 2006-06-24 09:58:42 UTC #10

" Otwórz hijackthis --> open misc tools section --> delete a NT service --> wpisz Win32Kernel i ok " Wyskakuje mi " Unable to delete service Win32Kernel. Make sure the name is correct and the service is not runing"

Zaraz dam loga z silenta.

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"] "Ooaa" = ""C:\PROGRA~1\COMMON~1\STEM~1\dexplore.exe" -vt yazr" [null data] "fori" = "C:\PROGRA~1\COMMON~1\fori\forim.exe" [empty string] "sys_up1" = "C:\Program Files\Common Files\svchostsys\svchostsys.exe" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string] "autoclk" = "autoclk.exe" [file not found] "WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"] "WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"] "adiras" = "adiras.exe" [file not found] "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data] "DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."] "msconfig38" = "mssvcc.exe" [null data] "secures23" = "mssecure.exe" [file not found] "Windows ASN4 Services" = "rwqn.exe" [null data] "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS] "winsystems25" = "winsystems.exe" [null data] "Win32 Kernel Update" = "C:\WINDOWS\System32\win32update.exe" [null data] "defender" = "c:\dfndra_1.exe" ["."] "keyboard" = "c:\kybrd_1.exe" ["."] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {HKLM...CLSID} = "avast" \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] "{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt" -> {HKLM...CLSID} = "SnagIt" \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"] "{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] "{AA0E2EB3-ADC2-4559-AE7F-D702CE8F5843}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = "C:\WINDOWS\system32\mfxmlr.dll" [null data] "{6660A24A-7278-4A05-B39B-850984213F0E}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = "C:\WINDOWS\system32\agmeter.dll" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! Controls Folder\DLLName = "C:\WINDOWS\system32\mfxmlr.dll" [null data] INFECTION WARNING! MS-DOS Emulation\DLLName = "C:\WINDOWS\system32\agmeter.dll" [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] SnagItMainShellExt(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ SnagItMainShellExt(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Jaco\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS] Startup items in "Jaco" & "All Users" startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found] "{C49DD894-C6DE-4910-8C41-BA20F852D8BC}" -> {HKLM...CLSID} = "Affiliate Beta" \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided) -> {HKLM...CLSID} = "SnagIt" \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"] "{C49DD894-C6DE-4910-8C41-BA20F852D8BC}" = (no title provided) -> {HKLM...CLSID} = "Affiliate Beta" \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {C49DD894-C6DE-4910-8C41-BA20F852D8BC}\ "ButtonText" = "Affiliate Beta" "MenuText" = "Affiliate Beta" "CLSIDExtension" = "{C49DD894-C6DE-4910-8C41-BA20F852D8BC}" -> {HKLM...CLSID} = "Affiliate Beta" \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided) -> {HKLM...CLSID} = "Search Class" \InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string] "{C49DD894-C6DE-4910-8C41-BA20F852D8BC}" = (no title provided) -> {HKLM...CLSID} = "Affiliate Beta" \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."] avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data] avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data] Command Service, cmdService, "C:\WINDOWS\V2F3cnlzemN6dWs\command.exe" [null data] Network Monitor, Network Monitor, "C:\Program Files\Network Monitor\netmon.exe service" [null data] Sunbelt Kerio Personal Firewall 4, KPF4, "C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe" ["Sunbelt Software"] Win32 Kernel Update, Win32Kernel, ""C:\WINDOWS\win32host.exe"" [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 229 seconds, including 13 seconds for message boxes)

Bieniol (Bbieniol) 2006-06-24 10:04:00 UTC #11

Log jest urwany

Poczekaj na komunikat, że log skończony - dopiero wtedy wklej go na forum

Wczesniej wykonaj moje powyższe polecenia

Rapcio (Rapciorek) 2006-06-24 10:09:52 UTC #12

Niemoge tego zrobic gdyż Wyskakuje mi " Unable to delete service Win32Kernel. Make sure the name is correct and the service is not runing"

Zedytowalem i dalem nowego calego loga.

Proszę o dalsze instrukcje.

Złączono Posta : 24.06.2006 (Sob) 12:41

Prosze o pomoc wyskakuje mi coraz wiecej nieznanych mi ikonek nieiwem co mam robic.

Złączono Posta : 24.06.2006 (Sob) 12:44

Prosze o pomoc wyskakuje mi coraz wiecej nieznanych mi ikonek nieiwem co mam robic.

Misq (Miśq) 2006-06-24 16:41:06 UTC #13

Jeśli masz możliwość, to ściągnij EWIDO

Bieniol (Bbieniol) 2006-06-24 16:51:44 UTC #14

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (jeżeli jakieś znaczki są żółte, to niech takie zostaną). Po użyciu tego narzędzia wymagany jest reset sysa.

Otwórz notatnik i wklej w nim to:

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Ooaa"=- "fori"=- "sys_up1"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msconfig38"=- "secures23"=- "Windows ASN4 Services"=- "winsystems25"=- "Win32 Kernel Update"=- "defender"=- "keyboard"=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{AA0E2EB3-ADC2-4559-AE7F-D702CE8F5843}"=- "{6660A24A-7278-4A05-B39B-850984213F0E}"=- [-HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder] [-HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-

Plik --> zapisz jako --> zmień rozszerzenie na wszystkie pliki --> zapisz pod nazwą FIX.REG

Uruchamiasz tryb awaryjny --> Start --> uruchom --> cmd i wpisujesz:

sc stop Win32Kernel

sc delete Win32Kernel

Usuwasz ręcznie z dysku foldery:

C:\PROGRA~1\COMMON~1\ fori

C:\Program Files\Common Files\ svchostsys

Uruchamiasz narzędzie KillBox, zaznaczasz Delete on reboot i All Files , w polu full path of file wklej ścieżkę:

C:\WINDOWS\system32\mfxmlr.dll

C:\WINDOWS\system32\agmeter.dll

C:\PROGRA~1\COMMON~1\STEM~1\dexplore.exe

C:\WINDOWS\System32\mssvcc.exe

C:\WINDOWS\System32\rwqn.exe

C:\WINDOWS\System32\winsystems.exe

C:\WINDOWS\System32\win32update.exe

c:\dfndra_1.exe

c:\kybrd_1.exe

Klikasz X i restart kompa

W trybie awaryjnym odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa

Po zabiegach nowe logi

Oparte na Discourse, najlepiej oglądać z włączonym JavaScriptem