daniel (posted 16 September 2012)

For some time now AVAST has been reporting every few moments:

Malicious software blocked!
avast! File System Shield has blocked a threat. No further action is required.
Object: C:\Windows\Installer\...\00000001@
Infection: Win32:Trojan-gen
Process: C:\Windows\system32\services.exe

and two other messages reporting infections with win64:sirefef-a trj and win32:sirefef-ao rtk. I have a 32-bit Windows Vista operating system. I have never dealt with this before, so I am asking for help.

Attachments: Extras.Txt, OTL.Txt, gmer.txt
picasso (posted 16 September 2012)

Additional scans are needed:

1. Run SystemLook and paste into its window:

:reg
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
:filefind
services.exe

Click Look.

2. Also produce a log from Farbar Service Scanner.
daniel (posted 16 September 2012)

Thank you for the quick reply.

SystemLook 30.07.11 by jpshortstuff
Log created at 15:57 on 16/09/2012 by JaDowity
Administrator - Elevation successful

========== reg ==========

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]
@="Microsoft WBEM New Event Subsystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="%systemroot%\system32\wbem\wbemess.dll"
"ThreadingModel"="Both"

========== filefind ==========

Searching for "services.exe"
C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe  --a---- 279552 bytes  [09:33 13/04/2010]  [06:27 11/04/2009]  D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe  --a---- 279040 bytes  [22:08 19/07/2008]  [07:33 19/01/2008]  5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe  --a---- 279552 bytes  [08:35 02/11/2006]  [09:45 02/11/2006]  329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe  --a---- 279040 bytes  [22:08 19/07/2008]  [07:33 19/01/2008]  2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-

Farbar Service Scanner Version: 06-08-2012
Ran by JaDowity (administrator) on 16-09-2012 at 16:05:05
Running from "C:\Users\JaDowity\Downloads"
Windows Vista Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll [2008-07-20 00:07] - [2008-01-19 09:34] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D
C:\Windows\system32\Drivers\afd.sys [2011-06-16 19:33] - [2011-04-21 15:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys [2010-08-13 06:47] - [2010-06-16 17:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9
C:\Windows\system32\dnsrslvr.dll [2011-04-15 21:38] - [2011-03-02 16:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D
C:\Windows\system32\mpssvc.dll [2008-07-20 00:09] - [2008-01-19 09:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B
C:\Windows\system32\bfe.dll [2008-07-20 00:08] - [2008-01-19 09:33] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe [2008-07-20 00:09] - [2008-01-19 09:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23
C:\Windows\system32\wscsvc.dll [2008-07-20 00:08] - [2008-01-19 09:37] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C
C:\Windows\system32\wbem\WMIsvc.dll [2008-07-20 00:07] - [2008-01-19 09:36] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll [2008-07-20 00:09] - [2008-01-19 09:36] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D
C:\Windows\system32\es.dll [2008-08-13 06:26] - [2008-04-18 07:48] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465
C:\Windows\system32\cryptsvc.dll [2008-07-20 00:07] - [2008-01-19 09:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll [2008-07-20 00:07] - [2008-01-19 09:34] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll [2009-06-29 02:07] - [2009-03-03 06:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830

**** End of log ****
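The SystemLook filefind block in the post above is the decisive finding of this thread: C:\Windows\System32\services.exe has exactly the size (279040 bytes) and both timestamps of the pristine 6.0.6001.18000 copy in WinSxS, yet a different MD5 (5DC3... against 2B33...), which is what an in-place patch of a system binary looks like. The Python script below is an added example, not code from the thread or from the SystemLook tool: it parses filefind output and compares the live System32 copy with the component-store copy that has matching size and timestamps, which is the copy SFC would restore. Both sample inputs are constructed from the logs posted in this thread (the repaired log posted on 18/09 differs only in the System32 hash).

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the SystemLook "filefind" block posted on 16/09 (before the
# sfc repair), reflowed one entry per line. Real SystemLook output separates the fields
# with tabs; the regex below accepts any run of whitespace so both forms parse.
BEFORE_FIX = r"""
Searching for "services.exe"
C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [09:33 13/04/2010] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe --a---- 279040 bytes [22:08 19/07/2008] [07:33 19/01/2008] 5DC3C54FC22BBB6F66C290C7C0384DF9
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [08:35 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [22:08 19/07/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
-= EOF =-
"""
# The 18/09 log (after "sfc /scanfile") is identical except for the System32 hash.
AFTER_FIX = BEFORE_FIX.replace("5DC3C54FC22BBB6F66C290C7C0384DF9", "2B336AB6286D6C81FA02CBAB914E3C6C")

# One filefind entry: path, attribute flags, size, two bracketed timestamps, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<attrs>[-\w]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<time1>[^\]]*)\]\s+\[(?P<time2>[^\]]*)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Component-store directory names carry the servicing version, e.g. _6.0.6001.18000_
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_filefind(text: str) -> List[Dict[str, object]]:
    """Turn SystemLook filefind lines into dicts; lines that are not entries are ignored."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e: Dict[str, object] = dict(m.groupdict())
        e["size"] = int(m.group("size"))
        e["md5"] = m.group("md5").upper()
        v = VERSION_RE.search(m.group("path"))
        e["version"] = v.group(1) if v else None
        entries.append(e)
    return entries


def assess_live_copy(text: str, live_path: str = r"C:\Windows\System32\services.exe") -> Dict[str, Optional[str]]:
    """Compare the live System32 binary with the WinSxS copy it was installed from.

    The component store keeps one pristine copy per servicing version. The WinSxS copy
    with the same size and the same two timestamps as the live file is the one SFC would
    restore, so its hash is the reference. Same size and timestamps but a different hash
    is the signature of an in-place patch, which is how this thread's Sirefef sample hid
    inside services.exe.
    """
    entries = parse_filefind(text)
    live = next((e for e in entries if str(e["path"]).lower() == live_path.lower()), None)
    if live is None:
        return {"verdict": "missing", "live_md5": None, "reference_version": None, "reference_md5": None}
    twins = [
        e for e in entries
        if "\\winsxs\\" in str(e["path"]).lower()
        and e["size"] == live["size"]
        and (e["time1"], e["time2"]) == (live["time1"], live["time2"])
    ]
    if not twins:
        return {"verdict": "no_reference", "live_md5": str(live["md5"]),
                "reference_version": None, "reference_md5": None}
    twin = twins[0]
    verdict = "clean" if twin["md5"] == live["md5"] else "patched"
    return {"verdict": verdict, "live_md5": str(live["md5"]),
            "reference_version": twin["version"], "reference_md5": str(twin["md5"])}


if __name__ == "__main__":
    for label, sample in (("before sfc", BEFORE_FIX), ("after sfc", AFTER_FIX)):
        print(label, assess_live_copy(sample))
```

The size-and-timestamp match is deliberately strict: the 6.0.6000.16386 copy and the SP2 copy staged under SoftwareDistribution are different builds and are never used as a reference. On the machine itself the equivalent check without repair is `sfc /verifyfile=C:\Windows\System32\services.exe`; the script is for reading logs posted by someone else, where only the hashes are available.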
picasso (posted 18 September 2012)

1. Start > type cmd in the search box > right-click > Run as administrator > paste the command:

sfc /scanfile=C:\Windows\system32\services.exe

Restart the system.

2. Run OTL and paste into the Custom Scans/Fixes section:

:Files
C:\Windows\Installer\{0e2553a6-37a1-c30c-c87e-704663c4430e}
C:\Users\JaDowity\AppData\Local\{0e2553a6-37a1-c30c-c87e-704663c4430e}
C:\Users\JaDowity\AppData\Roaming\mozilla\Firefox\Profiles\e4pl2a2e.default\extensions\toolbar@ask.com
C:\Users\JaDowity\AppData\Roaming\mozilla\firefox\profiles\e4pl2a2e.default\searchplugins\askcom.xml
C:\Users\JaDowity\AppData\Roaming\mozilla\firefox\profiles\e4pl2a2e.default\searchplugins\askcomsearch.xml
C:\Program Files\mks_vir_9
:OTL
FF - prefs.js..browser.search.defaultengine: "Ask.com Search"
FF - prefs.js..browser.search.defaultenginename: "Ask.com Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query="
FF - prefs.js..browser.search.order.1: "Ask.com Search"
FF - prefs.js..browser.search.selectedEngine: "Ask.com Search"
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.11.3.15590
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW2&o=16050&locale=en_DE&apn_uid=792947E0-F6E1-428C-9E8C-3F27689CBB62&apn_ptnrs=OF&apn_sauid=582A8503-DCB7-493E-96DD-E2590308A441&apn_dtid=VIN001NTDE&&q="
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = "http://downloads.phpnuke.org/en/index.php?rvs=google"
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = "http://downloads.phpnuke.org/en/index.php?rvs=google"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = "http://downloads.phpnuke.org/en/index.php?rvs=google"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = "http://downloads.phpnuke.org/en/index.php?rvs=google"
IE - HKLM\..\SearchScopes\{CB5BB9DD-D23F-4395-822C-ABF678931ED7}: "URL" = "http://downloads.phpnuke.org/en/index.php?rvs=google"
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = "http://websearch.ask.com/custom/java/redirect?client=ie&tb=ORJ&o=100000026&src=crm&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = "http://127.0.0.1:4664/search&s=yIwe_qd4ve8nWGFtp1YqhEkSK64?q={searchTerms}"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB9}: "URL" = "http://www.daemon-search.com/search?q={searchTerms}"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1210541"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\..\SearchScopes\{CB5BB9DD-D23F-4395-822C-ABF678931ED7}: "URL" = "http://downloads.phpnuke.org/en/index.php?rvs=google"
IE - HKU\S-1-5-21-2476290609-3752394115-1800974415-1000\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7"
O4 - HKLM..\Run: [] File not found
O9 - Extra Button: eBay - {76577871-04EC-495E-A12B-91F7C3600AFA} - "http://rover.ebay.com/rover/1/4908-44618-9400-3/4" File not found
O9 - Extra Button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - "http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home" File not found
SRV - File not found [Auto | Stopped] -- C:\Program Files\mks_vir_9\bin\mks_services.exe -- (mks_services)
SRV - File not found [Disabled | Unknown] -- C:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\igdkmd32.sys -- (igfx)
DRV - File not found [Kernel | Boot | Stopped] -- system32\DRIVERS\ElbyVCD.sys -- (ElbyVCD)
:Reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2]
:Commands
[emptytemp]

Note for other readers: this script is unique, tailored only and exclusively to this system; please do not apply it to your own systems.

Click Run Fix. The system will be restarted.

3. Through Control Panel uninstall the adware Ask Toolbar and download-boosters Toolbar.

4. Run AdwCleaner and apply Delete. A removal log will be created on drive C.

5. Make a new OTL log from the Scan option (without Extras this time) and a SystemLook log with the conditions:

:filefind
services.exe

Also attach the log with the AdwCleaner removal results.
daniel (posted 18 September 2012)

Avast has stopped bombarding me. That's good news, I suppose?

SystemLook 30.07.11 by jpshortstuff
Log created at 19:46 on 18/09/2012 by JaDowity
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\SoftwareDistribution\Download\15d05090e6f876555f2419af621dda9f\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe  --a---- 279552 bytes  [09:33 13/04/2010]  [06:27 11/04/2009]  D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\System32\services.exe  --a---- 279040 bytes  [22:08 19/07/2008]  [07:33 19/01/2008]  2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe  --a---- 279552 bytes  [08:35 02/11/2006]  [09:45 02/11/2006]  329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe  --a---- 279040 bytes  [22:08 19/07/2008]  [07:33 19/01/2008]  2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-

Attachments: OTL.Txt, AdwCleanerS2.txt
picasso (posted 18 September 2012)

Yes, what I carried out here was the procedure for curing the infected system file and removing the by-products of that infection. That is why Avast has calmed down. But there is still work ahead of us. This trojan damaged the Windows services: it completely erased Windows Firewall, Security Center, Windows Defender and Windows Update from the registry. That is what we will take care of now. Later you will also remove the remnants of the commercial version of Avast Internet Security.

1. Reconstruction of the Windows Firewall services (BFE + MpsSvc + SharedAccess and their permissions): (link). Skip sfc /scannow, it is not needed.

2. Reconstruction of the remaining services plus other minor corrections. Open Notepad and paste into it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
"DisplayName"="@%ProgramFiles%\\Windows Defender\\MsMpRes.dll,-103"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,73,00,65,00,63,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%ProgramFiles%\\Windows Defender\\MsMpRes.dll,-1176"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,\
  00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,42,00,61,00,63,00,6b,00,75,00,70,00,50,00,72,00,69,\
  00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,73,00,\
  74,00,6f,00,72,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,\
  00,00,00,53,00,65,00,44,00,65,00,62,00,75,00,67,00,50,00,72,00,69,00,76,00,\
  69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,\
  00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,\
  6c,00,65,00,67,00,65,00,00,00,53,00,65,00,53,00,65,00,63,00,75,00,72,00,69,\
  00,74,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  53,00,65,00,53,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,50,00,72,00,69,\
  00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,\
  72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,00,69,\
  00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,\
  69,00,67,00,6e,00,50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,\
  00,65,00,6e,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,\
  00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,6d,00,70,00,73,\
  00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\Security]
"Security"=hex:01,00,14,80,dc,00,00,00,e8,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,ac,00,06,00,00,00,00,00,28,00,ff,01,0f,00,01,06,00,00,00,00,00,\
  05,50,00,00,00,b5,89,fb,38,19,84,c2,cb,5c,6c,23,6d,57,00,77,6e,c0,02,64,87,\
  00,0b,28,00,00,00,00,10,01,06,00,00,00,00,00,05,50,00,00,00,b5,89,fb,38,19,\
  84,c2,cb,5c,6c,23,6d,57,00,77,6e,c0,02,64,87,00,00,14,00,fd,01,02,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,\
  04,00,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\TriggerInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\TriggerInfo\0]
"Type"=dword:00000005
"Action"=dword:00000001
"GUID"=hex:e6,ca,9f,65,db,5b,a9,4d,b1,ff,ca,2a,17,8d,46,e0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv]
"PreshutdownTimeout"=dword:036ee800
"DisplayName"="Windows Update"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%systemroot%\\system32\\wuaueng.dll,-106"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,\
  65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,\
  00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\
  61,00,74,00,65,00,50,00,61,00,67,00,65,00,46,00,69,00,6c,00,65,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,54,00,63,00,\
  62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
  00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,72,00,69,00,6d,00,61,00,72,00,\
  79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,\
  6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,\
  00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,\
  75,00,6f,00,74,00,61,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,\
  00,00,00,53,00,65,00,53,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,50,00,\
  72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,75,00,61,00,75,00,65,00,6e,00,67,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceMain"="WUServiceMain"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,00,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,9d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{DDE73E3B-E9BF-483D-A846-CE1ADC552A4B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="about:blank"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="about:blank"

Note for other readers: this import is tailored to Windows Vista.

From the Notepad menu > File > Save As > set the file type to All Files > save as FIX.REG > right-click the file > Merge.

3. Restart the system and generate a new log from Farbar Service Scanner.
daniel (posted 19 September 2012)

Farbar Service Scanner Version: 06-08-2012
Ran by JaDowity (administrator) on 19-09-2012 at 18:41:01
Running from "C:\Users\JaDowity\Downloads"
Windows Vista Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll [2008-07-20 00:07] - [2008-01-19 09:34] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D
C:\Windows\system32\Drivers\afd.sys [2011-06-16 19:33] - [2011-04-21 15:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys [2010-08-13 06:47] - [2010-06-16 17:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9
C:\Windows\system32\dnsrslvr.dll [2011-04-15 21:38] - [2011-03-02 16:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D
C:\Windows\system32\mpssvc.dll [2008-07-20 00:09] - [2008-01-19 09:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B
C:\Windows\system32\bfe.dll [2008-07-20 00:08] - [2008-01-19 09:33] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe [2008-07-20 00:09] - [2008-01-19 09:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23
C:\Windows\system32\wscsvc.dll [2008-07-20 00:08] - [2008-01-19 09:37] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C
C:\Windows\system32\wbem\WMIsvc.dll [2008-07-20 00:07] - [2008-01-19 09:36] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll [2008-07-20 00:09] - [2008-01-19 09:36] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D
C:\Windows\system32\es.dll [2008-08-13 06:26] - [2008-04-18 07:48] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465
C:\Windows\system32\cryptsvc.dll [2008-07-20 00:07] - [2008-01-19 09:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll [2008-07-20 00:07] - [2008-01-19 09:34] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll [2009-06-29 02:07] - [2009-03-03 06:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830

**** End of log ****
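Before merging a FIX.REG like the one posted earlier in this thread, it is worth decoding what it actually sets: the hex(2) and hex(7) values are UTF-16LE byte dumps that regedit stores as REG_EXPAND_SZ and REG_MULTI_SZ, and a reader cannot tell from the raw bytes which binary, host DLL, account and privileges a service is being handed. The Python script below is an added example, not code from the thread: a small parser for Regedit 5.00 exports that decodes those value types and summarises, per service, the ImagePath, ServiceDll, start type, account, dependencies and RequiredPrivileges. The embedded input is a constructed excerpt of the fix above (the BITS key and its Parameters subkey, without the Security and Performance subkeys), so the expected decode is %SystemRoot%\System32\svchost.exe -k netsvcs hosting %SystemRoot%\System32\qmgr.dll as LocalSystem.

```python
import re
from typing import Any, Dict, List

# Constructed input: an excerpt of the FIX.REG posted in the thread (the BITS key and its
# Parameters subkey, copied as posted; the Security and Performance subkeys are left out).
BITS_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''


def _logical_lines(text: str) -> List[str]:
    """Join the backslash-continued lines that .reg files use for long hex values."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def _decode(rhs: str) -> Any:
    """Decode one right-hand side in .reg syntax into a Python value."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    m = re.fullmatch(r"hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>.*)", rhs)
    if m is None:
        raise ValueError(f"unsupported value syntax: {rhs!r}")
    kind = int(m.group("t") or "3", 16)        # bare "hex:" means REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group("data").split(",") if b)
    if kind in (1, 2):                          # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                               # REG_MULTI_SZ: NUL-separated, double-NUL-terminated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                                 # REG_BINARY and anything else: raw bytes


def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                # a leading "-" here would mean "delete this key"
            keys[current] = {}
            continue
        if current is None:
            raise ValueError("value line before any [key]")
        name, _, rhs = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode(rhs)
    return keys


START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"


def describe_services(keys: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per service: host binary, ServiceDll, start type, account, dependencies, privileges."""
    out: Dict[str, Dict[str, Any]] = {}
    prefix = SERVICES_ROOT.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        name, _, sub = path[len(prefix):].partition("\\")
        entry = out.setdefault(name, {})
        if sub == "":
            entry.update(image=values.get("ImagePath"), start=START_TYPES.get(values.get("Start")),
                         account=values.get("ObjectName"), depends=values.get("DependOnService", []),
                         privileges=values.get("RequiredPrivileges", []))
        elif sub.lower() == "parameters":
            entry["dll"] = values.get("ServiceDll")
    return out


if __name__ == "__main__":
    for svc, info in describe_services(parse_reg(BITS_FIX)).items():
        print(svc, info)
```

The Security values of the full fix are left as raw bytes on purpose: they are self-relative SECURITY_DESCRIPTOR blobs, and decoding their DACLs is a separate exercise. The point of the summary is the part a reviewer should eyeball before merging: every rebuilt service here runs from svchost.exe under %SystemRoot%, loads a DLL under %SystemRoot% or %ProgramFiles%, and carries the privilege list Microsoft ships for it, which is what distinguishes a service reconstruction from a .reg that plants a new persistence entry.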
picasso (posted 19 September 2012)

Services successfully rebuilt. The next batch of tasks:

1. Get rid of the remnants of the commercial Avast mentioned earlier. Boot into Windows Safe Mode (the normal Avast must not be running). Start > type cmd in the search box > right-click > Run as administrator > enter the command:

sc delete "avast! Firewall"

2. Cleanup after the tools: in AdwCleaner use Uninstall, in OTL run CleanUp.

3. Clear the System Restore folders: (link).

4. Run a full scan in Malwarebytes Anti-Malware. If it detects anything, post the report.
daniel (posted 21 September 2012)

Tasks done. Malwarebytes Anti-Malware detected nothing. Are we happy?
picasso (posted 21 September 2012)

We are happy. Final steps:

1. A minor WMI error, event ID 10, keeps repeating in the Event Log. Repair instructions: KB950375.

2. Mandatory updates: (link). According to your reports the system is at a critical update level (no SP2 + IE9 and none of the patches released after them), and the following software versions are visible:

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{AC76BA86-7AD7-1045-7B44-A80000000000}" = Adobe Reader 8 - Polish
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX (plugin for IE)
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin (plugin for Firefox)

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()

3. As a precaution, change your login passwords on the web services you use.
daniel (posted 21 September 2012)

Thank you very much for the expert help.