  1. #1
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91

    Win32/PSW.OnLineGames.NMY trojan

    Hello,

    For some time now NOD has been detecting the following virus, Win32/PSW.OnLineGames.NMY, on the external hard drive and the flash drives I plug in, telling me that autorun.inf on the respective peripheral device is infected and offering to delete it. I delete it, but after a while it shows up again.

    Does anyone have an idea how to get rid of this trojan? Looking around the net just now, the page http://www.scanforfree.com/08/win32_...y-removal.html has some small program for removing this virus. Do you know any other way to clean it, or should I trust that program?

    Thanks in advance

  2. #2
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    Go to \windows\system32 and find spoolsv.exe, and tell me its size.
    Also that of \windows\system32\dllcache\spoolsv.exe

  3. #3
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    \windows\system32 - 56,5 KB (57 856 bytes)
    \windows\system32\dllcache\spoolsv.exe - 56,5 KB (57 856 bytes)

    I was looking at some foreign sites and ran diagnostics with some programs, hijackthis and combofix, and only posted logs.
    Here are the logs:
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:02:06, on 18.11.2008 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\Datecs\Flex2K.exe
    C:\Program Files\RBTray\RBTray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\ESET\nod32kui.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RBTray.lnk = C:\Program Files\RBTray\RBTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
    O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DF859B-68D0-4380-9DBA-230377CFEA59}: NameServer = 212.39.90.42,212.39.90.43
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O24 - Desktop Component 1: АБВ - ПОЩА - http://mail03.abv.bg/app/servlet/bg....et=Cp1251&ac=s
    
    --
    End of file - 5682 bytes

    and the other one, from Combofix

    Code:
    ComboFix 08-11-17.06 - Vanio 2008-11-18 20:15:10.1 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1251.1.1033.18.550 [GMT 2:00]
    Running from: c:\documents and settings\Vanio\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Vanio\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     * Created a new restore point
     * Resident AV is active
    
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    C:\test.txt
    
     c:\windows\system32\winlogon.exe . . . is infected!!
    
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    -------\Legacy_WINDOWS_SMRSS_SERVICE
    -------\Service_Windows Smrss Service
    
    
    (((((((((((((((((((((((((   Files Created from 2008-10-18 to 2008-11-18  )))))))))))))))))))))))))))))))
    .
    
    2008-11-18 20:01 . 2008-11-18 20:01	<DIR>	d--------	c:\program files\Trend Micro
    2008-11-18 19:15 . 2008-11-18 19:15	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\True Sword
    2008-11-18 19:14 . 2008-11-18 19:22	<DIR>	d--------	c:\program files\True Sword 5
    2008-11-16 00:14 . 2008-05-30 14:11	3,850,760	--a------	c:\windows\system32\D3DX9_38.dll
    2008-11-16 00:13 . 2008-11-16 00:13	<DIR>	d--------	c:\windows\Logs
    2008-11-16 00:07 . 2008-11-16 00:07	682,280	--a------	c:\windows\system32\pbsvc.exe
    2008-11-10 23:30 . 2008-11-10 23:30	<DIR>	d--------	c:\program files\Common Files\Skype
    2008-11-10 23:30 . 2008-11-18 19:03	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\skypePM
    2008-11-10 23:30 . 2008-11-10 23:30	56	--ah-----	c:\windows\system32\ezsidmv.dat
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-18 18:18	---------	d-----w	c:\documents and settings\Vanio\Application Data\Skype
    2008-11-18 17:49	---------	d-----w	c:\program files\ESET
    2008-11-17 21:52	138,376	----a-w	c:\windows\system32\drivers\PnkBstrK.sys
    2008-11-17 21:51	182,928	----a-w	c:\windows\system32\PnkBstrB.exe
    2008-11-17 21:06	---------	d-----w	c:\documents and settings\Vanio\Application Data\uTorrent
    2008-11-15 22:07	22,328	----a-w	c:\documents and settings\Vanio\Application Data\PnkBstrK.sys
    2008-11-15 22:07	---------	d--h--w	c:\program files\InstallShield Installation Information
    2008-10-02 18:11	---------	d-----w	c:\program files\TVAnts
    2008-09-21 16:28	---------	d-----w	c:\program files\mIRC
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
    "D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-20 282624]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-07 949376]
    "Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]
    "AtiPTA"="atiptaxx.exe" [2005-11-23 c:\windows\system32\atiptaxx.exe]
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    
    c:\documents and settings\Vanio\Start Menu\Programs\Startup\
    RBTray.lnk - c:\program files\RBTray\RBTray.exe [2006-07-14 53248]
    
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2006-11-16 130048]
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\ICQLite\\ICQLite.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "d:\\GAMES\\Call of Duty 2\\CoD2MP_s.exe"=
    "d:\\GAMES\\Counter-Strike\\cstrike.exe"=
    "c:\\Program Files\\PPMate\\ppmate.exe"=
    "c:\\Program Files\\PPMate\\ppmnet.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "h:\\downloads\\uTorrent\\utorrent-1.8-beta-9704.upx.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    
    R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.205\ATI Tray Tools\atitray.sys [2005-11-14 10496]
    R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-01-23 2368]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
    \Shell\AutoRun\command - F:\ASUSACPI.exe
    .
    Contents of the 'Scheduled Tasks' folder
    
    2008-11-17 c:\windows\Tasks\At1.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At10.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At11.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At12.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At13.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At14.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At15.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At16.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At17.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At18.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At19.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-15 c:\windows\Tasks\At2.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-16 c:\windows\Tasks\At20.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-18 c:\windows\Tasks\At21.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-17 c:\windows\Tasks\At22.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-17 c:\windows\Tasks\At23.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-17 c:\windows\Tasks\At24.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-01 c:\windows\Tasks\At3.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-01 c:\windows\Tasks\At4.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-11-01 c:\windows\Tasks\At5.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At6.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At7.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At8.job
    - c:\windows\system32\fGJ5mMa7.exe []
    
    2008-10-05 c:\windows\Tasks\At9.job
    - c:\windows\system32\fGJ5mMa7.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Vanio\Application Data\Mozilla\Firefox\Profiles\cmi6eeu2.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - 
    .
    
    **************************************************************************
    
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-18 20:17:29
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully
    hidden files: 0
    
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\ehome\ehRecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\ESET\nod32krn.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-18 20:19:12 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-11-18 18:18:59
    
    Pre-Run: 11 281 354 752 bytes free
    Post-Run: 11,500,244,992 bytes free
    
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    
    183



    For about two days the virus has not been detected. Only on peripheral USB devices and on the external hard disk does it show that autorun.inf is infected.

    A little while ago I ran Spy bot search and destroy ... it found only cookies and I deleted them all. I doubt that is the virus.
    Last edited by lisi4ko; 22nd November 2008 at 12:17.

  4. #4
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    There is going to be some cleaning to do here. If you are up for cleaning rather than reinstalling, say so and we will help.

  5. #5
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Quote Originally Posted by ilko View Post
    There is going to be some cleaning to do here. If you are up for cleaning rather than reinstalling, say so and we will help.
    I'll clean ... I haven't touched the Windows install in ages. I don't feel like reinstalling.
    I see there is an infected winlogon, but since these logs mean nothing to me I don't even know where to start, and besides I want to learn. If something gets messed up I'll reinstall.

    I'm at work right now, but in the evening I'll be at my computer.
    Last edited by lisi4ko; 19th November 2008 at 10:39.

  6. #6
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    1. Find a clean version of winlogon.exe, preferably from the XP CD:
    Click Start-->Run and type
    cmd
    In the black window, type
    Code:
    expand h:\xp_sp3\i386\winlogon.ex_ c:\windows\system32\winlogonori.exe
    replacing h:\xp_sp3\ with the path to the I386 folder on your machine.

    !!!After that, be sure to verify that c:\windows\system32\winlogonori.exe exists!!!
    If it is not there, post here and do NOT carry out the following steps.

    2. Save the following on the desktop as ave.txt:

    Code:
    Files to move:
    c:\windows\system32\winlogon.exe | c:\virs\winlogon.vir
    c:\windows\system32\winlogonori.exe | c:\windows\system32\winlogon.exe
    c:\windows\system32\ezsidmv.dat | c:\virs\ezsidmv.dat
    
    Files to delete:
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    c:\windows\system32\fGJ5mMa7.exe
    C:\WINDOWS\svchost.exe
    
    Drivers to delete:
    Windows Smrss Service
    3. Download Avenger, extract avenger.exe somewhere, rename it to aven.exe and run it. Click Load Script-->From File and point it to ave.txt.
    Untick Scan for rootkits and click Execute; allow it when it asks to restart.

    4. After the restart, open C:\avenger.txt and copy-paste its contents here, together with a new HiJackThis log.

    When you post the logs here, wrap them in QUOTE or CODE (the "more options" button --> #)
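
An added example, not part of the thread and not ilko's own method: a Python triage pass over a few lines copied from the logs in post #3, showing three checks that surface items the ave.txt script above targets (the service pointing at C:\WINDOWS\svchost.exe, the file ComboFix reports as infected, and the executable shared by the At*.job tasks). The checks, the `CORE_NAMES` list and the `MIN_JOBS` threshold are assumptions of this example; ezsidmv.dat is not covered by any of them.

```python
import re
from collections import defaultdict, namedtuple
from ntpath import basename, dirname  # Windows path rules on any OS

Finding = namedtuple("Finding", "kind path detail")

SYSTEM32 = r"c:\windows\system32"
# Windows XP core binaries that normally run from system32 (list chosen for this example).
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe"}
MIN_JOBS = 3  # assumption: this many At*.job files sharing one target merits review

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>[A-Za-z]:\\.+\\At\d+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>[A-Za-z]:\\.+?) \[.*\]$")
INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \. \. \. is infected!!$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

# Constructed sample: lines copied from the HijackThis and ComboFix logs in post #3.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
 c:\windows\system32\winlogon.exe . . . is infected!!
2008-11-17 c:\windows\Tasks\At1.job
- c:\windows\system32\fGJ5mMa7.exe []

2008-10-05 c:\windows\Tasks\At10.job
- c:\windows\system32\fGJ5mMa7.exe []

2008-11-15 c:\windows\Tasks\At11.job
- c:\windows\system32\fGJ5mMa7.exe []
"""


def misplaced_core_binary(path):
    """True when a core Windows binary name sits outside system32."""
    lowered = path.lower()
    return basename(lowered) in CORE_NAMES and dirname(lowered) != SYSTEM32


def triage(text):
    """Return Finding tuples for a human to review; nothing is modified or deleted."""
    findings, jobs_by_target, pending_job = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        # ComboFix lists each task as a job line followed by its target line.
        job, pending_job = pending_job, None
        if m := O23_RE.match(line):
            reasons = []
            if misplaced_core_binary(m["path"]):
                reasons.append("core binary name outside system32")
            if m["missing"]:
                reasons.append("image file missing")
            if reasons:  # "Unknown owner" alone is not treated as a signal
                findings.append(Finding("service", m["path"],
                                        m["name"] + ": " + "; ".join(reasons)))
        elif m := JOB_RE.match(line):
            pending_job = basename(m["job"])
        elif (m := TARGET_RE.match(line)) and job:
            jobs_by_target[m["target"]].append(job)
        elif m := INFECTED_RE.match(line):
            findings.append(Finding("flagged-file", m["path"],
                                    "reported infected by ComboFix"))
        elif PROCESS_RE.match(line) and misplaced_core_binary(line):
            findings.append(Finding("process", line,
                                    "core binary name outside system32"))
    for target, jobs in jobs_by_target.items():
        if len(jobs) >= MIN_JOBS:
            findings.append(Finding("scheduled-task", target,
                                    f"{len(jobs)} At jobs launch it: {', '.join(jobs)}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:15} {finding.path}  ({finding.detail})")
```

The output is a review list only; each path still needs checking (size, signature, a scan of a known-clean copy) before anything is moved or deleted.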

  7. #7
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Since I'm on XP SP2 Media Center, will it be a problem if I use an SP3 installation disc to replace winlogon, or do I absolutely need the SP2 installation disc? I.e., do the winlogons differ? ...

  8. #8
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    I don't think it is a good idea to swap them. Rather, check in \system32\dllcache or WINDOWS\SoftwareDistribution\Download\XX XXXXXXXXXXXXXXXXXXXXX\ whether you have a copy. If there is one, check it first at www.virustotal.com and copy it into system32 as winlogonori.exe. In that case you skip the first step, as you have probably guessed.

  9. #9
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Quote Originally Posted by ilko View Post
    I don't think it is a good idea to swap them. Rather, check in \system32\dllcache or WINDOWS\SoftwareDistribution\Download\XX XXXXXXXXXXXXXXXXXXXXX\ whether you have a copy. If there is one, check it first at www.virustotal.com and copy it into system32 as winlogonori.exe. In that case you skip the first step, as you have probably guessed.
    Sooo

    I got home a little while ago and searched for winlogon.exe on the PC. There is no copy of it anywhere.
    I'll wait until tomorrow.
    I checked it at www.virustotal.com anyway, but it didn't show it as infected. After that, Combofix again tells me it is infected.
    Last edited by lisi4ko; 20th November 2008 at 20:53.

  10. #10
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Just now on the work computer, which has SP2, I saw that there is a copy in WINDOWS\SoftwareDistribution\Download, while the directory \system32\dllcache doesn't exist at all. When I get home tonight I'll look. If I don't find it there, I'll get the MEDIA CENTER installation disc for tomorrow evening, because they won't be able to bring it to me today.

  11. #11
    Nostrum IvO™'s Avatar
    Join Date: Jun:2008
    Location: HOME.WAD
    Posts: 1,334
    Quote Originally Posted by lisi4ko View Post
    ...while the directory \system32\dllcache doesn't exist at all. When I get home tonight I'll look. If I don't find it there, I'll get the MEDIA CENTER installation disc for tomorrow evening, because they won't be able to bring it to me today.

    DLLcache is a hidden system folder and under normal circumstances you shouldn't see it. Check whether it is there by going to Windows Explorer -> Tools -> Folder Options -> View -> [for the folder to be visible, "Hide protected operating system files (Recommended)" must be unticked].

  12. #12
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Quote Originally Posted by IvO™ View Post
    DLLcache is a hidden system folder and under normal circumstances you shouldn't see it. Check whether it is there by going to Windows Explorer -> Tools -> Folder Options -> View -> [for the folder to be visible, "Hide protected operating system files (Recommended)" must be unticked].
    I had looked for it that way too. I didn't find it in Explorer. When I copied the path into the address bar, it came up.

  13. #13
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    highjack:
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:13:25, on 21.11.2008 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\Datecs\Flex2K.exe
    C:\Program Files\RBTray\RBTray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Skype\Plugin Manager\SkypePM.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wpabaln.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RBTray.lnk = C:\Program Files\RBTray\RBTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: FlexType 2K.lnk = C:\WINDOWS\Datecs\Flex2K.exe
    O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5DF859B-68D0-4380-9DBA-230377CFEA59}: NameServer = 212.39.90.42,212.39.90.43
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O24 - Desktop Component 1: АБВ - ПОЩА - http://mail03.abv.bg/app/servlet/bg.abv.mail.GetData;jsessionid=aTsvVfadCpZ7?fid=10&mid=1408363779&nid=0&eid=3&charset=Cp1251&ac=s
    
    --
    End of file - 5821 bytes
    avenger:
    Code:
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com
    
    Platform:  Windows XP
    
    *******************
    
    Script file opened successfully.
    Script file read successfully.
    
    Backups directory opened successfully at C:\Avenger
    
    *******************
    
    Beginning to process script file:
    
    File move operation "c:\windows\system32\winlogon.exe|c:\virs\winlogon.vir" completed successfully.
    
    Error:  file "c:\windows\system32\winlogon.exe" is whitelisted
    File move operation "c:\windows\system32\winlogonori.exe|c:\windows\system32\winlogon.exe" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)
    
    File move operation "c:\windows\system32\ezsidmv.dat|c:\virs\ezsidmv.dat" completed successfully.
    
    Error:  file "c:\windows\Tasks\At1.job" not found!
    Deletion of file "c:\windows\Tasks\At1.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At10.job" not found!
    Deletion of file "c:\windows\Tasks\At10.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At11.job" not found!
    Deletion of file "c:\windows\Tasks\At11.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At12.job" not found!
    Deletion of file "c:\windows\Tasks\At12.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At13.job" not found!
    Deletion of file "c:\windows\Tasks\At13.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At14.job" not found!
    Deletion of file "c:\windows\Tasks\At14.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At15.job" not found!
    Deletion of file "c:\windows\Tasks\At15.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At16.job" not found!
    Deletion of file "c:\windows\Tasks\At16.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At17.job" not found!
    Deletion of file "c:\windows\Tasks\At17.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At18.job" not found!
    Deletion of file "c:\windows\Tasks\At18.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At19.job" not found!
    Deletion of file "c:\windows\Tasks\At19.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At2.job" not found!
    Deletion of file "c:\windows\Tasks\At2.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At20.job" not found!
    Deletion of file "c:\windows\Tasks\At20.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At21.job" not found!
    Deletion of file "c:\windows\Tasks\At21.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At22.job" not found!
    Deletion of file "c:\windows\Tasks\At22.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At23.job" not found!
    Deletion of file "c:\windows\Tasks\At23.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At24.job" not found!
    Deletion of file "c:\windows\Tasks\At24.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At3.job" not found!
    Deletion of file "c:\windows\Tasks\At3.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At4.job" not found!
    Deletion of file "c:\windows\Tasks\At4.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At5.job" not found!
    Deletion of file "c:\windows\Tasks\At5.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At6.job" not found!
    Deletion of file "c:\windows\Tasks\At6.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At7.job" not found!
    Deletion of file "c:\windows\Tasks\At7.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At8.job" not found!
    Deletion of file "c:\windows\Tasks\At8.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\Tasks\At9.job" not found!
    Deletion of file "c:\windows\Tasks\At9.job" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "c:\windows\system32\fGJ5mMa7.exe" not found!
    Deletion of file "c:\windows\system32\fGJ5mMa7.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  file "C:\WINDOWS\svchost.exe" not found!
    Deletion of file "C:\WINDOWS\svchost.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\Windows Smrss Service" not found!
    Deletion of driver "Windows Smrss Service" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
      --> the object does not exist
    
    
    Completed script processing.
    
    *******************
    
    Finished!  Terminate.
    I found winlogon.ex_ on my Windows installation media (by the way, the versions of winlogon.exe on my installation Windows and on Windows SP3 are one and the same, and the strangest thing is that they differ in version and size from the one I already have installed ... strange) and extracted it the way it was supposed to be done. After that I downloaded Avenger and loaded the script. After the restart I looked at the log and it said that the files that were supposed to be moved could not be moved because the folder c:\virs\ had not been created ... the other files that were supposed to be deleted were deleted, but the drivers apparently were not. Anyway, I created it (the VIRS folder) and ran Avenger again, after which the computer started restarting continuously. I restarted it in DOS (I don't know what it's called on XP) and saw that the script had not renamed winlogonori.exe to winlogon.exe. I changed it manually through command.com and Windows started. The stupid thing is that I have to apply the crack again, and when I try it says "ERROR: Can't open C:\WINDOWS\system32\winlogon.exe for read access."
    I don't know how I can modify winlogon.exe. I'll try with Avenger. I'll simply write run c:\crack ... or just c:\crack. If it can move files, it should surely be able to modify them too.

    So, the files that the Avenger log says were not deleted have actually been deleted, except for the last drivers.

    Pff, it would be very nice if I knew what I was doing.
    I'm waiting for some recommendations on what to do next.
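
    Added example, not part of the post above and not Avenger's own code: a Python parser for log lines in the format shown, which separates failures where the target was simply already absent from the one failure that left a system file missing. The function names are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Excerpt copied from the Avenger log in the post above (second run).
SAMPLE_LOG = r'''
File move operation "c:\windows\system32\winlogon.exe|c:\virs\winlogon.vir" completed successfully.

Error:  file "c:\windows\system32\winlogon.exe" is whitelisted
File move operation "c:\windows\system32\winlogonori.exe|c:\windows\system32\winlogon.exe" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File move operation "c:\windows\system32\ezsidmv.dat|c:\virs\ezsidmv.dat" completed successfully.

Error:  file "c:\windows\Tasks\At1.job" not found!
Deletion of file "c:\windows\Tasks\At1.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\Windows Smrss Service" not found!
Deletion of driver "Windows Smrss Service" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
'''

OP_RE = re.compile(
    r'^(File move operation|Deletion of (?:file|driver)) "([^"]+)" '
    r'(completed successfully\.|failed!)$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]{8}) \((\w+)\)$')


def parse_avenger_log(text):
    """Return one dict per operation, with the NTSTATUS name of any failure."""
    ops = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OP_RE.match(line)
        if m:
            kind, target, outcome = m.groups()
            source, _, dest = target.partition("|")  # moves are "src|dst"
            ops.append({"kind": kind, "source": source, "dest": dest or None,
                        "ok": outcome.startswith("completed"), "status": None})
            continue
        m = STATUS_RE.match(line)
        if m and ops and not ops[-1]["ok"] and ops[-1]["status"] is None:
            ops[-1]["status"] = m.group(2)
    return ops


def triage(ops):
    """Label each failure 'benign' (target already gone) or 'actionable'."""
    moved_away = {op["source"].lower() for op in ops
                  if op["ok"] and op["dest"]}
    findings = []
    for op in ops:
        if op["ok"]:
            continue
        if op["status"] == "STATUS_OBJECT_NAME_NOT_FOUND":
            findings.append(("benign", op["source"], "already absent"))
            continue
        note = op["status"] or "no status line"
        # A failed move INTO a path that an earlier step emptied leaves that
        # path with no file at all (here: winlogon.exe).
        if op["dest"] and op["dest"].lower() in moved_away:
            note += "; destination was moved away earlier and is now missing"
        findings.append(("actionable", op["source"], note))
    return findings


if __name__ == "__main__":
    for verdict, target, note in triage(parse_avenger_log(SAMPLE_LOG)):
        print(f"{verdict:10} {target}  ({note})")
```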

  14. #14
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    You handled the mess well.

    I can't help you with the crack, and it isn't appropriate to discuss it on the forum either.

    One last thing: run ComboFix again and, when it finishes, post its log here.

  15. #15
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Yeah, you're right about the crack.

    The only thing that worries me is that after all this a Windows dialog started popping up, saying something like important Windows system files have been tampered with, and it wants me to insert the installation disc so it can fix their version. There were 3 options: OK, Cancel and ... I forgot the third one. I plan to get the installation disc today. In the evening, when I get back, I'll run ComboFix again and post the log.

  16. #16
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    It is most likely complaining because of the different version of winlogon.exe.
    When you get the disc, type this in Start->Run:
    sfc /scannow

    sfc = SystemFileChecker

  17. #17
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    I just found out that the guy who was supposed to send me the winlogon.ex_ from Media Center SP2 sent me a different one ... from SP3. I'll tear his ears off. Apparently that's why it's complaining. I.e. the winlogon files of SP2 and SP3 are different.
    Tonight I'll replace it the old-fashioned way through DOS, because with Avenger I'd probably mess up the script.
    By the way, I noticed that in system32 there is a file winlogon.bat, while here on the work machine it isn't there. I don't know whether it is causing some mess at startup. I can't remember how big it is, but I'll write in the evening.
    Should I delete that c:\virs folder, or wait until I'm completely cleaned up?

  18. #18
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    You can safely remove Virs.
    Winlogon.bat: open it with Notepad and post here what it says inside.

    edit: Make sure you do not execute the file; if necessary, first rename it to winlogon.bat.txt.
    Last edited by ilko; 21st November 2008 at 19:51.

  19. #19
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Quote Originally Posted by ilko View Post
    You can safely remove Virs.
    Winlogon.bat: open it with Notepad and post here what it says inside.

    edit: Make sure you do not execute the file; if necessary, first rename it to winlogon.bat.txt.
    Sorry, my mistake ... the file was not bat, but BAK.
    The guy with the Media Center installation disc is coming in a little while.

  20. #20
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Code:
    ComboFix 08-11-21.02 - Vanio 2008-11-21 21:16:51.3 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1251.1.1033.18.586 [GMT 2:00]
    Running from: c:\documents and settings\Vanio\Desktop\ComboFix.exe
     * Created a new restore point
     * Resident AV is active
    
    .
    
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{ECFAF43C-1E3D-4CBA-8F9D-97F3938EC463}\RP3\A0000184.exe
    
    .
    (((((((((((((((((((((((((   Files Created from 2008-10-21 to 2008-11-21  )))))))))))))))))))))))))))))))
    .
    
    2008-11-21 21:03 . 2004-08-04 04:56	261,115	--a------	C:\WINLOGON.EX_
    2008-11-21 19:03 . 2008-11-21 19:03	<DIR>	d--------	c:\documents and settings\Administrator
    2008-11-21 00:12 . 2004-10-09 01:05	32,574	--a------	C:\CRACK.EXE
    2008-11-21 00:09 . 2008-11-21 00:09	56	--ah-----	c:\windows\system32\ezsidmv.dat
    2008-11-20 23:42 . 2008-11-20 23:44	<DIR>	d--------	C:\virs
    2008-11-20 23:34 . 2008-11-20 23:43	135,168	--a------	C:\zip.exe
    2008-11-20 23:34 . 2008-11-20 23:43	19,286	--a------	C:\cleanup.exe
    2008-11-20 23:34 . 2008-11-20 23:43	574	--a------	C:\cleanup.bat
    2008-11-20 23:34 . 2008-11-20 23:43	457	--a------	C:\backup.reg
    2008-11-20 22:21 . 2008-05-30 23:09	731,136	--a------	C:\aven.exe
    2008-11-18 23:57 . 2008-11-20 19:53	<DIR>	d--------	c:\program files\Spybot - Search & Destroy
    2008-11-18 23:57 . 2008-11-20 19:53	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-18 20:01 . 2008-11-18 20:01	<DIR>	d--------	c:\program files\Trend Micro
    2008-11-18 19:15 . 2008-11-18 19:15	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\True Sword
    2008-11-18 19:14 . 2008-11-18 19:22	<DIR>	d--------	c:\program files\True Sword 5
    2008-11-16 00:13 . 2008-11-16 00:13	<DIR>	d--------	c:\windows\Logs
    2008-11-16 00:07 . 2008-11-16 00:07	682,280	--a------	c:\windows\system32\pbsvc.exe
    2008-11-10 23:30 . 2008-11-10 23:30	<DIR>	d--------	c:\program files\Common Files\Skype
    2008-11-10 23:30 . 2008-11-21 21:13	<DIR>	d--------	c:\documents and settings\Vanio\Application Data\skypePM
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-21 19:14	---------	d-----w	c:\documents and settings\Vanio\Application Data\Skype
    2008-11-20 21:31	---------	d-----w	c:\documents and settings\Vanio\Application Data\uTorrent
    2008-11-18 17:49	---------	d-----w	c:\program files\ESET
    2008-11-17 21:52	138,376	----a-w	c:\windows\system32\drivers\PnkBstrK.sys
    2008-11-15 22:07	22,328	----a-w	c:\documents and settings\Vanio\Application Data\PnkBstrK.sys
    2008-11-15 22:07	---------	d--h--w	c:\program files\InstallShield Installation Information
    2008-10-02 18:11	---------	d-----w	c:\program files\TVAnts
    2008-09-21 16:28	---------	d-----w	c:\program files\mIRC
    .
    
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
    "D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-20 282624]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-08-07 949376]
    "Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]
    "AtiPTA"="atiptaxx.exe" [2005-11-23 c:\windows\system32\atiptaxx.exe]
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    
    c:\documents and settings\Vanio\Start Menu\Programs\Startup\
    RBTray.lnk - c:\program files\RBTray\RBTray.exe [2006-07-14 53248]
    
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2006-11-16 130048]
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\ICQLite\\ICQLite.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "d:\\GAMES\\Call of Duty 2\\CoD2MP_s.exe"=
    "d:\\GAMES\\Counter-Strike\\cstrike.exe"=
    "c:\\Program Files\\PPMate\\ppmate.exe"=
    "c:\\Program Files\\PPMate\\ppmnet.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "h:\\downloads\\uTorrent\\utorrent-1.8-beta-9704.upx.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "d:\\GAMES\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    
    S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.205\ATI Tray Tools\atitray.sys [2005-11-14 10496]
    S2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-01-23 2368]
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
    \Shell\AutoRun\command - F:\ASUSACPI.exe
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Vanio\Application Data\Mozilla\Firefox\Profiles\cmi6eeu2.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - 
    .
    
    **************************************************************************
    
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-21 21:24:10
    Windows 5.1.2600 Service Pack 2 NTFS
    
    scanning hidden processes ... 
    
    scanning hidden autostart entries ...
    
    scanning hidden files ... 
    
    scan completed successfully
    hidden files: 0
    
    **************************************************************************
    .
    Completion time: 2008-11-21 21:25:39 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-11-21 19:25:12
    
    Pre-Run: 11 584 221 184 bytes free
    Post-Run: 11,573,157,888 bytes free
    
    114
    That's the ComboFix log. I don't know if it's OK.

    I replaced the logon with the one it should be.
    I had some problems with starting Windows.

  21. #21
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    Looks fine, ComboFix took winlogon.exe from System Restore.
    Just in case, scan \windows\system32\winlogon.exe at www.virustotal.com.

    Open Regedit and delete the entire key:
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}

    The flash drive that had the letter F: also had an autorun.inf set to start F:\ASUSACPI.exe; it seems everything started from it.

    The rest looks fine. Run this little program so that it protects you at least a bit in the future:
    http://download.bleepingcomputer.com...isinfector.exe
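
    Added example, not part of the post above and not ComboFix's own code: a Python parser for the "Reg Loading Points" entry shapes seen in the log, which pulls out each cached MountPoints2 AutoRun command with its volume GUID and drive letter so it can be checked against the device that actually holds that letter. The function names are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Excerpt copied from the "Reg Loading Points" section of the ComboFix log above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"D_V_T"="c:\\dvt.exe" [2008-08-07 3584]
"Resume copy"="copyfstq.exe" [2002-03-24 c:\windows\COPYFSTQ.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bf33c29-75c1-11db-85ef-806d6172696f}]
\Shell\AutoRun\command - F:\ASUSACPI.exe
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="command" [date size]  or  "name"="command" [date resolved-path]
VALUE_RE = re.compile(
    r'^"([^"]*)"="([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2}) (.+)\])?$')
MOUNT_RE = re.compile(r'^\\Shell\\(\w+)\\command - (.+)$', re.I)
VOLUME_RE = re.compile(r'\\mountpoints2\\(\{[0-9a-f-]{36}\})$', re.I)


def parse_loading_points(text):
    """Return autostart entries; a blank line ends the current key section."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, command, date, tail = m.groups()
            command = command.replace("\\\\", "\\")  # undo .reg-style escaping
            # The bracket holds either the file size or the resolved path.
            resolved = tail if tail and not tail.isdigit() else command
            entries.append({"kind": "run", "key": key, "name": name,
                            "command": command, "resolved": resolved,
                            "date": date})
            continue
        m, vol = MOUNT_RE.match(line), VOLUME_RE.search(key)
        if m and vol:
            entries.append({"kind": "mountpoint", "key": key,
                            "volume": vol.group(1), "verb": m.group(1),
                            "command": m.group(2)})
    return entries


def autorun_commands(entries):
    """List (volume GUID, drive letter, command) for cached AutoRun verbs."""
    out = []
    for e in entries:
        if e["kind"] != "mountpoint":
            continue
        drive = re.match(r'^([A-Za-z]):\\', e["command"])
        out.append((e["volume"],
                    drive.group(1).upper() if drive else None,
                    e["command"]))
    return out


if __name__ == "__main__":
    for volume, drive, command in autorun_commands(parse_loading_points(SAMPLE)):
        print(f"drive {drive}: volume {volume} would run {command}")
```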

  22. #22
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Last night, when I ran ComboFix and then restarted the computer, NOD detected some infected text file in documents and settings/local users/ and so on ... something like 'AV-*.txt'. In place of the asterisk there was some three-letter abbreviation. Now when I look for it I can't find it. It may have been used by ComboFix and then deleted. I don't know.

    In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    there are 5 subfolders (I don't know what they are otherwise called) with this name --> {1bf33c29-75c1-11db-85ef-806d6172696f}, one of which has 2 subfolders ... autorun and shell.

    Should I delete all 5 folders with the name '{1bf33c29-75c1-11db-85ef-806d6172696f}', or one specific one?

    Just to say that exactly the same 5 folders with the same names also exist in:
    HKEY_USERS\S-1-5-21-117609710-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    The same key also exists in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices. It looks to me like a record of peripheral devices that have been plugged in.

    btw F: is my DVD burner. Apparently the trouble happened when my girlfriend put in some discs, because I haven't used the burner for months.

    This virus was only ever detected on the peripheral devices, in autorun.inf,
    and I kept deleting it. Is there any danger that the little beast is hiding somewhere there?
    My external hard drive is always connected and I just scanned it, there is nothing. I did the same with the flash drives and there is nothing on them either.
    Just in case, I also ran that Flash Disinfector program, both for the external drive and for the flash drive. I'll run it every time I plug the flash drive in.

    Is there a way to keep autorun.inf from starting when I insert the disc, so that I can go through the discs, find the culprit ASUSACPI.exe and send it to the trash?


    And one more small question that is a bit off-topic:
    when Windows starts, it first gives me 3 choices: to start RECOVERY CONSOLE, WINDOWS MEDIA CENTER (by DEFAULT), or WINDOWS XP Professional (that is my previous Windows)... so I want to delete that third choice... I don't know why it asks me at all, since I had formatted the hard drive before installing Media Center. I don't know how it was preserved at all, but I want to remove it.
    While looking through the ComboFix log (the first one I posted), at the very end I saw the following:
    Code:
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    which led me to think that I simply have to open c:\cmdcons\BOOTSECT.DAT and delete the XP Professional option... but no luck, in Notepad it shows me gibberish. I don't know whether it should be deleted from there at all. And there ought to be some other program for opening these files. My Windows is a complete mess.
    Last edited by lisi4ko; 22nd November 2008 at 13:44.

  23. #23
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    If F is your burner, then the file in question is probably legitimate; don't touch the registry.

    To remove the unnecessary boot menu entry, open c:\boot.ini with Notepad and remove the unnecessary lines. The file is hidden and read-only. You have to enable the display of hidden and system files in order to see it, and uncheck read-only in Properties in order to edit it.

  24. #24
    Registered User lisi4ko's Avatar
    Join Date: Nov:2008
    Location: Varna
    Posts: 91
    Yeah ... done. And I won't touch the registry at all.
    I need to install some scanner for trojans and the like besides NOD, because it is evidently not doing any work.

    It would be nice to open a thread about reading and analyzing the logs of HijackThis, ComboFix, Avenger and the like: what to look at ... how to remove things, and generally for some help, for example.

    Thanks a lot for the help ... I wouldn't have managed otherwise.

    I'll be more careful in the future.

  25. #25
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    Umm.. there is such a thread, at least with some basic things thrown together, from the second post onward:
    http://www.hardwarebg.com/forum/showthread.php?t=91314
