
I followed your advice but I still have a problem: at system startup a Notepad window appears with something like this


Replies: 6

I managed to remove everything, thanks a lot for the help!
klau
Posted
16.09.2005 15:58:23
Take a look here: http://forum.centrumxp.pl/viewtopic.php?t=40073
At least you will have some overview of the situation.
There's no way around it, winacpi.dll and mdms.exe have to go from the disk; if not in Safe Mode, then you have the Recovery Console, Killbox and about ten other ways.
Bobi
Posted
15.09.2005 22:33:26
I still can't remove winacpi.dll and mdms.exe

I removed a few keys and values listed on this page
http://labs.paretologic.com/spyware.aspx?remove=Repsamo

but the problem is still there
klau
Posted
15.09.2005 22:27:20
I can see that you have removed a few things since last time.
Still left to remove:

C:\windows\system32\mdms.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
O4 – HKLM\..\Run: [MouseDrv] C:\DOCUME~1\Moja\USTAWI~1\Temp\link.txt
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe


mdms.exe is the Repsamo trojan.
Bobi
Posted
15.09.2005 16:02:04
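
Added example, not part of any post in this thread: a small triage pass over HijackThis O4 (Run key) lines that flags the kind of entries listed for removal above. The function names and the two heuristics (non-executable extension, temp directory) are assumptions of this example; the sample lines are copied from the log in this thread with the dashes normalized to ASCII hyphens.

```python
import re
from pathlib import PureWindowsPath

# Files the thread itself names as malicious; everything else is heuristic.
NAMED_IN_THREAD = {"mdms.exe", "winacpi.dll"}
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif"}

# "O4 - HKLM\..\Run: [Name] command"; accept "-" or the en dash the page shows.
O4_RE = re.compile(r"^O4\s*[-\u2013]\s*(HK\w+)\\\.\.\\(\w+):\s*\[([^\]]*)\]\s*(.+)$")

def target_path(command):
    """Return the program path of a Run command line (arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first extension followed by space, comma or end,
    # so paths containing spaces ("C:\Program Files\...") survive.
    m = re.match(r"(.+?\.\w{2,4})(?=\s|,|$)", command)
    return m.group(1) if m else command.split()[0]

def triage(line):
    """Return (value name, path, reasons) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # other O4 forms (e.g. "Global Startup") are not handled
    _hive, _key, name, command = m.groups()
    path = PureWindowsPath(target_path(command))
    reasons = []
    if path.suffix.lower() not in EXECUTABLE_EXTS:
        reasons.append("non-executable extension")
    if any(part.lower() in ("temp", "tmp") for part in path.parts):
        reasons.append("runs from a temp directory")
    if path.name.lower() in NAMED_IN_THREAD:
        reasons.append("file named in thread")
    return name, str(path), reasons

def flagged(log_text):
    """Map Run value name -> reasons, for entries with at least one reason."""
    results = (triage(line) for line in log_text.splitlines())
    return {r[0]: r[2] for r in results if r and r[2]}

# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MouseDrv] C:\DOCUME~1\Moja\USTAWI~1\Temp\link.txt
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

The heuristics only rank entries for a closer look; a clean result does not mean a Run entry is benign, and DLLs loaded through rundll32 arguments are not inspected here.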
this Notepad window has been appearing from the beginning,


Logfile of HijackThis v1.99.1
Scan saved at 13:54:03, on 2005–09–15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett–Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett–Packard\Digital Imaging\bin\hpotdd01.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Moja\USTAWI~1\Temp\Rar$EX00.782\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 – HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 – HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 – HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 – HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 – HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 – HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett–Packard\HP Software Update\HPWuSchd.exe
O4 – HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 – HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett–Packard\Digital Imaging\bin\hpotdd01.exe
O4 – HKLM\..\Run: [MouseDrv] C:\DOCUME~1\Moja\USTAWI~1\Temp\link.txt
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122832910691
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O16 – DPF: {EF791A6B–FC12–4C68–99EF–FB9E207A39E6} (McFreeScan Class) – http://download.mcafee.com/molbin/iss–loc/vso/en–us/tools/mcfscan/2,0,0,4576/mcfscan.cab
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.EXE
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe


apart from that everything looks fine.
klau
Posted
15.09.2005 15:57:10
klau, one rule: follow-up posts are added to the thread already started, we don't start a new one.

Did you use the page, remove something, and only now Notepad shows up, or was it appearing earlier already?
Post a new log here again. It looks like we won't get by without pointing out what has to disappear from the disk.
EL NINO
Posted
15.09.2005 01:43:11
klau
Posted:
14.09.2005 18:28:34
Comments:
6