Pliki how_recover, samoistne usuwanie sie programów, zablokowany menedżer zadań...

[pawb0]

Witam,
Mój problem polega na tym że  rano uruchomiłem komputer i zauważyłem że niedość że baaardzo wolno sie uruchamiał to jeszcze strasznie mulił nie dało sie kompletnie nic zrobić.
Próbowałem powyłączać jakieś procesy ale do tego był mi potrzebny menadżer zadań który oczywiście był zablokowany znalazlem na to rozwiązanie w rejestrze, gdy uruchomiłem menadżer zadań było poodpalane pierdyliard procesów iexplorer.exe oraz inne procesy których nazw nie pamiętam.. Zakończyłem wszystkie procesy lecz to nie pomogło w dodatku proces iexplorer.exe na nowo sie uruchamiał co 15 sekund.
Postanowiłem poczyścić trochę dyski lecz zauważyłem że praktycznie w każdym folderze który mam na komputerze jest masa plików o nazwach: how_recover+cmh.html  how_recover+cmh.txt w którym znajduje się taka oto informacja:
http://wklejto.pl/242393
 
Nie mogę również zainstalować żadnego antywirusa (próbowałem avg i avast) wyskakuje błąd, dodam że nie miałem przedtem żadnego antywirusa.
Zapora systemu windows jest wyłączona i przy próbie jej włączenia jest błąd: Zapora systemu Windows nie może zmienić niektórych ustawień. Kod błędu: 0x80070422
Niektóre programy zostały pousuwane takie jak np. google chrome, ccleaner
System to Windows 7  ultimate x86
 
Bardzo proszę o pomoc :/

FRST.txtPobieranie informacji ...

Addition.txtPobieranie informacji ...

Shortcut.txtPobieranie informacji ...

GMER.txtPobieranie informacji ...

[picasso]

System jest w tragicznym stanie: masowo zainfekowany różnymi trojanami oraz adware (w tym patch pliku dnsapi.dll i infekcja ogólna DNS systemowych), programy zabezpieczające są zablokowane na bazie polityk oprogramowania, a Windows w ogóle nieaktualizowany.

 

Niestety mam też niedobre wieści. Te pliki how_recover* oznaczają infekcję szyfrującą dane TeslaCrypt w najnowszym wariancie: KLIK. Twoje pliki zostały zaszyfrowane i mają obecnie rozszerzenie *.vvv. Plików nie da się odkodować.... Jedyne co będzie w mojej gestii, to usunięcie aktywnej infekcji i nabitych przez infekcję plików how_recover*.

 

 

Operacje do przeprowadzenia:

 

1. Otwórz Notatnik i wklej w nim:

 

CloseProcesses:
(Microsoft Corporation) C:\Windows\explorer.exe
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [49408 2007-12-21] (Cherimoya Ltd) [File not signed]
R2 ginoquci; C:\Users\Aramejskie PsP\AppData\Local\Temp\nsc1610.tmp [222208 2007-12-21] () [File not signed]
R2 NetTcpHandler; C:\Users\Aramejskie PsP\AppData\Roaming\NetService\netservice.exe [173088 2015-07-09] ()
R2 nyneryxo; C:\Program Files\E8F0E980-1449267636-81DC-39F9-001D6007944C\hnsmB63D.tmp [134656 2015-12-04] () [File not signed]
R2 roqenufe; C:\Program Files\E8F0E980-1449267636-81DC-39F9-001D6007944C\jnsv9AA4.tmp [307200 2015-12-04] () [File not signed]
R2 SSFK; C:\Program Files\SFK\SSFK.exe [155280 2015-12-04] (TODO: )
R2 sypycuge; C:\Program Files\E8F0E980-1449267636-81DC-39F9-001D6007944C\knshF0DC.tmp [658432 2015-12-06] () [File not signed]
R2 WindowsMangerProtect; C:\ProgramData\Tmp0x0x\ProtectWindowsManager.exe [344232 2015-12-04] (Sysinternals process Explorer) 
U2 avgsvc; "C:\Program Files\AVG\Framework\Common\avgsvcx.exe" [X]
S3 cpuz134; \??\C:\Users\ARAMEJ~1\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
R1 swsedrvr_vt_1_10_0_25; system32\drivers\swsedrvr_vt_1_10_0_25.sys [X]
IFEO\mbam.exe: [Debugger] epdmfji.exe
IFEO\mbamgui.exe: [Debugger] kxemabm.exe
IFEO\MRT.exe: [Debugger] kgmnddmbzri.exe
IFEO\Mrtstub.exe: [Debugger] cyduxutsugs.exe
IFEO\rstrui.exe: [Debugger] gfscokwngcs.exe
SecurityProviders: credssp.dll, AmzoygUjducc.dll
HKLM\...\Run: [sound+] => "C:\Program Files\Sound+\Sound+.exe"
HKLM\...\Run: [rec_en_77] => [X]
HKLM\...\Run: [gmsd_pl_005010165] => [X]
HKLM\...\Run: [gmsd_pl_005010167] => [X]
HKLM\...\Run: [gmsd_pl_005010168] => [X]
HKLM\...\Run: [NetworkChecker] => C:\Users\Aramejskie PsP\AppData\Roaming\Microsoft\Windows\Templates\venktp.exe [1064807 2015-12-06] ()
HKLM\...\Run: [gmsd_pl_005010169] => [X]
HKLM\...\RunOnce: [upgmsd_pl_005010168.exe] => C:\Users\Aramejskie PsP\AppData\Local\gmsd_pl_005010168\upgmsd_pl_005010168.exe [3278512 2015-12-06] ()
HKLM\...\RunOnce: [Windows Update Engine] => C:\ProgramData\Windows Update Engine\3wgwegkm5a.exe [470528 2007-12-21] ()
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\Avira 
HKLM Group Policy restriction on software: C:\Program Files\COMODO 
HKLM Group Policy restriction on software: C:\Program Files\Microsoft Security Client 
HKLM\...\Policies\Explorer\Run: [1245908319] => C:\ProgramData\msnos.exe [313856 2009-07-14] ()
HKLM\...\Policies\Explorer\Run: [638143719] => C:\ProgramData\msrbgbio.exe [102400 2009-07-14] ()
HKLM\...\Policies\Explorer\Run: [1876573201] => C:\ProgramData\msukbv.exe [162304 2007-12-21] ()
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] 
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [Acronis] => C:\Users\Aramejskie PsP\AppData\Roaming\hvskb-bc.exe
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [KdjSaS011arbaaa1z] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1z.exe [259072 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [djSaS011arbaaa1za13a1] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186117711\djSaS011arbaaaa1za13a1.exe [260608 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [KdjSaS011arbaaa1za13a] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1za13a.exe [260608 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [KdjSaS011ar] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011ar.exe [259584 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [KdjSaS011arh] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arh.exe [311808 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [KdjSaS011arhaaa] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe [259072 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [djSaS01121za13a1a] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611127711\djSaS011a12a13a1a.exe [262144 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [a12121zq] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186171411\854561araaq.exe [264192 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [we121za13a1ab] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623451\we1a12a13a1ab.exe [264192 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [we121za13a1abab] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511\we1a12a13a1abavb.exe [291840 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [we121za13a1abab1] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623145111\we1a12a13a1abavb1.exe [290816 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [Windows Update Engine] => C:\ProgramData\Windows Update Engine\3wgwegkm5a.exe [470528 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [AQworks] => C:\Users\Aramejskie PsP\AppData\Local\AQworks\KB00258656.exe [167936 2007-12-21] (DVDVideoSoft Ltd.)
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [bcdsserv] => C:\Users\Aramejskie PsP\AppData\Roaming\Certnect\authesvc.exe
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [YbPack] => regsvr32.exe "C:\Users\Aramejskie PsP\AppData\Local\YbPack\jdlriwcn.dll" 
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [YfkPack] => C:\Windows\System32\regsvr32.exe "C:\Users\Aramejskie PsP\AppData\Local\AQworks\fjxcixtq.dll"
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [we121za13a1abab1ab] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511111\we1a12a13a1abavb1ab.exe [309248 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Run: [we121za13a1abab1a] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186231451111\we1a12a13a1abavb1a.exe [313856 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [KdjSaS011arbaaa1z] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1z.exe [259072 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [KdjSaS011arhaaa] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arhaaaa.exe [259072 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [djSaS011arbaaa1za13a1] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186117711\djSaS011arbaaaa1za13a1.exe [260608 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [KdjSaS011arbaaa1za13a] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arbaaaa1za13a.exe [260608 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [we121za13a1ab] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623451\we1a12a13a1ab.exe [264192 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [KdjSaS011ar] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011ar.exe [259584 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [djSaS01121za13a1a] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611127711\djSaS011a12a13a1a.exe [262144 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [KdjSaS011arh] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771\KdjSaS011arh.exe [311808 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [a12121zq] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186171411\854561araaq.exe [264192 2015-12-06] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [we121za13a1abab1] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18623145111\we1a12a13a1abavb1.exe [290816 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [we121za13a1abab] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511\we1a12a13a1abavb.exe [291840 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [we121za13a1abab1ab] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1862314511111\we1a12a13a1abavb1ab.exe [309248 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\RunOnce: [we121za13a1abab1a] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-186231451111\we1a12a13a1abavb1a.exe [313856 2007-12-21] ()
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\CurrentVersion\Windows: [Load] C:\PROGRA~2\msnos.exe 
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...\MountPoints2: {7a652b40-af4f-11dc-8934-806e6f6e6963} - G:\SETUP.EXE
HKU\S-1-5-21-4007559694-3794498742-1702077847-1002\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Aramejskie PsP\AppData\Local\AQworks\gbkwevrv.dll ATTENTION! ====> ZeroAccess?
CustomCLSID: HKU\S-1-5-21-4007559694-3794498742-1702077847-1002_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 -> C:\Users\Aramejskie PsP\AppData\Local\AQworks\gbkwevrv.dll ()
Startup: C:\Users\Aramejskie PsP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST6UNST Uninstaller.LNK [2007-12-21]
Task: {1CFF9393-2E8C-48B3-B7A5-89915CED6E8A} - System32\Tasks\RegClean Pro_DEFAULT => C:\Program Files\RCP\RegCleanPro.exe 
Task: {357BF60E-CD5E-4B50-98FE-6C1808BBF87B} - System32\Tasks\{F5942225-B64B-4BF9-8AD3-03AAF9886671} => pcalua.exe -a "C:\Users\Aramejskie PsP\AppData\Roaming\yoursearching\UninstallManager.exe" -c -ptid=face
Task: {7891D619-6EAC-412D-9BE3-DB0A22F57984} - System32\Tasks\RegClean Pro_UPDATES => C:\Program Files\RCP\RegCleanPro.exe 
Task: {7B557CA1-B408-4ADC-9C2F-6A1A95ABD941} - System32\Tasks\Girwhyka => C:\PROGRA~1\GROOVE~1\Ufigys.bat
Task: {B9B624F2-8241-4A4E-9435-8C71AFCE2C44} - System32\Tasks\SmartWeb Upgrade Trigger Task => C:\Users\Aramejskie PsP\AppData\Local\SmartWeb\SmartWebHelper.exe 
Task: {C0122447-7E61-4BDB-8663-C9409ADCBA74} - System32\Tasks\{3ADE5C10-33C6-434A-9C82-ED0665008D25} => pcalua.exe -a "C:\Users\Aramejskie PsP\AppData\Roaming\mysites123\UninstallManager.exe" -c -ptid=amt
Task: {FB162231-74F0-4380-B557-15299DC4BC27} - System32\Tasks\RegClean Pro => C:\Program Files\RCP\RegCleanPro.exe 
Task: C:\Windows\Tasks\RegClean Pro_DEFAULT.job => C:\Program Files\RCP\RegCleanPro.exe 
Task: C:\Windows\Tasks\RegClean Pro_UPDATES.job => C:\Program Files\RCP\RegCleanPro.exe 
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.mysites123.com/?type=sc&ts=1449266897&z=c393f8356b294b209f17ae0g2zdz0t0o0qfq0b1m2t&from=amt&uid=WDCXWD3200BEVT-60A23T0_WD-WXL1A90H1351H1351
DeleteKey: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
RemoveDirectory: C:\Program Files\AVG
RemoveDirectory: C:\Program Files\E8F0E980-1449267636-81DC-39F9-001D6007944C
RemoveDirectory: C:\Program Files\Opera
RemoveDirectory: C:\Program Files\SFK
RemoveDirectory: C:\Program Files\Wooden Seal
RemoveDirectory: C:\Program Files\Common Files\Steam
RemoveDirectory: C:\ProgramData\Avg
RemoveDirectory: C:\ProgramData\CreativeAudio
RemoveDirectory: C:\ProgramData\Tmp0x0x
RemoveDirectory: C:\ProgramData\Windows Update Engine
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GAMESDESKTOP
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegClean Pro
RemoveDirectory: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
RemoveDirectory: C:\RECYCLER
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\AvgSetupLog
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Avg
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\AQworks
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Camera Plugin
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\CEF
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\E8F0E980-1449271314-81DC-39F9-001D6007944C
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\GeometryDash
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\gmsd_pl_005010168
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Opera Software
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Steam
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\YbPack
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\BrowserMe
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\Certnect
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\mysites123
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\NetService
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\Opera Software
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\shortCutStore
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage
C:\ProgramData\@system.temp
C:\ProgramData\@system3.att
C:\ProgramData\fb19r8t.2koqu
C:\ProgramData\j3ymz.7yyn
C:\ProgramData\jsvef3g8x0.e3s4r
C:\ProgramData\mscxoz.exe
C:\ProgramData\msnos.exe
C:\ProgramData\msrbgbio.exe
C:\ProgramData\msukbv.exe
C:\ProgramData\oyqij0.4x
C:\ProgramData\y16w2.s1
C:\ProgramData\zj63ef.ej2
C:\Users\Aramejskie PsP\AppData\Local\4zsfk3.0b
C:\Users\Aramejskie PsP\AppData\Local\541g3q.2o5
C:\Users\Aramejskie PsP\AppData\Local\Apps\barldt9b.05u
C:\Users\Aramejskie PsP\AppData\Roaming\½Ó
C:\Users\Aramejskie PsP\AppData\Roaming\Microsoft\Windows\Templates\venktp.exe
C:\Windows\system32\AmzoygUjducc.dll
C:\Windows\system32\Giqdulti.dll
C:\Windows\system32\history.dat
C:\Windows\system32\roboot.exe
C:\Windows\System32\drivers\cherimoya.sys
C:\Windows\system32\drivers\etc\hp.bak
CMD: netsh winsock reset
CMD: attrib -r -h -s C:\how_recover* /s
CMD: attrib -r -h -s C:\HELP_YOUR_FILES* /s
CMD: attrib -r -h -s D:\how_recover* /s
CMD: attrib -r -h -s D:\HELP_YOUR_FILES* /s
CMD: del /q /s C:\how_recover*
CMD: del /q /s C:\HELP_YOUR_FILES*
CMD: del /q /s D:\how_recover*
CMD: del /q /s D:\HELP_YOUR_FILES*
CMD: dir /a C:\
CMD: dir /a "C:\Program Files"
CMD: dir /a "C:\Program Files\Common Files"
CMD: dir /a C:\ProgramData
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\Local"
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\LocalLow"
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\Roaming"
CMD: dir /a D:\
EmptyTemp:

 

Adnotacja dla innych czytających: skrypt unikatowy - dopasowany tylko i wyłącznie pod ten system, proszę nie stosować na swoich systemach.

 

Z menu Notatnika > Plik > Zapisz jako > wprowadź nazwę fixlist.txt > Kodowanie zmień na UTF-8

 

Plik fixlist.txt umieść obok narzędzia FRST. Przejdź w Tryb awaryjny Windows. Uruchom FRST i kliknij w Napraw (Fix). Czekaj cierpliwie, nie przerywaj działania. Gdy Fix ukończy pracę, nastąpi restart, opuść Tryb awaryjny. W tym samym katalogu skąd uruchamiano FRST powstanie plik fixlog.txt.

 

2. Uruchom RepairDNS. Poczekaj aż narzędzie ukończy działanie. Powstanie raport RepairDNS.txt.

 

3. Panel sterowania > Sieć i internet > Centrum sieci i udostępniania > z boku klik w Zmień ustawienia karty sieciowej > w folderze połączeń prawoklik na każde połączenie po kolei > Właściwości > zmień adresy DNS wg instrukcji: KLIK.

 

4. Zrób nowe logi: FRST z opcji Skanuj (Scan) - ponownie z Addition, ale bez Shortcut - oraz GMER. Dołącz też pliki fixlog.txt + RepairDNS.txt. Przy czym fixlog będzie ogromny ze względu na rekursywne usuwanie z wszystkich dysków plików infekcji. W związku z tym shostuj ten plik na jakimś zewnętrznym serwisie nie-wklejkowym i podaj do niego link.

 

 

PS. Odpowiadasz mi już w nowym poście.

[pawb0]

Operacja wydaje sie na zakończoną pomyślnie

 FIXLOG:

http://www.speedyshare.com/jfvEd/Fixlog.txt

 

FRST.txtPobieranie informacji ...

GMER.txtPobieranie informacji ...

Addition.txtPobieranie informacji ...

RepairDNS.txtPobieranie informacji ...

[picasso]

Poprzednie logi FRST były tworzone na systemie mającym poprawny czas, choć zauważyłam, że niektóre pliki mają strasznie stare datowanie, mimo że na pewno były tworzone świeżo, co sugerowało że data była cofana. Obecnie masz nieprawidłowy czas komputera, dlatego logi FRST pokazują masę zbędnych danych sprzed kilku lat:

Ran by Aramejskie PsP (administrator) on ARABSKAPATELNIA (21-12-2007 00:06:57)

Ustaw ponownie poprawny czas komputera i zrób nowe raporty FRST (FRST.txt + Addition.txt).

[pawb0]

Problem w tym że nieważne czy ustawie raz czas to przy ponownym uruchomieniu komputera czas się zmieni do 2007...

I mam jeszcze jedno pytanie jak przywrócić ten system do porządku żeby nie było takich sytuacji no i żeby jednak zaktualizować tego windowsa chce zrobić już porządnie żeby mieć spokój

[picasso]

Problem z datą to pewnie problem sprzętowy, tzn. bateria BIOS padła i do wymiany. Na razie ustaw czas w Windows, by nowe logi FRST zrobione zostały z prawidłowego kontekstu czasowego (i będziesz musiał czas korygować przed uruchomieniem innych narzędzi). I tu jeszcze nie koniec sprzątania systemu, ale czekam na nowe logi. Zapomniałam poprzednio napisać, dorzuć mi jeszcze log z Farbar Service Scanner.

[pawb0]

Logi z obecną datą i z Farbar Service Scanner

 

Problem z przestawianiem się klawiatury z "z" na "y" to też przez baterie w biosie? bo ctrl + shift tylko pomaga ale na jednorazowe uruchomienie laptopa

P.S ciężko będzie wymienić baterie biosa w starodawnym laptopie

FRST.txtPobieranie informacji ...

Addition.txtPobieranie informacji ...

FSS.txtPobieranie informacji ...

[picasso]

Wszystko zostało wykonane, infekcje usunięte, teraz już tylko cyzelowanie. Kolejne poprawki:

 

1. Odinstaluj zbędny Adobe Flash Player 19 NPAPI, to wersja dla Firefox, którego tu nie ma. Przeinstaluj także Google Chrome od zera, gdyż było poszkodowane przez adware:

• Upewnij się, że nie masz włączonej synchronizacji, w razie czego wykonaj Opcję 2: KLIK.
• Jeśli potrzebne, wyeksportuj zakładki: CTRL+SHIFT+O > Organizuj > Eksportuj zakładki do pliku HTML.
• Odinstaluj Google Chrome. Przy deinstalacji zaznacz Usuń także dane przeglądarki.
• Zainstaluj najnowszą wersję Google Chrome: KLIK.

2. Start > w polu szukania wpisz cmd > z prawokliku Uruchom jako Administrator > wklej komendę i ENTER:

 

sfc /scannow

 

Gdy komenda ukończy działanie:

 

3. Otwórz Notatnik i wklej w nim:

 

S3 Steam Client Service; "C:\Program Files\Common Files\Steam\SteamService.exe" /RunAsService [X]
RemoveDirectory: C:\FRST\Quarantine
RemoveDirectory: C:\found.000
RemoveDirectory: C:\ProgramData\Microsoft\Windows\WER\ReportArchive
RemoveDirectory: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\SmartWeb
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Tempfolder
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Microsoft\Feeds Cache
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Microsoft\Windows\WER\ReportArchive
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Microsoft\Windows\WER\ReportQueue
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\LocalLow\Company
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\LocalLow\Sun\Java\Deployment\cache
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\ChromeUpdServeis
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\FoucnYbuiw
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\istartpageing
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\Macromedia
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Roaming\RunDir
RemoveDirectory: C:\Windows\system32\dyka
RemoveDirectory: D:\$RECYCLE.BIN
Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall /t REG_DWORD /d 0x1 /f
Reg: reg add HKLM\SYSTEM\CurrentControlSet\services\wuauserv /v ImagePath /t REG_EXPAND_SZ /d "^%systemroot^%\system32\svchost.exe -k netsvcs" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /f
CMD: attrib -h "C:\Users\Aramejskie PsP\AppData\Roaming\*"
CMD: del /q "C:\Users\Aramejskie PsP\AppData\Roaming\*"
CMD: del /q "C:\Users\Aramejskie PsP\AppData\Local\Apps\8df46qrdf.5r"
CMD: del /q "C:\Users\Aramejskie PsP\Documents\4hw4w59.gv74"
CMD: del /q "C:\Users\Aramejskie PsP\Documents\5l2s8j2.y6n"
CMD: del /q "C:\Users\Aramejskie PsP\Documents\dq3tcem.8ww"
CMD: del /q "C:\Users\Aramejskie PsP\Documents\w60odudr9n.r6z69"
CMD: del /q "C:\Users\Aramejskie PsP\Documents\xq5xbo4u.cpn0"
CMD: del /q "C:\Users\Aramejskie PsP\Downloads\9ylfu6o6.exe"
CMD: del /q C:\Users\Public\Documents\2x1x7.1vele
CMD: del /q C:\Users\Public\Documents\52l8z1b5.q9
CMD: del /q C:\Users\Public\Documents\558yr.thw2s
CMD: del /q C:\Users\Public\Documents\hylj1cpv6o.x2t6g
CMD: del /q C:\Users\Public\Documents\i1tdqm.9r
CMD: del /q C:\Windows\system32\Giqdulti.ini
CMD: del /q C:\Windows\system32\GiqdultiOff.ini
CMD: del /q "C:\Windows\system32\Number of results"
CMD: del /q D:\cn82hor.l4st
CMD: ipconfig /flushdns
CMD: sc config BITS start= auto
CMD: sc config MpsSvc start= auto
CMD: sc config WinDefend start= demand
CMD: sc config wscsvc start= delayed-auto
CMD: sc config wuauserv start= auto
CMD: netsh advfirewall reset
CMD: findstr /c:"[sR]" %windir%\logs\cbs\cbs.log
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\Local\Google"
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\Local\VirtualStore"
Reg: reg query HKEY_CURRENT_USER\Software
Reg: reg query HKEY_LOCAL_MACHINE\SOFTWARE
Reboot:

 

Plik zapisz pod nazwą fixlist.txt (tym razem nie trzeba w UTF-8) i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix).Nastąpi restart. Powstanie kolejny fixlog.txt.

 

4. Popraw datę komputera. Zrób nowy log FRST z opcji Skanuj (Scan), bez Addition i Shortcut, oraz Farbar Service Scanner. Dołącz też plik fixlog.txt.

 

 

 

  Cytat

Problem z przestawianiem się klawiatury z "z" na "y" to też przez baterie w biosie? bo ctrl + shift tylko pomaga ale na jednorazowe uruchomienie laptopa

Czy w Panelu sterowania masz ustawiony układ klawiatury Polski (Programisty) jako domyślny?

[pawb0]

Podczas skanowania SFC wystąpił jakiś błąd przy 79%.

Log CBS:

http://www.speedyshare.com/xCUe8/CBS.log

 

Miałem złe ustawienia z klawiaturą faktycznie, już jest okej

Fixlog.txtPobieranie informacji ...

FRST.txtPobieranie informacji ...

[picasso]

W skrypcie FRST było już zadane drukowanie wyników:

 

CMD: findstr /c:"[sR]" %windir%\logs\cbs\cbs.log

 

 

  Pokaż ukrytą zawartość

 

========= findstr /c:"[sR]" %windir%\logs\cbs\cbs.log =========
 

2007-12-21 00:04:57, Info CSI 00000009 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:04:57, Info CSI 0000000a [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:03, Info CSI 0000000c [sR] Verify complete

2007-12-21 00:05:03, Info CSI 0000000d [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:03, Info CSI 0000000e [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:09, Info CSI 00000010 [sR] Verify complete

2007-12-21 00:05:09, Info CSI 00000011 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:09, Info CSI 00000012 [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:14, Info CSI 00000014 [sR] Verify complete

2007-12-21 00:05:14, Info CSI 00000015 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:14, Info CSI 00000016 [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:19, Info CSI 00000018 [sR] Verify complete

2007-12-21 00:05:20, Info CSI 00000019 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:20, Info CSI 0000001a [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:24, Info CSI 0000001c [sR] Verify complete

2007-12-21 00:05:24, Info CSI 0000001d [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:24, Info CSI 0000001e [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:31, Info CSI 00000020 [sR] Verify complete

2007-12-21 00:05:32, Info CSI 00000021 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:32, Info CSI 00000022 [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:37, Info CSI 00000024 [sR] Verify complete

2007-12-21 00:05:37, Info CSI 00000025 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:37, Info CSI 00000026 [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:42, Info CSI 00000028 [sR] Verify complete

2007-12-21 00:05:42, Info CSI 00000029 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:42, Info CSI 0000002a [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:47, Info CSI 0000002c [sR] Verify complete

2007-12-21 00:05:47, Info CSI 0000002d [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:47, Info CSI 0000002e [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:53, Info CSI 00000030 [sR] Verify complete

2007-12-21 00:05:53, Info CSI 00000031 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:53, Info CSI 00000032 [sR] Beginning Verify and Repair transaction

2007-12-21 00:05:57, Info CSI 00000034 [sR] Verify complete

2007-12-21 00:05:58, Info CSI 00000035 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:05:58, Info CSI 00000036 [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:00, Info CSI 00000038 [sR] Verify complete

2007-12-21 00:06:01, Info CSI 00000039 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:01, Info CSI 0000003a [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:07, Info CSI 0000003c [sR] Verify complete

2007-12-21 00:06:07, Info CSI 0000003d [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:07, Info CSI 0000003e [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:17, Info CSI 00000040 [sR] Verify complete

2007-12-21 00:06:18, Info CSI 00000041 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:18, Info CSI 00000042 [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:25, Info CSI 00000045 [sR] Verify complete

2007-12-21 00:06:25, Info CSI 00000046 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:25, Info CSI 00000047 [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:32, Info CSI 0000004a [sR] Verify complete

2007-12-21 00:06:32, Info CSI 0000004b [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:32, Info CSI 0000004c [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:39, Info CSI 00000051 [sR] Verify complete

2007-12-21 00:06:39, Info CSI 00000052 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:39, Info CSI 00000053 [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:45, Info CSI 00000055 [sR] Verify complete

2007-12-21 00:06:46, Info CSI 00000056 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:46, Info CSI 00000057 [sR] Beginning Verify and Repair transaction

2007-12-21 00:06:55, Info CSI 0000005b [sR] Verify complete

2007-12-21 00:06:55, Info CSI 0000005c [sR] Verifying 100 (0x00000064) components

2007-12-21 00:06:55, Info CSI 0000005d [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:08, Info CSI 00000067 [sR] Verify complete

2007-12-21 00:07:09, Info CSI 00000068 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:09, Info CSI 00000069 [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:15, Info CSI 0000006b [sR] Verify complete

2007-12-21 00:07:16, Info CSI 0000006c [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:16, Info CSI 0000006d [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:24, Info CSI 0000006f [sR] Verify complete

2007-12-21 00:07:24, Info CSI 00000070 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:24, Info CSI 00000071 [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:32, Info CSI 00000073 [sR] Verify complete

2007-12-21 00:07:32, Info CSI 00000074 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:32, Info CSI 00000075 [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:39, Info CSI 00000077 [sR] Verify complete

2007-12-21 00:07:39, Info CSI 00000078 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:39, Info CSI 00000079 [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:46, Info CSI 0000007b [sR] Verify complete

2007-12-21 00:07:46, Info CSI 0000007c [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:46, Info CSI 0000007d [sR] Beginning Verify and Repair transaction

2007-12-21 00:07:52, Info CSI 0000007f [sR] Verify complete

2007-12-21 00:07:52, Info CSI 00000080 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:07:52, Info CSI 00000081 [sR] Beginning Verify and Repair transaction

2007-12-21 00:08:02, Info CSI 00000083 [sR] Verify complete

2007-12-21 00:08:03, Info CSI 00000084 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:08:03, Info CSI 00000085 [sR] Beginning Verify and Repair transaction

2007-12-21 00:08:15, Info CSI 00000089 [sR] Verify complete

2007-12-21 00:08:16, Info CSI 0000008a [sR] Verifying 100 (0x00000064) components

2007-12-21 00:08:16, Info CSI 0000008b [sR] Beginning Verify and Repair transaction

2007-12-21 00:08:30, Info CSI 0000008d [sR] Verify complete

2007-12-21 00:08:31, Info CSI 0000008e [sR] Verifying 100 (0x00000064) components

2007-12-21 00:08:31, Info CSI 0000008f [sR] Beginning Verify and Repair transaction

2007-12-21 00:08:48, Info CSI 00000091 [sR] Verify complete

2007-12-21 00:08:48, Info CSI 00000092 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:08:48, Info CSI 00000093 [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:04, Info CSI 00000095 [sR] Verify complete

2007-12-21 00:09:04, Info CSI 00000096 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:04, Info CSI 00000097 [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:10, Info CSI 00000099 [sR] Verify complete

2007-12-21 00:09:10, Info CSI 0000009a [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:10, Info CSI 0000009b [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:16, Info CSI 0000009d [sR] Verify complete

2007-12-21 00:09:16, Info CSI 0000009e [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:16, Info CSI 0000009f [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:19, Info CSI 000000a1 [sR] Verify complete

2007-12-21 00:09:19, Info CSI 000000a2 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:19, Info CSI 000000a3 [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:22, Info CSI 000000a5 [sR] Verify complete

2007-12-21 00:09:22, Info CSI 000000a6 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:22, Info CSI 000000a7 [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:26, Info CSI 000000a9 [sR] Verify complete

2007-12-21 00:09:27, Info CSI 000000aa [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:27, Info CSI 000000ab [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:42, Info CSI 000000c9 [sR] Verify complete

2007-12-21 00:09:42, Info CSI 000000ca [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:42, Info CSI 000000cb [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:46, Info CSI 000000cd [sR] Verify complete

2007-12-21 00:09:46, Info CSI 000000ce [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:46, Info CSI 000000cf [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:48, Info CSI 000000d1 [sR] Verify complete

2007-12-21 00:09:49, Info CSI 000000d2 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:49, Info CSI 000000d3 [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:54, Info CSI 000000d5 [sR] Verify complete

2007-12-21 00:09:54, Info CSI 000000d6 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:54, Info CSI 000000d7 [sR] Beginning Verify and Repair transaction

2007-12-21 00:09:58, Info CSI 000000d9 [sR] Verify complete

2007-12-21 00:09:59, Info CSI 000000da [sR] Verifying 100 (0x00000064) components

2007-12-21 00:09:59, Info CSI 000000db [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:07, Info CSI 000000dd [sR] Verify complete

2007-12-21 00:10:08, Info CSI 000000de [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:08, Info CSI 000000df [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:18, Info CSI 000000e1 [sR] Verify complete

2007-12-21 00:10:18, Info CSI 000000e2 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:18, Info CSI 000000e3 [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:22, Info CSI 000000e5 [sR] Verify complete

2007-12-21 00:10:22, Info CSI 000000e6 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:22, Info CSI 000000e7 [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:25, Info CSI 000000e9 [sR] Verify complete

2007-12-21 00:10:25, Info CSI 000000ea [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:25, Info CSI 000000eb [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:29, Info CSI 000000ed [sR] Verify complete

2007-12-21 00:10:29, Info CSI 000000ee [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:29, Info CSI 000000ef [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:37, Info CSI 000000f1 [sR] Verify complete

2007-12-21 00:10:38, Info CSI 000000f2 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:38, Info CSI 000000f3 [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:45, Info CSI 000000f5 [sR] Verify complete

2007-12-21 00:10:45, Info CSI 000000f6 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:45, Info CSI 000000f7 [sR] Beginning Verify and Repair transaction

2007-12-21 00:10:52, Info CSI 000000f9 [sR] Verify complete

2007-12-21 00:10:53, Info CSI 000000fa [sR] Verifying 100 (0x00000064) components

2007-12-21 00:10:53, Info CSI 000000fb [sR] Beginning Verify and Repair transaction

2007-12-21 00:11:01, Info CSI 000000fd [sR] Verify complete

2007-12-21 00:11:01, Info CSI 000000fe [sR] Verifying 100 (0x00000064) components

2007-12-21 00:11:01, Info CSI 000000ff [sR] Beginning Verify and Repair transaction

2007-12-21 00:11:19, Info CSI 0000011d [sR] Verify complete

2007-12-21 00:11:19, Info CSI 0000011e [sR] Verifying 100 (0x00000064) components

2007-12-21 00:11:19, Info CSI 0000011f [sR] Beginning Verify and Repair transaction

2007-12-21 00:11:27, Info CSI 00000129 [sR] Verify complete

2007-12-21 00:11:27, Info CSI 0000012a [sR] Verifying 100 (0x00000064) components

2007-12-21 00:11:27, Info CSI 0000012b [sR] Beginning Verify and Repair transaction

2007-12-21 00:11:38, Info CSI 0000012d [sR] Verify complete

2007-12-21 00:11:39, Info CSI 0000012e [sR] Verifying 100 (0x00000064) components

2007-12-21 00:11:39, Info CSI 0000012f [sR] Beginning Verify and Repair transaction

2007-12-21 00:12:10, Info CSI 00000131 [sR] Verify complete

2007-12-21 00:12:10, Info CSI 00000132 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:12:10, Info CSI 00000133 [sR] Beginning Verify and Repair transaction

2007-12-21 00:12:20, Info CSI 00000135 [sR] Verify complete

2007-12-21 00:12:20, Info CSI 00000136 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:12:20, Info CSI 00000137 [sR] Beginning Verify and Repair transaction

2007-12-21 00:12:23, Info CSI 00000139 [sR] Cannot repair member file [l:32{16}]"msoobeui.dll.mui" of Microsoft-Windows-OOBE-Machine-UI.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:12:35, Info CSI 0000013c [sR] Cannot repair member file [l:32{16}]"msoobeui.dll.mui" of Microsoft-Windows-OOBE-Machine-UI.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:12:35, Info CSI 0000013d [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:12:35, Info CSI 00000140 [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:32{16}]"msoobeui.dll.mui"; source file in store is also corrupted

2007-12-21 00:12:35, Info CSI 00000142 [sR] Verify complete

2007-12-21 00:12:35, Info CSI 00000143 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:12:35, Info CSI 00000144 [sR] Beginning Verify and Repair transaction

2007-12-21 00:12:47, Info CSI 00000146 [sR] Verify complete

2007-12-21 00:12:47, Info CSI 00000147 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:12:47, Info CSI 00000148 [sR] Beginning Verify and Repair transaction

2007-12-21 00:12:55, Info CSI 0000014a [sR] Verify complete

2007-12-21 00:12:56, Info CSI 0000014b [sR] Verifying 100 (0x00000064) components

2007-12-21 00:12:56, Info CSI 0000014c [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:01, Info CSI 0000014e [sR] Verify complete

2007-12-21 00:13:01, Info CSI 0000014f [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:01, Info CSI 00000150 [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:09, Info CSI 00000152 [sR] Verify complete

2007-12-21 00:13:09, Info CSI 00000153 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:09, Info CSI 00000154 [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:13, Info CSI 00000156 [sR] Verify complete

2007-12-21 00:13:13, Info CSI 00000157 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:13, Info CSI 00000158 [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:19, Info CSI 0000015b [sR] Verify complete

2007-12-21 00:13:20, Info CSI 0000015c [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:20, Info CSI 0000015d [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:23, Info CSI 0000015f [sR] Verify complete

2007-12-21 00:13:24, Info CSI 00000160 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:24, Info CSI 00000161 [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:34, Info CSI 00000163 [sR] Cannot repair member file [l:34{17}]"windeploy.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:34, Info CSI 00000165 [sR] Cannot repair member file [l:32{16}]"WinLGDep.dll.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:34, Info CSI 00000167 [sR] Cannot repair member file [l:26{13}]"audit.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:34, Info CSI 00000169 [sR] Cannot repair member file [l:26{13}]"setup.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:34, Info CSI 0000016b [sR] Cannot repair member file [l:32{16}]"W32UIRes.dll.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:34, Info CSI 0000016d [sR] Cannot repair member file [l:32{16}]"winsetup.dll.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:34, Info CSI 0000016f [sR] Cannot repair member file [l:30{15}]"oobeldr.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 00000171 [sR] Cannot repair member file [l:34{17}]"windeploy.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 00000172 [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 00000174 [sR] Cannot repair member file [l:32{16}]"WinLGDep.dll.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 00000175 [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 00000177 [sR] Cannot repair member file [l:26{13}]"audit.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 00000178 [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 0000017a [sR] Cannot repair member file [l:26{13}]"setup.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 0000017b [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 0000017d [sR] Cannot repair member file [l:32{16}]"W32UIRes.dll.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 0000017e [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 00000180 [sR] Cannot repair member file [l:32{16}]"winsetup.dll.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 00000181 [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 00000183 [sR] Cannot repair member file [l:30{15}]"oobeldr.exe.mui" of Microsoft-Windows-Setup-Component.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:13:40, Info CSI 00000184 [sR] This component was referenced by [l:262{131}]"Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385.Windows Foundation Language Pack"

2007-12-21 00:13:40, Info CSI 00000187 [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:34{17}]"windeploy.exe.mui"; source file in store is also corrupted

2007-12-21 00:13:40, Info CSI 0000018a [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:32{16}]"WinLGDep.dll.mui"; source file in store is also corrupted

2007-12-21 00:13:40, Info CSI 0000018d [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:26{13}]"audit.exe.mui"; source file in store is also corrupted

2007-12-21 00:13:40, Info CSI 00000190 [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:26{13}]"setup.exe.mui"; source file in store is also corrupted

2007-12-21 00:13:40, Info CSI 00000193 [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:32{16}]"W32UIRes.dll.mui"; source file in store is also corrupted

2007-12-21 00:13:40, Info CSI 00000196 [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:32{16}]"winsetup.dll.mui"; source file in store is also corrupted

2007-12-21 00:13:40, Info CSI 00000199 [sR] Could not reproject corrupted file [ml:520{260},l:68{34}]"\??\C:\Windows\System32\oobe\en-US"\[l:30{15}]"oobeldr.exe.mui"; source file in store is also corrupted

2007-12-21 00:13:47, Info CSI 0000019b [sR] Verify complete

2007-12-21 00:13:48, Info CSI 0000019c [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:48, Info CSI 0000019d [sR] Beginning Verify and Repair transaction

2007-12-21 00:13:58, Info CSI 0000019f [sR] Verify complete

2007-12-21 00:13:58, Info CSI 000001a0 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:13:58, Info CSI 000001a1 [sR] Beginning Verify and Repair transaction

2007-12-21 00:14:03, Info CSI 000001a3 [sR] Cannot repair member file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:03, Info CSI 000001a5 [sR] Cannot repair member file [l:24{12}]"spwizres.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:09, Info CSI 000001a8 [sR] Cannot repair member file [l:24{12}]"spwizimg.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:09, Info CSI 000001a9 [sR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385.WindowsFoundationDelivery"

2007-12-21 00:14:09, Info CSI 000001ab [sR] Cannot repair member file [l:24{12}]"spwizres.dll" of Microsoft-Windows-Setup-Navigation-Wizard-Framework, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:09, Info CSI 000001ac [sR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385.WindowsFoundationDelivery"

2007-12-21 00:14:10, Info CSI 000001af [sR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"spwizimg.dll"; source file in store is also corrupted

2007-12-21 00:14:10, Info CSI 000001b2 [sR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"spwizres.dll"; source file in store is also corrupted

2007-12-21 00:14:12, Info CSI 000001b4 [sR] Verify complete

2007-12-21 00:14:13, Info CSI 000001b5 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:14:13, Info CSI 000001b6 [sR] Beginning Verify and Repair transaction

2007-12-21 00:14:16, Info CSI 000001b8 [sR] Verify complete

2007-12-21 00:14:17, Info CSI 000001b9 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:14:17, Info CSI 000001ba [sR] Beginning Verify and Repair transaction

2007-12-21 00:14:26, Info CSI 000001bc [sR] Verify complete

2007-12-21 00:14:27, Info CSI 000001bd [sR] Verifying 100 (0x00000064) components

2007-12-21 00:14:27, Info CSI 000001be [sR] Beginning Verify and Repair transaction

2007-12-21 00:14:34, Info CSI 000001c0 [sR] Verify complete

2007-12-21 00:14:34, Info CSI 000001c1 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:14:34, Info CSI 000001c2 [sR] Beginning Verify and Repair transaction

2007-12-21 00:14:34, Info CSI 000001c4 [sR] Cannot repair member file [l:24{12}]"W32UIRes.dll" of Microsoft-Windows-Setup-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:34, Info CSI 000001c6 [sR] Cannot repair member file [l:18{9}]"Setup.exe" of Microsoft-Windows-Setup-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:35, Info CSI 000001c8 [sR] Cannot repair member file [l:24{12}]"winsetup.dll" of Microsoft-Windows-Setup-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:44, Info CSI 000001ca [sR] Cannot repair member file [l:24{12}]"W32UIRes.dll" of Microsoft-Windows-Setup-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:44, Info CSI 000001cb [sR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385.WindowsFoundationDelivery"

2007-12-21 00:14:44, Info CSI 000001cd [sR] Cannot repair member file [l:18{9}]"Setup.exe" of Microsoft-Windows-Setup-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:44, Info CSI 000001ce [sR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385.WindowsFoundationDelivery"

2007-12-21 00:14:44, Info CSI 000001d0 [sR] Cannot repair member file [l:24{12}]"winsetup.dll" of Microsoft-Windows-Setup-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch

2007-12-21 00:14:44, Info CSI 000001d1 [sR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385.WindowsFoundationDelivery"

2007-12-21 00:14:44, Info CSI 000001d4 [sR] Could not reproject corrupted file [ml:520{260},l:56{28}]"\??\C:\Windows\System32\oobe"\[l:24{12}]"W32UIRes.dll"; source file in store is also corrupted

2007-12-21 00:14:44, Info CSI 000001d7 [sR] Could not reproject corrupted file [ml:520{260},l:56{28}]"\??\C:\Windows\System32\oobe"\[l:18{9}]"Setup.exe"; source file in store is also corrupted

2007-12-21 00:14:44, Info CSI 000001da [sR] Could not reproject corrupted file [ml:520{260},l:56{28}]"\??\C:\Windows\System32\oobe"\[l:24{12}]"winsetup.dll"; source file in store is also corrupted

2007-12-21 00:14:48, Info CSI 000001dd [sR] Verify complete

2007-12-21 00:14:49, Info CSI 000001de [sR] Verifying 100 (0x00000064) components

2007-12-21 00:14:49, Info CSI 000001df [sR] Beginning Verify and Repair transaction

2007-12-21 00:14:57, Info CSI 000001e1 [sR] Verify complete

2007-12-21 00:14:58, Info CSI 000001e2 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:14:58, Info CSI 000001e3 [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:03, Info CSI 000001e5 [sR] Verify complete

2007-12-21 00:15:04, Info CSI 000001e6 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:04, Info CSI 000001e7 [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:13, Info CSI 000001e9 [sR] Verify complete

2007-12-21 00:15:14, Info CSI 000001ea [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:14, Info CSI 000001eb [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:20, Info CSI 000001ed [sR] Verify complete

2007-12-21 00:15:20, Info CSI 000001ee [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:20, Info CSI 000001ef [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:26, Info CSI 000001f2 [sR] Verify complete

2007-12-21 00:15:27, Info CSI 000001f3 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:27, Info CSI 000001f4 [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:36, Info CSI 000001f6 [sR] Verify complete

2007-12-21 00:15:36, Info CSI 000001f7 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:36, Info CSI 000001f8 [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:42, Info CSI 000001fa [sR] Verify complete

2007-12-21 00:15:42, Info CSI 000001fb [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:42, Info CSI 000001fc [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:50, Info CSI 000001fe [sR] Verify complete

2007-12-21 00:15:51, Info CSI 000001ff [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:51, Info CSI 00000200 [sR] Beginning Verify and Repair transaction

2007-12-21 00:15:57, Info CSI 00000203 [sR] Verify complete

2007-12-21 00:15:58, Info CSI 00000204 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:15:58, Info CSI 00000205 [sR] Beginning Verify and Repair transaction

2007-12-21 00:16:06, Info CSI 00000208 [sR] Verify complete

2007-12-21 00:16:07, Info CSI 00000209 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:16:07, Info CSI 0000020a [sR] Beginning Verify and Repair transaction

2007-12-21 00:16:14, Info CSI 0000020c [sR] Verify complete

2007-12-21 00:16:14, Info CSI 0000020d [sR] Verifying 100 (0x00000064) components

2007-12-21 00:16:14, Info CSI 0000020e [sR] Beginning Verify and Repair transaction

2007-12-21 00:16:23, Info CSI 00000210 [sR] Verify complete

2007-12-21 00:16:24, Info CSI 00000211 [sR] Verifying 100 (0x00000064) components

2007-12-21 00:16:24, Info CSI 00000212 [sR] Beginning Verify and Repair transaction
 

========= End of CMD: =========

 

 

 

Wyniki Fixlog opowiadają, że zostały wykryte określone naruszenia i nie zostały naprawione z powodu braku poprawnych kopii w systemie. Nie jestem pewna czy akurat te naruszenia mają wielkie znaczenie pod kątem ewentualnej aktualizacji systemu do SP1 i jest sens inwestować w to czas, bowiem ich naprawa wymaga dużego nakładu pracy i dostarczenia identycznych wersji plików z mojego systemu. Z tym, że skan wyłożył się i nie dokończył, więc nie wiadomo ile jeszcze jest naruszeń. Na pewno jest uszkodzony plik Windows Defender widoczny w logu FRST jako niesygnowany i to pod jego kątem zadałam skan SFC, choć właśnie przerwany skan SFC nie pokazuje go.

 

Na razie powyższy wątek pomijam, za wyjątkiem pliku Windows Defender. Kolejne doczyszczanie. Otwórz Notatnik i wklej w nim:

 

DeleteKey: HKCU\Software\{4FFCCBC4-1FF0-4C6A-9C13-2325AE62457E}
DeleteKey: HKCU\Software\24F05F77F660991E
DeleteKey: HKCU\Software\DailyPcClean
DeleteKey: HKCU\Software\Local AppWizard-Generated Applications
DeleteKey: HKCU\Software\MozillaPlugins
DeleteKey: HKCU\Software\Opera Software
DeleteKey: HKCU\Software\Reg\Clean
DeleteKey: HKCU\Software\Reimage
DeleteKey: HKCU\Software\spaceplus
DeleteKey: HKCU\Software\systweak
DeleteKey: HKCU\Software\tstamptoken
DeleteKey: HKCU\Software\Tutorials
DeleteKey: HKCU\Software\TutoTag
DeleteKey: HKCU\Software\Valve
DeleteKey: HKCU\Software\YbPack
DeleteKey: HKCU\Software\zsys
DeleteKey: HKLM\SOFTWARE\Apple Inc.
DeleteKey: HKLM\SOFTWARE\AVG
DeleteKey: HKLM\SOFTWARE\im-dosearch
DeleteKey: HKLM\SOFTWARE\Motorola
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\mysites123Software
DeleteKey: HKLM\SOFTWARE\NetTcpHandler
DeleteKey: HKLM\SOFTWARE\NtSvcHandler
DeleteKey: HKLM\SOFTWARE\Opera Software
DeleteKey: HKLM\SOFTWARE\Reg\Clean
DeleteKey: HKLM\SOFTWARE\Reimage
DeleteKey: HKLM\SOFTWARE\SmdmF
DeleteKey: HKLM\SOFTWARE\Sonic
DeleteKey: HKLM\SOFTWARE\SoundPlus
DeleteKey: HKLM\SOFTWARE\SwiftSearch_1.10.0.25
DeleteKey: HKLM\SOFTWARE\Systweak
DeleteKey: HKLM\SOFTWARE\Tutorials
DeleteKey: HKLM\SOFTWARE\Valve
DeleteKey: HKLM\SOFTWARE\Yahoo
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Google\Chrome Cleanup Tool
RemoveDirectory: C:\Users\Aramejskie PsP\AppData\Local\Google\CrashReports
CMD: del /q "C:\Users\Aramejskie PsP\AppData\Local\Google\w9oln4g4x5.1fjev"
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\Local\Google\Chrome"
CMD: dir /a "C:\Users\Aramejskie PsP\AppData\Local\Google\Chrome\User Data"
CMD: netsh advfirewall reset
CMD: sfc /scanfile="C:\Program Files\Windows Defender\mpsvc.dll"
Reg: reg query HKCU\Software\AppDataLow\Software

 

Plik zapisz pod nazwą fixlist.txt i umieść obok narzędzia FRST. Uruchom FRST i kliknij w Napraw (Fix). Przedstaw wynikowy fixlog.txt.

[pawb0]

nowy log

Fixlog.txtPobieranie informacji ...

[picasso]

Nie wygląda na to, by sfc skierowany na plik Windows Defender go naprawił. Poproszę o spis kopii pliku. Uruchom FRST, w polu Szukaj wklep mpsvc.dll, klik w Szukaj plików i dostarcz wynikowy log.

[pawb0]

Prosze

Search.txtPobieranie informacji ...

[picasso]

Wszystkie kopie Windows Defender są uszkodzone, a uszkodzenie wyląda na ingerencję malware (pliki mają atrybut ukryty). Podmiana plików musi się odbyć z zewnątrz, nie spod Windows, by obejść problem uprawnień Akcja:

 

1. Przesyłam plik Windows Defender: KLIK. Rozpakuj, folder przenieś wprost na C:\, czyli ma być dostępna taka oto ścieżka: C:\Pliki zawierająca bibliotekę MpSvc.dll. Otwórz Notatnik i wklej w nim:

 

CMD: copy /y C:\Pliki\MpSvc.dll C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_579306edb982ae36\MpSvc.dll
CMD: copy /y C:\Pliki\MpSvc.dll C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpSvc.dll
CMD: copy /y C:\Pliki\MpSvc.dll "C:\Program Files\Windows Defender\MpSvc.dll"

 

Plik zapisz pod nazwą fixlist.txt. Plik ten razem z FRST przenieś wprost na C:\.

 

2. F8 przy starcie komputera > Napraw komputer > Wiersz polecenia > uruchom zodnie z instrukcją FRST: KLIK. Kliknij w Napraw (Fix). Na C:\ powstanie fixlog.txt.

 

3. Zaloguj się z powrotem do Windows i przedstaw w/w log.

[pawb0]

Nowy log.

Fixlog.txtPobieranie informacji ...

[picasso]

Uruchom z poziomu środowiska "Napraw komputer" skrypt o zmodyfikowanej treści:

 

Unlock: C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_579306edb982ae36\MpSvc.dll
Unlock: C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpSvc.dll
Unlock: C:\Program Files\Windows Defender\MpSvc.dll
CMD: copy /y C:\Pliki\MpSvc.dll C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_579306edb982ae36\MpSvc.dll
CMD: copy /y C:\Pliki\MpSvc.dll C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpSvc.dll
CMD: copy /y C:\Pliki\MpSvc.dll "C:\Program Files\Windows Defender\MpSvc.dll"

 

Przedstaw wynikowy Fixlog.txt.

[pawb0]

acces denied...

Fixlog (1).txtPobieranie informacji ...

[picasso]

Zastosuj ten skrypt w zamian:

 

Replace: C:\Pliki\MpSvc.dll C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_579306edb982ae36\MpSvc.dll
Replace: C:\Pliki\MpSvc.dll C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpSvc.dll
Replace: C:\Pliki\MpSvc.dll C:\Program Files\Windows Defender\MpSvc.dll

 

Przedstaw wynikowy Fixlog.txt.

[pawb0]

Chyba się udało

Fixlog (2).txtPobieranie informacji ...

[picasso]

Skoro oporne pliki Windows Defender pomyślnie podstawione, to teraz ponów skan SFC i sprawdź czy się ukończy, poprzednio doszedł tylko do 79%.

[picasso]

Obecnie pliki TeslaCrypt w wersji 2 (rozszerzenia .vvv, .ccc, .zzz, .aaa, .abc, .xyz) jest w stanie odkodować jedno z tych narzędzi: TeslaDecoder * lub Trend Micro TeslacryptDecryptor.

 

* Wymagana dość mozolna ręczna procedura odzysku prywatnego klucza, szczegółowo rozpisana w pliku Instructions.html.

Edytowane 11 Lipca 2016 przez picasso
Temat zostaje zamknięty z powodu braku odpowiedzi. //picasso