Jc-g

Strange message at WinXP startup


I don't know if anyone here has run into the same problem. When I turned on the machine early today, I got a strange message.

"Finner ikke C:Windows\System32\System32.exe. Kontroller at du skrev navnet riktig, og prøv på nytt. Hvis du vil søke etter en fil, klikker du startknappen og deretter Søk"

Strange, this. The machine started much slower than before. I have tested selective startup, loading only system services. Does anyone have suggestions for what I should do?

Link to post

I think this is a virus. I have checked around quite a bit and found this:

When W32.Kwbot.C.Worm runs, it does the following:

Copies itself as one of the following:
%System%\System32.exe
%System%\Cmd32.exe

The attribute of this copy is set to Hidden.

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds one of the following values:
SystemSAS system32.exe
CMD cmd32.exe

to these registry keys:
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\RunOnce

so that the worm runs when you start Windows.

Creates the subkey, krypton, in the registry key:
HKEY_Local_Machine\Software

May change the value data of the value, Shell, in the registry key:
HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

to:
explorer.exe C:\<The file name of the copy of the worm>

For example, the value in this registry key may be changed to:
Shell explorer.exe C:\Windows\system32\cmd32.exe

In this way, the worm runs when you restart Windows 2000/NT/XP.

Creates one of the following folders:
%Windir%\UserTemp
%Windir%\User32

Copies itself into the folder that the worm created in the previous step using many different file names that the worm carried. The attributes of all the copies are set to Hidden.

Some examples of these file names are:
Battlefield1942_bloodpatch.exe
NBA2003_crack.exe
UT2003_keygen.exe
Age of Empires 2 crack.exe
MediaPlayer Update.exe
iMesh 3.7b (beta).exe
KaZaA Speedup 3.6.exe
Download Accelerator Plus 6.1.exe
Network Cable e ADSL Speed 2.0.5.exe
Guitar Chords Library 5.5.exe

Adds the value:
Dir? 012345:%Windir%\UserTemp

or:
Dir? 012345:%Windir%\User32

(NOTE: "?" in these values represents a number that the worm has chosen.)

to these registry keys:
HKEY_Current_User\Software\Kazaa\LocalContent
HKEY_Current_User\Software\iMesh\Client\LocalContent

so that other KaZaA or iMesh users may download the files from the %Windir%\UserTemp or %Windir%\User32 folders.

NOTE: For the worm to spread, it requires the KaZaA or iMesh software be installed on the computer.

Opens two randomly selected TCP and UDP ports to connect to the hacker.

Listens for the commands from the hacker using its own IRC channel. The commands allow the hacker to perform any of the following actions:
Upgrade the worm
Steal the system and network information from your computer and send it to the hacker
Download and execute files
Perform Denial of Service (DoS) attacks against a target, which the hacker selects
Send the worm to other IRC users

Supposedly it's the same as windows32...

Link to post
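
A triage check for the registry indicators listed in the write-up quoted above, added here as an example and not part of the original thread or of the quoted write-up: it scans the text of a .reg export for the autorun values, the Winlogon Shell change, the krypton subkey and the KaZaA/iMesh share entries. The sample export and all function names are constructed for illustration, and the check assumes the stock Winlogon Shell value is Explorer.exe.

```python
import re

# Constructed sample of a .reg export from a suspect machine (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"SystemSAS"="system32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Windows\\system32\\cmd32.exe"
[HKEY_LOCAL_MACHINE\Software\krypton]
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\Windows\\UserTemp"
'''

# Autorun keys and worm file names as listed in the quoted write-up.
AUTORUN = re.compile(r"\\currentversion\\(run|runservices|runonce)$")
WORM_FILES = {"system32.exe", "cmd32.exe"}

def parse_reg(text):
    """Yield (key, name, data) per string value; name is None for the key itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'"(.*?)"="(.*)"$', line)):
            # .reg files escape backslashes in string data; undo that.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_indicators(text):
    """Return (indicator, detail) pairs for entries matching the write-up."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if k == r"hkey_local_machine\software\krypton":
                hits.append(("krypton-subkey", key))
            continue
        d = data.lower()
        if AUTORUN.search(k) and d.split("\\")[-1] in WORM_FILES:
            hits.append(("autorun", f"{key}\\{name}"))
        elif k.endswith(r"\winlogon") and name.lower() == "shell" and d.strip() != "explorer.exe":
            hits.append(("winlogon-shell", data))
        elif k.endswith(r"\localcontent") and re.fullmatch(r"dir\d+", name.lower()) \
                and d.endswith(("\\usertemp", "\\user32")):
            hits.append(("p2p-share", data))
    return hits
```

An export saved by regedit in the "Version 5.00" format is UTF-16 encoded, so decode it to text before passing it to `find_indicators`. Treat hits as leads to inspect by hand, since other software can legitimately set a custom shell.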
