Explorer not starting after system boot, what else
The problem appeared after removing SpySheriff with the ArcaOnline program. I can log in and run programs, but there is no desktop, taskbar, etc. I did everything that is written in the FAQ http://forum.centrumxp.pl/viewtopic.php?t=29728#faq29, and I also replaced userinit (because after logging in Windows Explorer starts, after closing it an empty desktop remains, and after running userinit.exe from the Task Manager Explorer appears again, so I suspected that file had been altered). I tried to replace winlogon.exe, but a message pops up: Cannot open output file.
Explorer.exe, userinit and winlogon in the registry are OK, as given in the FAQ.
In the Task Manager the Users tab is empty (?). That is, in short (and a bit chaotically ;)), a description of the state of my system.
I took the ex_ files from the i386 directory on drive C:, not from the installation CD; I don't know whether that matters.
Please suggest some way to repair this.
Logs below:
Logfile of HijackThis v1.99.1
Scan saved at 05:31:52, on 2006-01-07
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\centrala\Ustawienia lokalne\temp\Katalog tymczasowy 8 dla hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TERMINARZ.lnk = C:\Program Files\CONTEC\Telbaza2\Sched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135187544437
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F72CABE-FFAD-4761-96D4-01CA1772A789}: NameServer = 192.168.174.20
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"1" = "C:\WINDOWS\System32\service\explorer.exe" [MS]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"WinVNC" = ""C:\Program Files\TightVNC\WinVNC.exe" -servicehelper" ["AT&T Research Labs Cambridge"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.0\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{5CDEF874-B193-11D5-9C8F-0020AF16D64A}" = "PROInfTip Object"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROinf.dll" ["DpS CAD-center ApS"]
"{B39B63C3-B26B-11D5-9C92-0020AF16D64A}" = "TPROProp Object"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROprop.dll" ["DpS CAD-center ApS"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{AD142906-7DFF-4D29-A33B-C9D870E38E99}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\cUrds.dll" [file not found]
"{909AE410-F579-4021-9601-8198FF1CCFAA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
gyssq\(Default) = "{0dc149b4-c31e-410a-ade3-b021127f9423}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\gmqql.dll" [file not found]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Startup items in "centrala" & "All Users" startup folders:
----------------------------------------------------------
C:\Documents and Settings\centrala\Menu Start\Programy\Autostart
"TERMINARZ" -> shortcut to: "C:\Program Files\CONTEC\Telbaza2\Sched.exe" [null data]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
HOSTS file
----------
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\WINDOWS\nsdb"
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]
Publikowanie za pomocą usługi FTP, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
LPR Port\Driver = "lprmon.dll" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 77 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 26 seconds.
---------- (total run time: 159 seconds)
Replies: 7
Well yes, but I have already replaced it (in normal and safe mode, without a restore). It doesn't help.
To start with, I recommend replacing Explorer.exe.
Unfortunately the same; I corrected the data path to C:\windows\system32\drivers\etc.
Logs
Logfile of HijackThis v1.99.1
Scan saved at 06:42:07, on 2006-01-28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\centrala\Ustawienia lokalne\temp\Katalog tymczasowy 12 dla hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TERMINARZ.lnk = C:\Program Files\CONTEC\Telbaza2\Sched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135187544437
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F72CABE-FFAD-4761-96D4-01CA1772A789}: NameServer = 192.168.174.20
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"WinVNC" = ""C:\Program Files\TightVNC\WinVNC.exe" -servicehelper" ["AT&T Research Labs Cambridge"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.0\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{5CDEF874-B193-11D5-9C8F-0020AF16D64A}" = "PROInfTip Object"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROinf.dll" ["DpS CAD-center ApS"]
"{B39B63C3-B26B-11D5-9C92-0020AF16D64A}" = "TPROProp Object"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROprop.dll" ["DpS CAD-center ApS"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Startup items in "centrala" & "All Users" startup folders:
----------------------------------------------------------
C:\Documents and Settings\centrala\Menu Start\Programy\Autostart
"TERMINARZ" -> shortcut to: "C:\Program Files\CONTEC\Telbaza2\Sched.exe" [null data]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]
Publikowanie za pomocą usługi FTP, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
LPR Port\Driver = "lprmon.dll" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 26 seconds.
---------- (total run time: 126 seconds)
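Added here as an illustration, not part of the original posts and not code from HijackThis or Silent Runners: a small Python triage script that picks out the persistence points seen in the two logs in this thread (the extra autostart under Policies\Explorer\Run, the relocated HOSTS DataBasePath, shell objects whose DLL is missing, and the O23 service flagged "(file missing)") and then compares the before and after logs. The log excerpts inside it are constructed from the logs above, and the "orphan" rule (untitled CLSID or random-named context-menu handler with a missing DLL) is my own heuristic, not a rule of either tool.

```python
"""Triage helper for Silent Runners / HijackThis text logs (added example)."""
import re
from dataclasses import dataclass

# Where the TCP/IP stack expects the HOSTS file; "%SystemRoot%\..." and an
# expanded "C:\WINDOWS\..." prefix both pass, anything else hides a HOSTS file.
HOSTS_DIR_SUFFIX = r"\system32\drivers\etc"


@dataclass(frozen=True, order=True)
class Finding:
    kind: str    # policies-run | hosts-path | orphan-clsid | missing-service
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Scan one log (Silent Runners and/or HijackThis layout) for suspicious entries."""
    findings: list[Finding] = []
    key = ""    # registry key whose values Silent Runners is currently listing
    prev = ""   # previous line: the title line that belongs to a "->" line
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("HK"):
            key = line          # Silent Runners prints the key, then its values
            continue
        # 1. Policies\Explorer\Run: an autostart most tools do not list, used in
        #    this thread to launch a look-alike explorer.exe from a System32 subfolder.
        if r"\policies\explorer\run" in key.lower():
            m = re.match(r'"([^"]*)"\s*=\s*"([^"]*)"', line)
            if m:
                findings.append(Finding("policies-run", m.group(2)))
        # 2. DataBasePath outside drivers\etc means name resolution reads a HOSTS
        #    file the user will never look at.
        m = re.search(r'"DataBasePath"\s*=\s*"([^"]*)"', line)
        if m and not m.group(1).lower().rstrip("\\").endswith(HOSTS_DIR_SUFFIX):
            findings.append(Finding("hosts-path", m.group(1)))
        # 3. Heuristic (my assumption): a CLSID with no title, or a context-menu
        #    handler with a random key name, whose InProcServer32 DLL is missing
        #    is a leftover of a removed infection; titled entries such as
        #    twext.dll are merely stale and are skipped.
        if line.startswith(("->", "–>")) and "[file not found]" in line:
            if "(no title provided)" in prev or "contextmenuhandlers" in key.lower():
                path = re.search(r'=\s*"([^"]*)"', line)
                findings.append(Finding("orphan-clsid", path.group(1)))
        # 4. HijackThis O23 "(file missing)": worth a look, but it is also raised
        #    for an oddly quoted ImagePath (the WinVNC entry in this thread, whose
        #    process is running), so confirm against Running Services before acting.
        if line.startswith("O23") and "(file missing)" in line:
            findings.append(Finding("missing-service", line.split(" - ", 1)[-1]))
        prev = line
    return findings


def compare(before: str, after: str) -> tuple[list[Finding], list[Finding]]:
    """Return (resolved, remaining) findings for two logs of the same machine."""
    old, new = set(triage(before)), set(triage(after))
    return sorted(old - new), sorted(new)


# Constructed excerpts modelled on the two logs in this thread (7 January before
# cleanup, 28 January after); not the full logs.
LOG_BEFORE = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"1" = "C:\WINDOWS\System32\service\explorer.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{AD142906-7DFF-4D29-A33B-C9D870E38E99}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\cUrds.dll" [file not found]
"{909AE410-F579-4021-9601-8198FF1CCFAA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
gyssq\(Default) = "{0dc149b4-c31e-410a-ade3-b021127f9423}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\gmqql.dll" [file not found]
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\WINDOWS\nsdb"
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

LOG_AFTER = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

if __name__ == "__main__":
    resolved, remaining = compare(LOG_BEFORE, LOG_AFTER)
    for f in resolved:
        print("resolved ", f.kind, f.detail)
    for f in remaining:
        print("remaining", f.kind, f.detail)
```

Run against the full logs the output also lists nothing for the "Previous Versions" entries, which is the intended behaviour: a missing DLL alone is not evidence of compromise.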
Niestety to samo, data path poprawiłem na C:windows\system32\drivers\etc.
Logi
Logi
Logfile of HijackThis v1.99.1
Scan saved at 06:42:07, on 2006–01–28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\centrala\Ustawienia lokalne\temp\Katalog tymczasowy 12 dla hijackthis.zip\HijackThis.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.pl
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 – HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\system32\msdxm.ocx
O4 – HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 – HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" –servicehelper
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – Startup: TERMINARZ.lnk = C:\Program Files\CONTEC\Telbaza2\Sched.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\MSMSGS.EXE
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\MSMSGS.EXE
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {17492023–C23A–453E–A040–C7C580BBF700} (Windows Genuine Advantage Validation Tool) – http://go.microsoft.com/fwlink/?linkid=39204
O16 – DPF: {3D8700FB–86A4–4CB4–B738–6F0FC016AC7D} (MainControl Class) – http://arcaonline.arcabit.com/ArcaOnline.cab
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135187544437
O16 – DPF: {92ECE6FA–AC2E–4042–BFAE–0C8608E52A43} (SignActivX Control) – https://www.bph.pl/pi/components/SignActivX.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{3F72CABE–FFAD–4761–96D4–01CA1772A789}: NameServer = 192.168.174.20
O23 – Service: VNC Server (winvnc) – Unknown owner – C:\Program Files\TightVNC\WinVNC.exe" –service (file missing)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"WinVNC" = ""C:\Program Files\TightVNC\WinVNC.exe" –servicehelper" ["AT&T Research Labs Cambridge"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{63542C48–9552–494A–84F7–73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.0\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{5CDEF874–B193–11D5–9C8F–0020AF16D64A}" = "PROInfTip Object"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROinf.dll" ["DpS CAD–center ApS"]
"{B39B63C3–B26B–11D5–9C92–0020AF16D64A}" = "TPROProp Object"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROprop.dll" ["DpS CAD–center ApS"]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{596AB062–B4D2–4215–9F74–E9109B0A8153}" = "Previous Versions Property Page"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C–F208–4981–8353–73CC61AE2783}" = "Previous Versions"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{21569614–B795–46b1–85F4–E737A8DC09AD}" = "Shell Search Band"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2–3396–4527–9D27–04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Startup items in "centrala" & "All Users" startup folders:
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
C:\Documents and Settings\centrala\Menu Start\Programy\Autostart
"TERMINARZ" –> shortcut to: "C:\Program Files\CONTEC\Telbaza2\Sched.exe" [null data]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" –> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE –b –l" [MS]
Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05
Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910–F110–11D2–BB9E–00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]
Publikowanie za pomocą usługi FTP, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" –service" ["AT&T Research Labs Cambridge"]
Print Monitors:
–––––––––––––––
HKLM\System\CurrentControlSet\Control\Print\Monitors\
LPR Port\Driver = "lprmon.dll" [MS]
––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 26 seconds.
–––––––––– (total run time: 126 seconds)
Niestety to samo, data path poprawiłem na C:windows\system32\drivers\etc.
Logi
Logi
Logfile of HijackThis v1.99.1
Scan saved at 06:42:07, on 2006–01–28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\centrala\Ustawienia lokalne\temp\Katalog tymczasowy 12 dla hijackthis.zip\HijackThis.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.pl
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 – HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\system32\msdxm.ocx
O4 – HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 – HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" –servicehelper
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – Startup: TERMINARZ.lnk = C:\Program Files\CONTEC\Telbaza2\Sched.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\MSMSGS.EXE
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\MSMSGS.EXE
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {17492023–C23A–453E–A040–C7C580BBF700} (Windows Genuine Advantage Validation Tool) – http://go.microsoft.com/fwlink/?linkid=39204
O16 – DPF: {3D8700FB–86A4–4CB4–B738–6F0FC016AC7D} (MainControl Class) – http://arcaonline.arcabit.com/ArcaOnline.cab
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135187544437
O16 – DPF: {92ECE6FA–AC2E–4042–BFAE–0C8608E52A43} (SignActivX Control) – https://www.bph.pl/pi/components/SignActivX.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{3F72CABE–FFAD–4761–96D4–01CA1772A789}: NameServer = 192.168.174.20
O23 – Service: VNC Server (winvnc) – Unknown owner – C:\Program Files\TightVNC\WinVNC.exe" –service (file missing)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"WinVNC" = ""C:\Program Files\TightVNC\WinVNC.exe" -servicehelper" ["AT&T Research Labs Cambridge"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.0\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{5CDEF874-B193-11D5-9C8F-0020AF16D64A}" = "PROInfTip Object"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROinf.dll" ["DpS CAD-center ApS"]
"{B39B63C3-B26B-11D5-9C92-0020AF16D64A}" = "TPROProp Object"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\PCSCHE~1\PROprop.dll" ["DpS CAD-center ApS"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Startup items in "centrala" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\centrala\Menu Start\Programy\Autostart
"TERMINARZ" -> shortcut to: "C:\Program Files\CONTEC\Telbaza2\Sched.exe" [null data]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]
Publikowanie za pomocą usługi FTP, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
LPR Port\Driver = "lprmon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 26 seconds.
---------- (total run time: 126 seconds)
Thanks, but I'll only be able to check after my leave, because it's the computer at work ;).
But there's hope again!! :D
The following entries are suitable for removal/correction:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"1" = "C:\WINDOWS\System32\service\explorer.exe" [MS]

"{AD142906-7DFF-4D29-A33B-C9D870E38E99}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\cUrds.dll" [file not found]
"{909AE410-F579-4021-9601-8198FF1CCFAA}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
gyssq\(Default) = "{0dc149b4-c31e-410a-ade3-b021127f9423}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\gmqql.dll" [file not found]

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\WINDOWS\nsdb"
How to fix DataBasePath has been covered several times on the forum.
Explorer may be crashing because of the gmqql library hooked into the context menu. So delete the whole key HKLM\Software\Classes\*\shellex\ContextMenuHandlers\gyssq
What path did you enter in Shell? It should be just Explorer.exe
You delete the fake Explorer from the service directory, just like the other bolded files.
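An added read-only PowerShell audit of the same locations the reply above points at (Winlogon Shell and Userinit, Policies\Explorer\Run, context-menu handlers whose DLL no longer exists, and Tcpip DataBasePath); this is example code, not from the thread, and the expected values are assumptions for a default install under %SystemRoot%.

```powershell
# Added read-only audit of the persistence points named in the reply above; not code from
# the thread. It reports deviations and deletes nothing. Run in an elevated PowerShell.
$findings = @()
# 1. Winlogon: Shell must be exactly "Explorer.exe"; Userinit is assumed to be
#    "<SystemRoot>\system32\userinit.exe," (the trailing comma is normal).
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'Explorer.exe') {
    $findings += "Winlogon\Shell = '$($wl.Shell)' (expected 'Explorer.exe')"
}
$userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($wl.Userinit -ne $userinit) {
    $findings += "Winlogon\Userinit = '$($wl.Userinit)' (expected '$userinit')"
}
# 2. Policies\Explorer\Run: every value here starts at logon, so list them all
#    (the log above had "1" = C:\WINDOWS\System32\service\explorer.exe, a fake Explorer).
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (-not (Test-Path -LiteralPath $run)) { continue }
    $key = Get-Item -LiteralPath $run
    foreach ($name in $key.GetValueNames()) {
        $findings += "$run\$name = $($key.GetValue($name))"
    }
}
# 3. Context-menu handlers whose COM server DLL is missing (gyssq -> gmqql.dll in the log).
#    The key name '*' is literal, hence -LiteralPath throughout.
$handlers = 'HKLM:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers'
foreach ($h in Get-ChildItem -LiteralPath $handlers) {
    $clsid  = "$((Get-ItemProperty -LiteralPath $h.PSPath).'(default)')"
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
    $dll = ''
    if (Test-Path -LiteralPath $server) {
        $dll = [Environment]::ExpandEnvironmentVariables("$((Get-ItemProperty -LiteralPath $server).'(default)')")
    }
    # A bare file name is resolved through the system search path; look in System32 for it.
    if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
    if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
        $findings += "ContextMenuHandlers\$($h.PSChildName): $clsid -> '$dll' [file not found]"
    }
}
# 4. Tcpip DataBasePath must point at drivers\etc; a HOSTS-file hijack moves it elsewhere.
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
if ($tcp.DataBasePath -ne $etc) {
    $findings += "Tcpip\DataBasePath = '$($tcp.DataBasePath)' (expected '$etc')"
}
if ($findings) { $findings | ForEach-Object { "CHECK: $_" } } else { 'No deviations found.' }
```

Each CHECK line names the exact registry location, so it can be compared against the bolded entries before anything is removed by hand.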