Problem with the taskbar disappearing
Hello
Unfortunately I have a problem again, and again it concerns Spy Sheriff/WinFix showing up. I don't have those programs on the computer, but I have other problems:
Here they are:
1) When I try to open various forums (e.g. yours; right now I'm writing from another computer), Allegro pages and a few others, I simply can't. A blank white page shows up and that's it.
2) Every ten to several tens of seconds the taskbar disappears and the desktop refreshes, and as a result whatever folder or file is open gets closed, which makes it hard for me to fight these viruses, because as soon as I find something the folder closes on me.
Here is my log from HijackThis:
Logfile of HijackThis v1.98.2
Scan saved at 19:12:53, on 2005-11-11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\windows\system32\mdms.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User1\Moje dokumenty\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
Regards
Replies: 18
As for the keyboard, if it has a PS/2 adapter (it should come in the package), there's no problem with connecting it via USB. And that program is WinFixer.
I didn't tell you to install the console, after all; it was enough to run it once from the system CD.
To remove it now you have to:
- Delete the Cmdcons folder and the Cmldr file directly from the system partition.
- Remove the line with Recovery Console in its name from boot.ini.
By the way, that keyboard is a bit of a pain: you can't get into the BIOS and switch, for example, to booting from CD-ROM, and that's probably why you installed it.
What kind of keyboard is it? USB or some other wonder?
Is that program that got installed WinFixer?
OK, I've already done something using my own methods, and it's good now; at least Explorer is fine now and doesn't restart every moment :)
But there's a snag... I installed the Recovery Console, and now when the computer starts I have to choose in the OS selection menu between Win XP and the Recovery Console. And here's the catch: my keyboard only switches on once the system has loaded, so until then the keyboard is dead. I managed Safe Mode somehow, because I set it through Run -> msconfig, but I don't know how to deal with the console.
Besides, WinFix has crept in somewhere :( but I'll deal with that somehow.
Does anyone have a suggestion for solving this?
Regards
There's also Stydler on top of that, and most likely it's the one, together with Repsamo, killing Explorer.
1. Open Notepad and paste into it:
cd C:\Windows\system32
attrib -r -s -h mdms.exe
attrib -r -s -h st3.dll
attrib -r -s -h winacpi.dll
attrib -r -s -h lsd_f3.dll
attrib -r -s -h nuclabdll.dll
attrib -r -s -h tcpG4T.dll
del mdms.exe
del st3.dll
del winacpi.dll
del lsd_f3.dll
del nuclabdll.dll
del tcpG4T.dll
cd C:\Windows
attrib -r -s -h adsldpbd.dll
attrib -r -s -h q43912062.dll
attrib -r -s -h q4433062.dll
del adsldpbd.dll
del q43912062.dll
del q4433062.dll
exit
Save it in the C:\Windows folder as fix.bat
2. Notepad again, and this time paste:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysMemory manager"=-

; BHOs are registered as subkeys of Browser Helper Objects, so they are removed as keys
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{826B2228-BC09-49F2-B5F8-42CE26B1B712}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5E2121EE-0300-11D4-8D3B-444553540000}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B212D577-05B7-4963-911E-4A8588160DFA}"=-
"{7A7E6D97-B492-4884-9ABB-C31281DCC4F2}"=-
"{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gggg]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nuclabdll]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style2]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style32]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpG4T]

[-HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\sysacpildap]
Save it anywhere as fix.reg
Run the Recovery Console and type: batch fix.bat
Now boot into Safe Mode and merge that reg into the registry.
For now this is a rough removal of that junk. There are probably other keys in the registry created by them, but they're harmless. We'll deal with removing those later if the above helps.
Only some individual files get deleted, the rest can't be :( I tried with that program, and a window with an "x" pops up.
Help me, because I'm going mad seeing that 3/4 of pages don't load and Explorer keeps restarting :( I don't know what else I can do... I tried deleting in Safe Mode, it doesn't work; I tried 100 ways with other tools, that doesn't work either.
PendingFileRenameOperations Registry Data has been removed by External process!
Beyond that, only iMeshBar showed up, and it gets removed.
See the names of the *.dll libraries in the frame? Find every one listed there on the disk and delete them. If you have trouble, help yourself with Pocket Killbox using the "delete on reboot" option.
Go one by one to the keys shown first between the gaps and delete the subkeys/values from them. If there are problems, write and some kind of fix will get made... maybe.
But how am I supposed to delete it? I think Silent Runners only generates a log? Sorry, but I'm a bit green at this stuff :/
Oh, here's the full log:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HydarVisionDesktopManager" = (empty string)
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"CloneCDElbyCDFL" = ""C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL" ["Elaborate Bytes AG"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe" ["HP"]
"Agent" = "C:\Program Files\CyberLink\PowerVCRII\Agent.exe" ["CyberLink"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"Anti-Blaxx Manager" = "C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"SysMemory manager" = "c:\windows\system32\mdms.exe" [MS]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\(Default) = "C:\WINDOWS\system32\st3.dll" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
{826B2228-BC09-49F2-B5F8-42CE26B1B712}\(Default) = "C:\WINDOWS\adsldpbd.dll" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\adsldpbd.dll" [null data]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577-05B7-4963-911E-4A8588160DFA}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q43912062.dll" [file not found]
INFECTION WARNING! "{7A7E6D97-B492-4884-9ABB-C31281DCC4F2}" = "style 2"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q4433062.dll" [null data]
INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! f3dsl\DLLName = "lsd_f3.dll" [file not found]
INFECTION WARNING! gggg\DLLName = "C:\WINDOWS\adsldpbd.dll" [null data]
INFECTION WARNING! nuclabdll\DLLName = "nuclabdll.dll" [** WMI GetObject error **]
INFECTION WARNING! st3\DLLName = "C:\WINDOWS\system32\st3.dll" [null data]
INFECTION WARNING! style2\DLLName = "C:\WINDOWS\q43912062.dll" [file not found]
INFECTION WARNING! style32\DLLName = "C:\WINDOWS\q4433062.dll" [null data]
INFECTION WARNING! tcpG4T\DLLName = "tcpG4T.dll" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\User1\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\SKYROC~1.SCR" (SKYROCKET.SCR) [null data]
Startup items in "User1" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"ZoneAlarm Pro" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe -nopopup" [file not found]
"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]
Enabled Scheduled Tasks:
------------------------
"FRU Task #Hewlett-Packard#Deskjet#5550" -> launches: "C:\Program Files\Hewlett-Packard\upapp\hpqfruv.exe -I "#Hewlett-Packard#Deskjet#5550"" [file not found]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5345A7A9-805A-4923-B505-86B2FEBA3FE0}" = "iMeshBar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL" ["iMesh"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" [null data]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt06\Driver = "hpzlnt06.dll" ["HP"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 146 seconds, including 4 seconds for message boxes)
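The helper's fix.bat/fix.reg post and the Silent Runners log above are two halves of the same job: reading the log for entries that point at unverifiable DLLs in autostart locations (Winlogon\Notify packages, SharedTaskScheduler hooks, Browser Helper Objects), then undoing those registrations with .reg deletion syntax. The script below is an added example for this thread, not code from the forum, from Silent Runners or from HijackThis: it parses the log layout posted above, reports what Silent Runners itself tagged "INFECTION WARNING!" plus any high-value entry whose DLL shows "[null data]", "[file not found]" or a WMI error, lists the files behind them, and renders the matching .reg removal entries. The sample log is a constructed excerpt modelled on the poster's lines; the location list and the tag heuristic are my assumptions, not part of either tool.

```python
"""Triage a Silent Runners log for suspicious autostart entries.

Added example for this thread; not code from the forum, Silent Runners or
HijackThis. Parses the posted log layout (a key line, then "name = value
[tag]" entries, then "-> {CLSID}\\InProcServer32" resolution lines), keeps
entries the script tagged "INFECTION WARNING!" or that sit in a high-value
autostart location with an unverifiable DLL, and renders removal entries
in the same .reg syntax the helper's fix.reg uses ('"name"=-' deletes a
value, '[-key]' deletes a key). HIGH_VALUE and UNVERIFIED are assumptions.
"""
import re

# Constructed excerpt modelled on lines from the poster's Silent Runners log.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"SysMemory manager" = "c:\windows\system32\mdms.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\(Default) = "C:\WINDOWS\system32\st3.dll" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577-05B7-4963-911E-4A8588160DFA}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q43912062.dll" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! gggg\DLLName = "C:\WINDOWS\adsldpbd.dll" [null data]
INFECTION WARNING! st3\DLLName = "C:\WINDOWS\system32\st3.dll" [null data]
'''

# Locations where an unverifiable DLL is worth a look on its own (assumption).
HIGH_VALUE = (r"\Winlogon\Notify", r"\Explorer\SharedTaskScheduler",
              r"\Explorer\Browser Helper Objects")
# Silent Runners tags meaning the file is missing or carries no version info.
UNVERIFIED = {"null data", "file not found", "** WMI GetObject error **"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

ENTRY_RE = re.compile(r'^(?P<warn>INFECTION WARNING! )?'
                      r'(?P<name>"[^"]*"|[^\s=]+)\s*=\s*'
                      r'(?P<value>.*?)\s*(?:\[(?P<tag>[^\]]*)\])?$')
RESOLVED_RE = re.compile(r'= "(?P<dll>[^"]*)" \[(?P<tag>[^\]]*)\]$')


def parse_log(text):
    """Return one dict per autostart entry, with its resolved DLL if listed."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HK") and line.endswith(("\\", "{++}")):
            key = line.replace("{++}", "").strip().rstrip("\\")
            continue
        if line.startswith(("->", "\u2013>")) and entries:  # InProcServer32 line
            m = RESOLVED_RE.search(line)
            if m:
                entries[-1].update(dll=m["dll"], dll_tag=m["tag"])
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({"key": key,
                            "name": m["name"].strip('"').split("\\")[0],
                            "value": m["value"].strip('"'),
                            "tag": m["tag"],
                            "warned": m["warn"] is not None,
                            "dll": None, "dll_tag": None})
    return entries


def triage(entries):
    """Keep entries the tool warned about, or unverifiable ones in HIGH_VALUE."""
    findings = []
    for e in entries:
        high = e["key"].endswith(HIGH_VALUE)
        tag = e["dll_tag"] or e["tag"]
        if e["warned"] or (high and tag in UNVERIFIED):
            findings.append(e)
    return findings


def files_to_check(findings):
    """Unique on-disk paths behind the findings (what the helper says to hunt)."""
    return sorted({e["dll"] or e["value"] for e in findings})


def reg_removal(findings):
    """Render .reg text undoing the flagged registrations.

    Winlogon\\Notify packages and BHOs are registered as subkeys, so they need
    the "[-key]" form; SharedTaskScheduler and Run entries are values ("=-").
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in findings:
        hive, _, path = e["key"].partition("\\")
        full = HIVES.get(hive, hive) + "\\" + path
        if full.endswith(("\\Winlogon\\Notify", "\\Browser Helper Objects")):
            lines += ["[-{}\\{}]".format(full, e["name"]), ""]
        else:
            lines += ["[{}]".format(full), '"{}"=-'.format(e["name"]), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for e in found:
        print("{:<70} {} [{}]".format(e["key"], e["name"], e["dll_tag"] or e["tag"]))
    print("\nFiles to locate and remove:", *files_to_check(found), sep="\n  ")
    print("\n" + reg_removal(found))
```

Two caveats the log itself illustrates. The company tag in square brackets comes from the file's version resource and is trivially forged: the "SysMemory manager" entry under Run shows "[MS]" yet points at mdms.exe, the very file the helper's fix.bat deletes, so the Run key still needs a manual read. And the rendered .reg is a draft to review, not something to merge blind; the two-step order the helper gives (files from the Recovery Console first, keys from Safe Mode afterwards) exists because the Winlogon\Notify DLLs are loaded into winlogon.exe and cannot be deleted while it runs.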
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" [null data]
Print Monitors:
–––––––––––––––
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt06\Driver = "hpzlnt06.dll" ["HP"]
––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
–––––––––– (total run time: 146 seconds, including 4 seconds for message boxes)
The script hasn't finished producing the log and I have the impression that something more will show up further on; for now:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"SysMemory manager" = "c:\windows\system32\mdms.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1B68470C–2DEF–493B–8A4A–8E2D81BE4EA5}\(Default) = "C:\WINDOWS\system32\st3.dll" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
{826B2228–BC09–49F2–B5F8–42CE26B1B712}\(Default) = "C:\WINDOWS\adsldpbd.dll" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\adsldpbd.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E2121EE–0300–11D4–8D3B–444553540000}" = "st"
–> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577–05B7–4963–911E–4A8588160DFA}" = "Memory monitor"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q43912062.dll" [file not found]
INFECTION WARNING! "{7A7E6D97–B492–4884–9ABB–C31281DCC4F2}" = "style 2"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q4433062.dll" [null data]
INFECTION WARNING! "{1B68470C–2DEF–493B–8A4A–8E2D81BE4EA5}" = "st3"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! f3dsl\DLLName = "lsd_f3.dll" [file not found]
INFECTION WARNING! gggg\DLLName = "C:\WINDOWS\adsldpbd.dll" [null data]
INFECTION WARNING! nuclabdll\DLLName = "nuclabdll.dll" [** WMI GetObject error **]
INFECTION WARNING! st3\DLLName = "C:\WINDOWS\system32\st3.dll" [null data]
INFECTION WARNING! style2\DLLName = "C:\WINDOWS\q43912062.dll" [file not found]
INFECTION WARNING! style32\DLLName = "C:\WINDOWS\q4433062.dll" [null data]
INFECTION WARNING! tcpG4T\DLLName = "tcpG4T.dll" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
sysacpildap\(Default) = "{5E2121EE–0300–11D4–8D3B–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
I probably don't need to explain what should happen to the entries and files listed above?
Use this first -> http://forum.centrumxp.pl/viewtopic.php?p=217572#217572
okayyy... in that case, here are the search results:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu–Gadu" = ""C:\Program Files\Gadu–Gadu\gg.exe" /tray" ["sms–express.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HydarVisionDesktopManager" = (empty string)
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"CloneCDElbyCDFL" = ""C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL" ["Elaborate Bytes AG"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe" ["HP"]
"Agent" = "C:\Program Files\CyberLink\PowerVCRII\Agent.exe" ["CyberLink"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 –k" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"Anti–Blaxx Manager" = "C:\Program Files\Anti–Blaxx\Anti–Blaxx.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"SysMemory manager" = "c:\windows\system32\mdms.exe" [MS]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1B68470C–2DEF–493B–8A4A–8E2D81BE4EA5}\(Default) = "C:\WINDOWS\system32\st3.dll" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
{826B2228–BC09–49F2–B5F8–42CE26B1B712}\(Default) = "C:\WINDOWS\adsldpbd.dll" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\adsldpbd.dll" [null data]
{A5366673–E8CA–11D3–9CD9–0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9–F592–4862–B35F–CA45E24003B3}" = "CloneCD"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{0006F045–0000–0000–C000–000000000046}" = "Microsoft Outlook Custom Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{32020A01–506E–484D–A2A8–BE3CF17601C3}" = "AlcoholShellEx"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD–5A07–4D91–97F5–A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\K–Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{5E2121EE–0300–11D4–8D3B–444553540000}" = "st"
–> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
"{A5110426–177D–4e08–AB3F–785F10B4439C}" = "My Phones"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{A70C977A–BF00–412C–90B7–034C51DA2439}" = "NvCpl DesktopContext Class"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0–306A–11d3–8BD1–00104B6F7516}" = "Play on my TV helper"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949–8F65–4355–8456–263E7C208A5D}" = "Desktop Explorer"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A47}" = "Desktop Explorer Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A48}" = "nView Desktop Context Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577–05B7–4963–911E–4A8588160DFA}" = "Memory monitor"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q43912062.dll" [file not found]
INFECTION WARNING! "{7A7E6D97–B492–4884–9ABB–C31281DCC4F2}" = "style 2"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q4433062.dll" [null data]
INFECTION WARNING! "{1B68470C–2DEF–493B–8A4A–8E2D81BE4EA5}" = "st3"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! f3dsl\DLLName = "lsd_f3.dll" [file not found]
INFECTION WARNING! gggg\DLLName = "C:\WINDOWS\adsldpbd.dll" [null data]
INFECTION WARNING! nuclabdll\DLLName = "nuclabdll.dll" [** WMI GetObject error **]
INFECTION WARNING! st3\DLLName = "C:\WINDOWS\system32\st3.dll" [null data]
INFECTION WARNING! style2\DLLName = "C:\WINDOWS\q43912062.dll" [file not found]
INFECTION WARNING! style32\DLLName = "C:\WINDOWS\q4433062.dll" [null data]
INFECTION WARNING! tcpG4T\DLLName = "tcpG4T.dll" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
sysacpildap\(Default) = "{5E2121EE–0300–11D4–8D3B–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
I'd really appreciate some help...
This is what has been described in many threads -> http://forum.centrumxp.pl/viewtopic.php?t=33140
I just tried in safe mode... 3 files, mdms.exe, winacpi.dll and... one more, which I know is unnecessary... and it still can't be deleted :(
And Silent Runner... what is that? :P
mdms.exe - Repsamo. Explorer crashing is precisely its "doing".
Post a Silent Runners log, because there are other surprises in the registry too.
MarcinX, long time no see. Where have you been while you were away? :wink:
BTW, this will probably have to be moved to the Security section.
Fyllin: it again concerns the appearance of Spy Sheriff/Win Fix.
I must have misread and took it for granted that you also want to get rid of Anti-Blaxx.exe :wink:
And as for mdms.exe, can't it be removed manually in safe mode either?
It has to.
Well yes, but Anti-Blaxx is a program I installed myself; it has been running for quite a while and bothers no one. mdms.exe, on the other hand, can't be deleted from the disk, and stopping it in HijackThis has no effect: the file keeps coming back.
Get rid of this
C:\windows\system32\mdms.exe
C:\Program Files\Anti–Blaxx\Anti–Blaxx.exe
O4 – HKLM\..\Run: [Anti–Blaxx Manager] C:\Program Files\Anti–Blaxx\Anti–Blaxx.exe
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe