proszę o sprawdzenie loga i moźliwą diagnoze problemu
Witam,
Z oprogramowaniem szkodliwym nie mialem problemu od 2 lat aź do wczoraj...Sciagnełem jakiegos cracka do programu i zaczal mi sie robic syf...Skanowałem skanerami online i oprogramowanei antyspyware–caly czas cos znajduja i wywalaja, ale jak włacze po pewnym czasei to znowu jest to samo. wyskakuje mi mase okienek IE. Dziwną sprawą jest to, źe większośc aplikacji jakby sie wyzerowało,po ich włączeniu wpisywac spowrotem keya (moźe jakas ingerencja w rejestr).Oprócz tego kazda aplikacja która odpalam odpala sie na pełnym ekranie,tak ze nawet nie widze paska na dole–niewiem gdzie to zmienic. SpySweeper którego uźywam,wywala non stop komunikat,źe zostało zablokowane połaczenie ze strona a.d.a.w.a.r.e.com czy cos w tym stylu. Będe bardzo wdzięczny za jakakolwiek pomoc. Dzieki. Poniźej wklejam log'a
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Serv–U\ServUDaemon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wuauclt.exe
C:\torrent\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – URLSearchHook: Search Class – {08C06D61–F1F3–4799–86F8–BE1A89362C85} – C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
F2 – REG:system.ini: UserInit=userinit.exe
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: Easy–WebPrint – {327C2873–E90D–4c37–AA9D–10AC9BABA46C} – C:\Program Files\Canon\Easy–WebPrint\Toolband.dll
O4 – HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 – HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1033
O4 – HKLM\..\Run: [Easy–PrintToolBox] C:\Program Files\Canon\Easy–PrintToolBox\BJPSMAIN.EXE /logon
O4 – HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 – HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [BgMonitor_{79662E04–7C6C–4d9f–84C7–88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 – Global Startup: BlueSoleil.lnk = ?
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Easy–WebPrint Add To Print List – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_AddToList.html
O8 – Extra context menu item: Easy–WebPrint High Speed Print – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_HSPrint.html
O8 – Extra context menu item: Easy–WebPrint Preview – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_Preview.html
O8 – Extra context menu item: Easy–WebPrint Print – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_Print.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 – Extra button: (no name) – {85d1f590–48f4–11d9–9669–0800200c9a66} – %windir%\bdoscandel.exe (file missing)
O9 – Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 – {85d1f590–48f4–11d9–9669–0800200c9a66} – %windir%\bdoscandel.exe (file missing)
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: (no name) – SolidConverterPDF – (no file) (HKCU)
O16 – DPF: {31B7EB4E–8B4B–11D1–A789–00A0CC6651A8} (Cult3D ActiveX Player) – http://www.cult3d.com/download/cult.cab
O16 – DPF: {5D86DDB5–BDF9–441B–9E9E–D4730F4EE499} (BDSCANONLINE Control) – http://www.netsecure.pl/scan8/oscan8.cab
O16 – DPF: {86A88967–7A20–11D2–8EDA–00600818EDB1} (ParallelGraphics Cortona Control) – http://www.parallelgraphics.com/bin/cortvrml.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 – Winlogon Notify: Mixer – sndmixex.dll (file missing)
O20 – Winlogon Notify: msupdate – msupdate32.dll (file missing)
O20 – Winlogon Notify: WRNotifier – C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 – SSODL: SysTray.Exgl – {636821FC–6F5C–2f1b–B164–E67214F678E2} – (no file)
O23 – Service: AntiVir Service (AntiVirService) – H+BEDV Datentechnik GmbH – C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 – Service: Ati HotKey Poller – ATI Technologies Inc. – C:\WINDOWS\System32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: Autodata Limited License Service – Unknown owner – C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 – Service: AntiVir Update (AVWUpSrv) – H+BEDV Datentechnik GmbH, Germany – C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 – Service: BlueSoleil Hid Service – Unknown owner – C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 – Service: Network Monitor – Unknown owner – C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 – Service: O&O CleverCache Pro (OOCleverCache) – O&O Software GmbH – C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
O23 – Service: ScsiAccess – Unknown owner – C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 – Service: Serv–U FTP Server (Serv–U) – Cat Soft – C:\Program Files\Serv–U\ServUDaemon.exe
O23 – Service: StarWind iSCSI Service (StarWindService) – Rocket Division Software – C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 – Service: Webroot Spy Sweeper Engine (svcWRSSSDK) – Webroot Software, Inc. – C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Z oprogramowaniem szkodliwym nie mialem problemu od 2 lat aź do wczoraj...Sciagnełem jakiegos cracka do programu i zaczal mi sie robic syf...Skanowałem skanerami online i oprogramowanei antyspyware–caly czas cos znajduja i wywalaja, ale jak włacze po pewnym czasei to znowu jest to samo. wyskakuje mi mase okienek IE. Dziwną sprawą jest to, źe większośc aplikacji jakby sie wyzerowało,po ich włączeniu wpisywac spowrotem keya (moźe jakas ingerencja w rejestr).Oprócz tego kazda aplikacja która odpalam odpala sie na pełnym ekranie,tak ze nawet nie widze paska na dole–niewiem gdzie to zmienic. SpySweeper którego uźywam,wywala non stop komunikat,źe zostało zablokowane połaczenie ze strona a.d.a.w.a.r.e.com czy cos w tym stylu. Będe bardzo wdzięczny za jakakolwiek pomoc. Dzieki. Poniźej wklejam log'a
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Serv–U\ServUDaemon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wuauclt.exe
C:\torrent\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – URLSearchHook: Search Class – {08C06D61–F1F3–4799–86F8–BE1A89362C85} – C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
F2 – REG:system.ini: UserInit=userinit.exe
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: Easy–WebPrint – {327C2873–E90D–4c37–AA9D–10AC9BABA46C} – C:\Program Files\Canon\Easy–WebPrint\Toolband.dll
O4 – HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 – HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1033
O4 – HKLM\..\Run: [Easy–PrintToolBox] C:\Program Files\Canon\Easy–PrintToolBox\BJPSMAIN.EXE /logon
O4 – HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 – HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [BgMonitor_{79662E04–7C6C–4d9f–84C7–88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 – Global Startup: BlueSoleil.lnk = ?
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Easy–WebPrint Add To Print List – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_AddToList.html
O8 – Extra context menu item: Easy–WebPrint High Speed Print – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_HSPrint.html
O8 – Extra context menu item: Easy–WebPrint Preview – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_Preview.html
O8 – Extra context menu item: Easy–WebPrint Print – res://C:\Program Files\Canon\Easy–WebPrint\Resource.dll/RC_Print.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 – Extra button: (no name) – {85d1f590–48f4–11d9–9669–0800200c9a66} – %windir%\bdoscandel.exe (file missing)
O9 – Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 – {85d1f590–48f4–11d9–9669–0800200c9a66} – %windir%\bdoscandel.exe (file missing)
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: (no name) – SolidConverterPDF – (no file) (HKCU)
O16 – DPF: {31B7EB4E–8B4B–11D1–A789–00A0CC6651A8} (Cult3D ActiveX Player) – http://www.cult3d.com/download/cult.cab
O16 – DPF: {5D86DDB5–BDF9–441B–9E9E–D4730F4EE499} (BDSCANONLINE Control) – http://www.netsecure.pl/scan8/oscan8.cab
O16 – DPF: {86A88967–7A20–11D2–8EDA–00600818EDB1} (ParallelGraphics Cortona Control) – http://www.parallelgraphics.com/bin/cortvrml.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://www.mks.com.pl/skaner/SkanerOnline.cab
O20 – Winlogon Notify: Mixer – sndmixex.dll (file missing)
O20 – Winlogon Notify: msupdate – msupdate32.dll (file missing)
O20 – Winlogon Notify: WRNotifier – C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 – SSODL: SysTray.Exgl – {636821FC–6F5C–2f1b–B164–E67214F678E2} – (no file)
O23 – Service: AntiVir Service (AntiVirService) – H+BEDV Datentechnik GmbH – C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 – Service: Ati HotKey Poller – ATI Technologies Inc. – C:\WINDOWS\System32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: Autodata Limited License Service – Unknown owner – C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 – Service: AntiVir Update (AVWUpSrv) – H+BEDV Datentechnik GmbH, Germany – C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 – Service: BlueSoleil Hid Service – Unknown owner – C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 – Service: Network Monitor – Unknown owner – C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 – Service: O&O CleverCache Pro (OOCleverCache) – O&O Software GmbH – C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
O23 – Service: ScsiAccess – Unknown owner – C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 – Service: Serv–U FTP Server (Serv–U) – Cat Soft – C:\Program Files\Serv–U\ServUDaemon.exe
O23 – Service: StarWind iSCSI Service (StarWindService) – Rocket Division Software – C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 – Service: Webroot Spy Sweeper Engine (svcWRSSSDK) – Webroot Software, Inc. – C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Odpowiedzi: 7
odpaliłem tego fixa w trybie awaryjnym i problem znikł :lol: A juz myslalem,ze bez reinstalacji systemu nie przejdzie. Coprawda tak to bede musial przy okazji zrobic,bo chyba został naruszony rejestr,poniewaź jak wcześniej wspominalem ustawienia aplikacji uległy jakby wyzerowaniu i kazda aplikacja otwiera mi sie na pełnym ekranie pomijajac pasek którego nie widac – strasznie mnie to draźni.W kaźdym bardzo Wam dziękuje EL NINO i MR. Anderson !! Po raz kolejny nie zawiodłem sie na tym forum. Pozdrawiam
Otwórz notatnik, wklej w nim to:
Zapisz jako>>>zmień rozszerzenie z .txt na wszystkie pliki, zapisz pod nazwą FIX.REG , start do trybu awaryjnego, odpalasz FIX.REG
REGEDIT4
[–HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Mixer]
[–HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate]
Zapisz jako>>>zmień rozszerzenie z .txt na wszystkie pliki, zapisz pod nazwą FIX.REG , start do trybu awaryjnego, odpalasz FIX.REG
Widzisz to ?
Zarowno sndmixex.dll, jak i msupdate32.dll. Wykasuj to z rejestru. Usun pliki z dysku – jesli nie umiesz w trybie awaryjnym, uzyj jakiegos KillBoxa.
Sprawdz rowniez czy masz:
enl8l13u1.dll
i4600ejmehoa0.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Mixer]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"StartShell"="Entry"
"DllName"="sndmixex.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate]
"DllName"="msupdate32.dll"
"Startup"="WinlogonStartupEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
Zarowno sndmixex.dll, jak i msupdate32.dll. Wykasuj to z rejestru. Usun pliki z dysku – jesli nie umiesz w trybie awaryjnym, uzyj jakiegos KillBoxa.
Sprawdz rowniez czy masz:
enl8l13u1.dll
i4600ejmehoa0.dll
Zeby było jasniej wkleje Ci tutaj ten log. Dodam tylko,źe jest log z przeprowadzonego 2–giego scanu,pierwszy zrobilem zanim mi napisales i niemam loga do niego.Ten jest zrobione dzień później.
L2mfix 010406
Creating Account.
Polecenie zostaˆo wykonane pomy˜lnie.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Killing PID 540 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratorzy ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Mixer]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"StartShell"="Entry"
"DllName"="sndmixex.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate]
"DllName"="msupdate32.dll"
"Startup"="WinlogonStartupEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[–HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/enl8l13u1.dll (188 bytes security) (deflated 6%)
adding: dlls/i4600ejmehoa0.dll (188 bytes security) (deflated 4%)
adding: backregs/4C0DC44D–5628–4F93–B7DF–B3A034E705BF.reg (212 bytes security) (deflated 70%)
adding: backregs/659DBA15–D32E–4253–8C90–CF8253F4541A.reg (212 bytes security) (deflated 70%)
adding: backregs/D9BCAB42–4646–436F–BA8C–9C803A4CDECA.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (188 bytes security) (deflated 88%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)
L2mfix 010406
Creating Account.
Polecenie zostaˆo wykonane pomy˜lnie.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Killing PID 540 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Killing PID 1416 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002–2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratorzy ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Mixer]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"StartShell"="Entry"
"DllName"="sndmixex.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate]
"DllName"="msupdate32.dll"
"Startup"="WinlogonStartupEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[–HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/enl8l13u1.dll (188 bytes security) (deflated 6%)
adding: dlls/i4600ejmehoa0.dll (188 bytes security) (deflated 4%)
adding: backregs/4C0DC44D–5628–4F93–B7DF–B3A034E705BF.reg (212 bytes security) (deflated 70%)
adding: backregs/659DBA15–D32E–4253–8C90–CF8253F4541A.reg (212 bytes security) (deflated 70%)
adding: backregs/D9BCAB42–4646–436F–BA8C–9C803A4CDECA.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (188 bytes security) (deflated 88%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)
Sprawdzales log z l2mfix ? Porownywales go z opisem Bobiego ?
Jest w linkowanym wyzej temacie "silent runners". Moze w jego logu bedzie widac wiecej ?
Jest w linkowanym wyzej temacie "silent runners". Moze w jego logu bedzie widac wiecej ?
pliki o których wspomniales rzeczywiscie byly w systemie ale z rozszerzeniem *.VIR. Programem l2mfix robilem juz wczesniej i cos tam pousuwał,niestety problemy moje nie zniknęły...
Sprawdz dokladnie (pliki ukryte i systemowe), czy rzeczywiscie nie masz na dysku dwoch pierwszych plikow z wpisow O20. Moglbys zastosowac rowniez "l2mfix" z wyborem "Run fix", ktorego znajdziesz w przyklejonym temacie –> http://forum.centrumxp.pl/viewtopic.php?t=33140
Jesli program C:\Program Files\Network Monitor\netmon.exe nie zostal zainstalowany przez Ciebie, usun rowniez.
Jesli program C:\Program Files\Network Monitor\netmon.exe nie zostal zainstalowany przez Ciebie, usun rowniez.
Strona 1 / 1