Spybot [Problem]
Replies: 20
JARO33: I typed "mchInjDrv" and it found a few files, and I don't know whether I should delete them. How do I save this so I can post it on the forum?
What files are these? Either type out the names, or post a screenshot showing the names of the files it found.
JARO33: When I typed "mshost.exe" it found files in C:\Documents and Settings\Useer\Dane aplikacji\Mozilla\Firefox\Profiles\6nixru9d.default\Cache.
After typing "xpcore.dll" it found some in C:\Documents and Settings\Useer\Dane aplikacji\Mozilla\Firefox\Profiles\6nixru9d.default\Cache
Delete the whole Firefox cache.
JARO33: and in C:\Documents and Settings\Administrator\ntuser.dat
That one is trickier :P. Maybe replace it with the file from your profile?
JARO33: I opened the registry, pressed F3 and typed "mshost.exe", and it found some entries in a folder called "Agent_EXE". Are they from that "Agent Ransack" program? Should I delete them?
Leave them.
From the registry, only this:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
"Service"="mchInjDrv"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
"DeviceDesc"="mchInjDrv"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv]
These are the search results:
REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "mchInjDrv" 2005-12-15 14:48:33
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
"Service"="mchInjDrv"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
"DeviceDesc"="mchInjDrv"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv]
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentContains]
"2"="mchInjDrv"
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentFileName]
"1"="mchInjDrv"
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentFileName]
"5"="HKEY_LOCAL_MACHINE/SYSTEM/Enum/Root/LEGACY_MCHINJDRV/ "
REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "xpcore.dll" 2005-12-15 14:51:54
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentContains]
"3"="xpcore.dll"
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentFileName]
"2"="xpcore.dll "
REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "COMGP32LOG.DLL" 2005-12-15 14:54:12
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentFileName]
"3"="COMGP32LOG.DLL"
REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "mshost.exe" 2005-12-15 14:56:11
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-1004336348-838170752-839522115-1003\Software\Agent_EXE\Agent Ransack\RecentContains]
"4"="mshost.exe"
Download the Registry Search Tool script and run searches for: mchInjDrv, mshost and xpcore
Attach the results here.
I'm waiting for a quick response.
EL NINO: Jaro, whichever way I look at it, I can't see anything. You have one more option left: AgentRansack.
This thread -> http://forum.centrumxp.pl/viewtopic.php?p=175254#175254 and search for the string "mchInjDrv". Just in case, have it search for the files the system says are missing as well: "mshost.exe" and "xpcore.dll".
Once it finds something, what should I do with it? I typed "mchInjDrv" and it found a few files, and I don't know whether I should delete them. How do I save this so I can post it on the forum?
When I typed "mshost.exe" it found files in C:\Documents and Settings\Useer\Dane aplikacji\Mozilla\Firefox\Profiles\6nixru9d.default\Cache.
After typing "xpcore.dll" it found some in C:\Documents and Settings\Useer\Dane aplikacji\Mozilla\Firefox\Profiles\6nixru9d.default\Cache
and in C:\Documents and Settings\Administrator\ntuser.dat
One more question. I opened the registry, pressed F3 and typed "mshost.exe", and it found some entries in a folder called "Agent_EXE". Are they from that "Agent Ransack" program? Should I delete them?
EL NINO: Download the little program StartDreck, run it, open Config, click "Unmark all", tick only "Run Keys" -> OK and press Refresh. Paste the result here.
http://members.chello.at/nikolaus.rameis/_data/startdreck217.zip
The fight continues.
StartDreck (build 2.1.7 public stable) - 2005-12-14 @ 06:12:46 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Dodatek Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Jarek at JARO
Registry
Run Keys
Current User
Run
*AutoConnect=C:\Program Files\AutoConnect\AutoConnect.exe
*SkinClock=C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
*IncrediMail=C:\Program Files\IncrediMail\bin\IncMail.exe /c
RunOnce
Default User
Run
*CTFMON.EXE=C:\WINDOWS\system32\CTFMON.EXE
RunOnce
Local Machine
Run
*SystemTray=SysTray.Exe
*SoundMan=SOUNDMAN.EXE
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
*BDMCon=C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
*BDOESRV="C:\Program Files\Softwin\BitDefender8\bdoesrv.exe"
*BDNewsAgent="C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
*cFosSpeed=C:\Program Files\cFosSpeed\LoveSpeed.exe
*TrayFactory=C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /silent
*tguard=C:\Program Files\Beniamin\tguard.exe
*gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
*NeroFilterCheck=C:\WINDOWS\system32\NeroCheck.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
RunOnce
*TrayFactory=C:\Program Files\PS Tray Factory\PSTrayFactory.exe /start
RunServices
RunServicesOnce
RunOnceEx
RunServicesOnceEx
Files
System/Drivers
Application specific
I delete this registry key, but after a restart it shows up again. Is there any other way to deal with this junk?
Żółty: I can't see anything in the log. Did you clear out the whole c:\windows\temp folder?? As a precaution, paste the paths of the files mentioned in the links EL NINO gave you into KillBox. And that key you found, I'd delete it too...
Honestly, I've never done anything with KillBox before. Can you tell me what to enter there and what to click? Thanks in advance.
:oops:
While searching the registry today, I came across this: HKEY_LOCAL_MACHINE/SYSTEM/Enum/Root/LEGACY_MCHINJDRV/
Maybe this is the cause of the junk I can't get rid of.
And these are screenshots from the registry:
Żółty: Post a Silent Runners log
Do you mean this:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AutoConnect" = "C:\Program Files\AutoConnect\AutoConnect.exe" ["http://autoconnect.prv.pl"]
"SkinClock" = "C:\Program Files\Clock Tray Skins\ClockTraySkins.exe" [null data]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"BDMCon" = "C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" ["SOFTWIN S.R.L."]
"BDOESRV" = ""C:\Program Files\Softwin\BitDefender8\bdoesrv.exe"" ["SOFTWIN SRL"]
"BDNewsAgent" = ""C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"" [null data]
"cFosSpeed" = "C:\Program Files\cFosSpeed\LoveSpeed.exe" ["Copyright @ 2000 - 2005 =NF=LOVE[BCG]"]
"TrayFactory" = "C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /silent" ["PS Soft Lab"]
"tguard" = "C:\Program Files\Beniamin\tguard.exe" ["AKKORP"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"TrayFactory" = "C:\Program Files\PS Tray Factory\PSTrayFactory.exe /start" ["PS Soft Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "bho2gr Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRAMY [instalki]\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "Łą&cza"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRAMY [instalki]\WinRAR\rarext.dll" [null data]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
"{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}" = "ContextMenuExt Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRA~2\Alcochol\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRAMY [instalki]\Microsoft Office Pro 2003\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{19F500E0-9964-11cf-B63D-08002B317C03}" = "Desktop Icon Layout"
-> {CLSID}\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = " sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll" [null data]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRAMY [instalki]\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]
CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRAMY [instalki]\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"
-> {CLSID}\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\TATA\PROGRAMY [instalki]\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jarek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Startup items in "Jarek" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\Jarek\Menu Start\Programy\Autostart
"Rainlendar" -> shortcut to: "C:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]
"Stardock ObjectDock" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe" ["Stardock"]
"UberIcon" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe" [null data]
"Y'z ToolBar" -> shortcut to: "C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe" ["Y'z@Home"]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]
Enabled Scheduled Tasks:
------------------------
"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [file not found]
"Przypomnienie o wygaśnięciu dezinstalacji" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /u /n:1" [MS]
"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SYSTEMROOT%\system32\bnmndrv.dll [null data], 01 - 06, 13
%SystemRoot%\system32\mswsock.dll [MS], 07 - 10
%SystemRoot%\system32\rsvpsp.dll [MS], 11 - 12
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"
Miscellaneous IE Hijack Points
------------------------------
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service" ["SOFTWIN S.R.L."]
cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TuneUp WinStyler Theme Service, TUWinStylerThemeSvc, ""C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe"" ["TuneUp Software GmbH"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 39 seconds, including 14 seconds for message boxes)
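A small triage helper for a Silent Runners report in the layout shown above, added here as an example and not part of the original thread or of the Silent Runners script: it parses the key and "name" = "value" [tag] lines, collects the entries the script itself flagged or could not attribute to a known file, and collapses the repeated AppInit_DLLs value to the single DLL it names. The report text inside the block is a constructed excerpt in that layout, not the full log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the layout of the Silent Runners report above: a registry
# key line, then one '"name" = "value" [tag]' line per entry, with "->" lines
# resolving a CLSID to the file it loads. Not the thread's full log.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"BDNewsAgent" = ""C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = " sockspy.dll sockspy.dll sockspy.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]
"""

KEY_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*\\)(?: \{\+\+\})?$")
ARROW_RE = re.compile(r'^-> .*? = "(?P<value>.*)" \[(?P<tag>[^\]]*)\]$')
VALUE_RE = re.compile(
    r'^(?:(?P<warn>INFECTION|HIJACK) WARNING! )?'
    r'"?(?P<name>[^"=]+?)"? = "(?P<value>.*)"(?: \[(?P<tag>[^\]]*)\])?$'
)


@dataclass
class Entry:
    key: str                 # registry key the line sits under
    name: str
    value: str
    tag: Optional[str]       # "MS", a company name, "null data" or "file not found"
    warning: Optional[str]   # "INFECTION" / "HIJACK" when the script flagged the line
    resolved: Optional[str] = None  # file a following "->" line resolved a CLSID to


def parse_report(text: str) -> List[Entry]:
    """Walk the report line by line, remembering the current registry key."""
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = ARROW_RE.match(line)          # must be tried before VALUE_RE
        if m:
            if entries:
                entries[-1].resolved = m["value"]
                if entries[-1].tag is None:  # tag was deferred to the "->" line
                    entries[-1].tag = m["tag"]
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(key, m["name"], m["value"], m["tag"], m["warn"]))
    return entries


def appinit_dlls(entries: List[Entry]) -> List[str]:
    """DLL names from AppInit_DLLs, lower-cased, de-duplicated, order kept.
    Windows loads each DLL in this value into every process that loads
    user32.dll, so a name repeated eleven times (as in the log above)
    is still one DLL to locate and account for."""
    seen: List[str] = []
    for e in entries:
        if e.name.lower() != "appinit_dlls":
            continue
        for dll in re.split(r"[\s,]+", e.value.strip()):
            if dll and dll.lower() not in seen:
                seen.append(dll.lower())
    return seen


def findings(entries: List[Entry]) -> List[str]:
    """Lines to review first: anything the script flagged, plus entries whose
    file has no company/version info ([null data]) or is missing ([file not found])."""
    out: List[str] = []
    for e in entries:
        if e.warning:
            reason = f"{e.warning} WARNING"
        elif e.tag in ("null data", "file not found"):
            reason = e.tag
        else:
            continue
        out.append(f"{reason}: {e.key}{e.name} = {e.resolved or e.value}")
    return out
```

Feed a whole saved report to parse_report() and read findings() before deciding what to remove; a [null data] tag on its own only means the script found no version information, not that the file is malicious.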
Bobi: Of course you should delete it.
The only problem is that I delete it, but after restarting the computer it shows up again.
EL NINO: There's a bit more here too -> http://www.symantec.com/avcenter/venc/data/dialer.iccontrol.html
The files and registry entries need to be removed, the ones described in point "4. To delete the value from the registry".
I don't have any of those entries in my registry.
This morning I scanned with "Spy Sweeper", then after restarting the computer I scanned with "Spybot", and that "Command Service" entry was gone.
I just don't know whether I should delete this whole [mchInjDrv] folder from the registry:
EL NINO: So delete mchInjDrv from the registry and the file mc21.tmp from the disk. You can see it in the "ImagePath" entry in your screenshot in the second post.
I deleted it from the registry [but it comes back after a restart], and on the disk I don't see that "mc21.tmp" file in "Temp".
JARO33: I searched for those files "mshost.exe" and "xpcore.dll", but they're not there.
If you've told the system to show hidden and system files and there really is nothing there, then fine. But note that the Sophos description talks about the \Windows folder, not \Windows\system32.