Marcin511
(Marcin Obala)
23 May 2006 15:04
#1
A few days ago my stupid brother switched the computer off directly at the power strip without shutting down Windows. After turning it back on, nothing appears on the desktop. The only thing that helps is when I kill explorer.exe and start it again. What's going on?? Logging in as the Administrator user works without problems.
kuz5
(Kuz5)
23 May 2006 15:17
#2
Start the Recovery Console from the XP CD and use the command:
expand X:\i386\explorer.ex_ C:\Windows\explorer.exe
Where X is the drive letter
And C is the letter of the system disk
Piotr_P
(Piotr P.)
23 May 2006 15:25
#3
Open the registry editor and go to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
string value “Shell” = enter Explorer.exe
Marcin511
(Marcin Obala)
23 May 2006 15:26
#4
It doesn't help
That is what's entered there
Post merged: 23.05.2006 (Tue) 17:30
I'll add the logs from HiJack and SilentRunners
Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 17:30:20, on 2006-05-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\explorer.exe
C:\copy\ch.exe
E:\Windows Uptime\Windows Uptime.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\OBAA~1\USTAWI~1\Temp\Rar$EX00.140\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.sie.vectranet.pl:8080
O4 - HKLM…\Run: [Copy Handler] C:\copy\ch.exe
O4 - HKCU…\Run: [WindowsUptime] “E:\Windows Uptime\Windows Uptime.exe” /i
O4 - HKCU…\Run: [AtiTrayTools] “C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe”
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
SilentRunners
“Silent Runners.vbs”, revision 45, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “WindowsUptime” = ““E:\Windows Uptime\Windows Uptime.exe” /i” [" “] “AtiTrayTools” = ““C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe”” [“Ray Adams”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Copy Handler” = “C:\copy\ch.exe” [” "] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}” = “OODefrag” -> {HKLM…CLSID} = “OODShellExtObj Class” \InProcServer32(Default) = “C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll” [“O&O Software GmbH”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = 
“AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll” [“Alcohol Soft Development Team”] “{e82a2d71-5b2f-43a0-97b8-81be15854de8}” = “ShellLink for Application References” -> {HKLM…CLSID} = “ShellLink for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}” = “Shell Icon Handler for Application References” -> {HKLM…CLSID} = “Shell Icon Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] HKLM\System\CurrentControlSet\Control\Session Manager\ INFECTION WARNING! “BootExecute” = “autocheck autochk * OODBS” [file not found], [MS], [file not found], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! 
text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ CopyHandlerShellExt(Default) = “{E7A4C2DA-F3AF-4145-AC19-E3B215306A54}” -> {HKLM…CLSID} = “MenuExt Class” \InProcServer32(Default) = “c:\copy\chext.dll” [empty string] OODefrag(Default) = “{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}” -> {HKLM…CLSID} = “OODShellExtObj Class” \InProcServer32(Default) = “C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll” [“O&O Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ CopyHandlerShellExt(Default) = “{E7A4C2DA-F3AF-4145-AC19-E3B215306A54}” -> {HKLM…CLSID} = “MenuExt Class” \InProcServer32(Default) = “c:\copy\chext.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ CopyHandlerShellExt(Default) = “{E7A4C2DA-F3AF-4145-AC19-E3B215306A54}” -> {HKLM…CLSID} = “MenuExt Class” \InProcServer32(Default) = “c:\copy\chext.dll” [empty string] OODefrag(Default) = “{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}” -> {HKLM…CLSID} = “OODShellExtObj Class” \InProcServer32(Default) = “C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll” [“O&O Software GmbH”] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = 
“C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”
adam9870
(adam9870)
23 May 2006 15:34
#5
The HijackThis log is OK. But I don't like that it is so small :? Are you sure you pasted all of it :roll:
The one from Silent, on the other hand, is cut off. Wait until it finishes (it will tell you with an appropriate message) and only then paste it on the forum.
Gutek
(Gutek)
23 May 2006 15:35
#6
HKLM\System\CurrentControlSet\Control\Session Manager\ INFECTION WARNING! “BootExecute” = “autocheck autochk * OODBS” [file not found], [MS], [file not found], [file not found]
Please open the registry editor (Start >>> Run >>> regedit) and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. There, double-click the BootExecute value and delete everything from the box except autocheck autochk *.
but that's not it
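The registry checks suggested in posts #3 and #6, as an added example that is not part of any original post: a read-only PowerShell script that compares the Winlogon Shell value and BootExecute with their Windows defaults. The function name, the Optional flag and the extra per-user (HKCU) Shell check are assumptions of this example.

```powershell
# Added example: read-only comparison of the values named in posts #3 and #6
# with the stock Windows defaults. Nothing is written to the registry.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Expected = @('explorer.exe'); Optional = $false },
    # Assumption beyond the thread: a per-user Shell value, if present, overrides HKLM
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Expected = @('explorer.exe'); Optional = $true },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'BootExecute'; Expected = @('autocheck autochk *'); Optional = $false }
)

function Test-StartupValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = @()
        $status = if ($Check.Optional) { 'OK (not set)' } else { 'MISSING' }
    } else {
        # REG_SZ is returned as one string, REG_MULTI_SZ as a string array
        $actual = @($item.($Check.Name) | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
        # Case-insensitive, so "Explorer.exe" and "explorer.exe" both match
        $same = ($actual -join "`n") -ieq ($Check.Expected -join "`n")
        $status = if ($same) { 'OK' } else { 'DIFFERS' }
    }
    [pscustomobject]@{
        Key      = $Check.Path
        Value    = $Check.Name
        Status   = $status
        Found    = ($actual -join ' | ')
        Expected = ($Check.Expected -join ' | ')
    }
}

$checks | ForEach-Object { Test-StartupValue -Check $_ } | Format-List
```

With the BootExecute data shown in the Silent Runners log (autocheck autochk * followed by OODBS), the third check reports DIFFERS.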
Marcin511
(Marcin Obala)
23 May 2006 15:41
#7
The second part of the log. A few times it showed me some error and that is why it was incomplete. Now it generated. As for HiJack, that is the whole log. I don't clutter Windows with unnecessary things.
Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] O&O Defrag, O&O Defrag, “C:\WINDOWS\system32\oodag.exe” [“O&O Software GmbH”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt05\Driver = “hpzlnt05.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- + This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 172 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 56 seconds. ---------- (total run time: 278 seconds)
Gutek
(Gutek)
23 May 2006 17:07
#8
It matters: which one? Related to Silent? Write more clearly
Marcin511
(Marcin Obala)
23 May 2006 18:45
#9
Topic no longer relevant. I couldn't be bothered to mess with it any more