rafiks
(Rb01)
14 Marzec 2007 17:07
#1
Ostatnio strrrrrrrrrrasznie wydłużył mi się czas otwierania stron internetowych. Poniewaz sam jestem komputerowym ignorantem moje własne próby uporania się z problemem spełzły na niczym. Korzystałem z rad zawartych na łamach niniejszych stron(skanowanie przy użyciu różnych progamów antywirusowych, konfiguracja ręczna połączenia z neostradą) nie przyniosły one jednak rzadnego rezultatu. Proszę zatem o sprawdzenie poniższego loga może on zna dla mnie sekretną tajemnicę.
Logfile of HijackThis v1.99.1 Scan saved at 17:47:23, on 2007-03-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\msasvc.exe D:\Program Files\MetaTrader Data Center\mtdcsrv.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe D:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe D:\gadu-gadu\gg.exe C:\WINDOWS\system32\regscan.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\nowy\USTAWI~1\Temp\Rar$EX00.578\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe O4 - HKLM…\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\gadu-gadu\gg.exe” /tray O4 - HKCU…\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O4 - Global Startup: DSLMON.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{21122791-1E4F-4D0D-9E09-999DF131A24C}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe O23 - Service: MetaTrader Data Center (mtdcsrv) - Unknown owner - D:\Program Files\MetaTrader Data Center\mtdcsrv.exe" /start (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RvscomSv - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
kuz5
(Kuz5)
14 Marzec 2007 20:21
#2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O4 - HKCU…\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
Pliki i foldery na czerwono usuń ręcznie z dysku a wpisy W HijackThis (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)
Start => Uruchom => wpisz services.msc => zatrzymaj i wyłącz usługę Microsoft authenticate service
następnie odpalasz HijackThis Misc Tools => Delete NT service => wpisz MsaSvc => Ok i zresetuj komputer.
Jeżeli będzie problem w usunięciu któregos pliku użyj programu Pocket Killbox czyli odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżke:
C:\WINDOWS\system32* * regscan.exe**
następnie program będzie pytał o restart (oczywiście zgadzasz sie)
I to samo robisz z resztą plików
Po wykonaniu w/w czynności prosze wkleić dwa logi HijackThis oraz SilentRunners
rafiks
(Rb01)
15 Marzec 2007 10:06
#3
kuz5, wielkie dzięki za poświęcenie mi swojego czasu i wiedzy,
zastosowałem sie do twoich zaleceń(mam nadzieje, że wykonałem je poprawnie); poniżej dołączam dwa logi o których wspominałeś.
p.s. internet dostał wigoru.
Logfile of HijackThis v1.99.1 Scan saved at 10:38:54, on 2007-03-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe D:\Program Files\MetaTrader Data Center\mtdcsrv.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe D:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\gadu-gadu\gg.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\nowy\USTAWI~1\Temp\Rar$EX02.063\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe O4 - HKLM…\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\gadu-gadu\gg.exe” /tray O4 - HKCU…\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O4 - Global Startup: DSLMON.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{21122791-1E4F-4D0D-9E09-999DF131A24C}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: MetaTrader Data Center (mtdcsrv) - Unknown owner - D:\Program Files\MetaTrader Data Center\mtdcsrv.exe" /start (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RvscomSv - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““D:\gadu-gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “Regscan” = “C:\WINDOWS\system32\regscan.exe” [file not found] “userinit” = “C:\WINDOWS\system32\ntos.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “Smapp” = “C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [“Analog Devices, Inc.”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Development Company, L.P.”] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe” [null data] “WinampAgent” = “d:\Program Files\Winamp\winampa.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Spybot - Search & Destroy\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview” -> {HKLM…CLSID} = “ACTHUMBNAIL” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”] “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “Uchwyt nakładania ikony podpisu cyfrowego” -> {HKLM…CLSID} = “AcSignIcon” \InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”] “{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview” -> {HKLM…CLSID} = “ACDWFTHMBPRXY” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll” [“Autodesk”] “{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office\soa800.dll” [MS] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode” -> {HKLM…CLSID} = “Microsoft Office Binder Explode” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office\UNBIND.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “Userinit” = “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,” [MS], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> mszsrn32\DLLName = “C:\WINDOWS\system32\mszsrn32.dll” [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile” <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = "“C:\Program Files\Windows NT\Accessories\WORDPAD.EXE” “%1"” [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “nowy” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] MetaTrader Data Center, mtdcsrv, ““D:\Program Files\MetaTrader Data Center\mtdcsrv.exe” /start” [“MetaQuotes Software Corp.”] Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”] RVS Installer, RVSINST, ““C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE”” [“Living Byte Software GmbH, Munich”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] LIDIL hpzll054\Driver = “hpzll054.dll” [“Hewlett-Packard Company”] RVS Fax Monitor\Driver = “RVSMONNT.DLL” [“Living Byte Software GmbH, Munich”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 63 seconds. ---------- (total run time: 141 seconds)
adam9870
(adam9870)
15 Marzec 2007 12:28
#4
Otwórz Notatnik i wklej w nim to:
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “Regscan”=- “userinit”=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] “Userinit”=“C:\WINDOWS\system32\userinit.exe,” [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O4 - HKCU…\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)
Usuń wpisy HJT jeśli będą.
Po wykonaniu możesz wkleić dla pewności nowe logi.
rafiks
(Rb01)
15 Marzec 2007 14:25
#5
witaj Adamie, postąpiłem zgodnie z twoimi wskazówkami, a oto rezultaty moich poczynań
Logfile of HijackThis v1.99.1 Scan saved at 15:14:06, on 2007-03-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe D:\Program Files\MetaTrader Data Center\mtdcsrv.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe D:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe D:\gadu-gadu\gg.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\nowy\USTAWI~1\Temp\Rar$EX00.406\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe O4 - HKLM…\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\gadu-gadu\gg.exe” /tray O4 - Global Startup: DSLMON.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{21122791-1E4F-4D0D-9E09-999DF131A24C}: NameServer = 194.204.159.1 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: MetaTrader Data Center (mtdcsrv) - Unknown owner - D:\Program Files\MetaTrader Data Center\mtdcsrv.exe" /start (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RvscomSv - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““D:\gadu-gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “Smapp” = “C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [“Analog Devices, Inc.”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Development Company, L.P.”] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe” [null data] “WinampAgent” = “d:\Program Files\Winamp\winampa.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Spybot - Search & Destroy\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview” -> {HKLM…CLSID} = “ACTHUMBNAIL” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”] “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “Uchwyt nakładania ikony podpisu cyfrowego” -> {HKLM…CLSID} = “AcSignIcon” \InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”] “{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview” -> {HKLM…CLSID} = “ACDWFTHMBPRXY” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll” [“Autodesk”] “{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office\soa800.dll” [MS] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode” -> {HKLM…CLSID} = “Microsoft Office Binder Explode” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office\UNBIND.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Documents and Settings\nowy\Pulpit\multi\d\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile” <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = "“C:\Program Files\Windows NT\Accessories\WORDPAD.EXE” “%1"” [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “nowy” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] MetaTrader Data Center, mtdcsrv, ““D:\Program Files\MetaTrader Data Center\mtdcsrv.exe” /start” [“MetaQuotes Software Corp.”] Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”] RVS Installer, RVSINST, ““C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE”” [“Living Byte Software GmbH, Munich”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] LIDIL hpzll054\Driver = “hpzll054.dll” [“Hewlett-Packard Company”] RVS Fax Monitor\Driver = “RVSMONNT.DLL” [“Living Byte Software GmbH, Munich”] ----------
<>: Suspicious data at a malware launch point.
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
The search for DESKTOP.INI DLL launch points on all local fixed drives
took 69 seconds.
---------- (total run time: 145 seconds)
adam9870
(adam9870)
15 Marzec 2007 15:03
#6
Już jest Ok.
Kosmetyka:
Start => uruchom => msconfig => zakładka Uruchamianie => możesz odznaczyć w/w.
Panel sterowania => Java Plug-in => Update => odznacz opcję Check for updates automatically.
Jeśli nie korzystasz z zaawansowanych usług tekstowych to je wyłącz: Panel sterowania => Opcje regionalne => Języki => Szczegóły => Zaawansowane => zaznacz wyłącz zaawansowane usługi tekstowe.
W opcjach komunikatora możesz wyłączyć uruchamianie przy starcie systemu jeśli nie jest Ci potrzebne.
Jeśli nie używasz Messenger’a to go usuń: start => uruchom => wpisz polecenie:
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
rafiks
(Rb01)
15 Marzec 2007 15:29
#7
adam 9870, dzięki za odpowiedz, ale jedna ważna rzecz o której nie napisałem w ostatnim poście
adam9870:
Cytat: Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “Regscan”=- “userinit”=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] “Userinit”=“C:\WINDOWS\system32\userinit.exe,” [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32] Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Otóż jeśli chcę potwierdzić dodanie do rejestru otrzymuje odpowiedz:
Nie można zaimportować C:dokuments and Settings\Nowy\FIX.REG
Określony plik nie jest skryptem rejestrów. Można importować tylko binarne pliki rejestru z wewnątrz Edytora rejestru.
I moje pytanie-Co począć z tym fantem?
adam9870
(adam9870)
15 Marzec 2007 15:34
#8
Nic ponieważ skasowanie poniżej podanych wpisów w HijackThis zrobiło dokładnie to samo, co FIX.REG, który podałem.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O4 - HKCU…\Run: [Regscan] C:\WINDOWS\system32\regscan.exe O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)
kuz5
(Kuz5)
15 Marzec 2007 15:43
#9
Ten komunikat może być spowodowany źle zapisanym fixem
Taki bład może być spowodowany brakiem nagłówka w fixie lub np. brak odstępów miedzy kluczami
Chodź fix wydaje się być wporzadku
Ważne że syfu się pozbyłeś, wiec nie ma co szukać dziury
Możesz spróbować zaimpletować fixa z nagłówkiem
Zamiast
Dodatkowo sprawdz przy tworzeniu fixa odstępy miedzy linijkami kodu
rafiks
(Rb01)
15 Marzec 2007 15:49
#10
panowie adam9870, kuz5
ogromne dzięki za zaangażowanie i okazaną pomoc.
Naprawdę pomogło. Aha kosmetyką już się zająłem.
jeszcze raz dzięki.