musg
(Musg)
16 June 2005 17:45
#22
Deus:
well, not much has changed in the HijackThis log. One DNS entry with the correct IPs stayed, because I remember it was always there.
then you have a short memory, because it wasn't there
download the program:
http://www.bleepingcomputer.com/files/killbox.php
how to use it:
run Killbox, tick the Delete on Reboot option, then paste this path into the Full Path of File to Delete field:
C:\WINDOWS\system32\csgkd.exe
then the program will ask for a reboot (of course you agree)
post a new log
Deus
(Deus)
16 June 2005 18:01
#23
it was there, I even went and checked my old posts with logs and that entry is in them.
“Silent Runners.vbs”, revision 38, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““H:\PROGRAMY\Gadu-Gadu\gg.exe” /tray” [“sms-express.com ”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “Desktop Tool” = ““E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe”” [“Developed by http://www.eDrogene.com ”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “E:\adobe\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] 
“{D0FAC080-AE1A-11ce-8016-CE90976DC901}” = “Picture Publisher File Viewer” -> {CLSID}\InProcServer32(Default) = “ppiv20.dll” [null data] “{0E6C58A9-F592-4862-B35F-CA45E24003B3}” = “CloneCD” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll” [“Elaborate Bytes”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ INFECTION WARNING! “{6AC3806F-8B39-4746-9C38-6B01CB7331FF}” = “Memory monitor” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\q2691015_disk.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{FBF23B40-E3F0-101B-8488-00AA003E56F8}” = “Skrót internetowy” [from CLSID] -> {CLSID}\InProcServer32(Default) = “shdocvw.dll” [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “System” = “csgkd.exe” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ HIJACK WARNING! 
“NoBandCustomize”=dword:00000001 [disables toolbar status changes in Internet Explorer|View|Toolbars] {User Configuration|Administrative Templates|Windows Components| Internet Explorer|Toolbars|Disable customizing browser toolbars} Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Proba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Proba” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “TabUserW.exe” -> shortcut to: “C:\WINDOWS\system32\Wtablet\TabUserW.exe” [“Wacom Technology, Corp.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ 
[vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “H:\PROGRAMY\flashget\flashget.exe” [“Amaze Soft”] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[Version] : Signature="$CHICAGO$" : AdvancedINF=2.5,“You need a new version of advpack.dll” Missing lines (compared with English-language version): [Version]: 2 lines HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! “NavigationFailure” = “res://msaps.dll/index.html” [null data] HIJACK WARNING! “NavigationCanceled” = “res://msaps.dll/index.html” [null data] HIJACK WARNING! “OfflineInformation” = “res://msaps.dll/index.html” [null data] HIJACK WARNING! “blank” = “res://msaps.dll/index.html” [null data] HIJACK WARNING! “PostNotCached” = “res://msaps.dll/index.html” [null data] HIJACK WARNING! “MRU Update” = “1” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] TabletService, TabletService, “C:\WINDOWS\System32\Tablet.exe” [“Wacom Technology, Corp.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ----------
Logfile of HijackThis v1.99.1 Scan saved at 20:00:45, on 2005-06-16 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Tablet.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe C:\WINDOWS\System32\ctfmon.exe H:\PROGRAMY\Gadu-Gadu\gg.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\Wtablet\TabUserW.exe H:\PROGRAMY\MOZILLA\mozilla.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Downloads\hijackthis1.99.1\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\Reader\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [Desktop Tool] “E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “H:\PROGRAMY\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Ściągnij przy pomocy 
FlashGet’a - H:\PROGRAMY\flashget\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - H:\PROGRAMY\flashget\jc_all.htm O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{B7D3A25A-6A98-484B-9770-19FD5472D788}: NameServer = 194.204.152.34,194.204.159.1 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
The performance problem has stopped recurring. But I still can't unlock the "Links" (Łącza) bar etc. I think it's somewhere in the registry. Could someone tell me where?
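As an added example (not code from this thread or from Silent Runners), here is a small Python triage script for Silent Runners output like the log above. It runs on a constructed sample condensed from the entries that log shows, and separates orphaned autorun pointers (referenced file missing) from the NoBandCustomize policy value that the log itself flags with the description "disables toolbar status changes in Internet Explorer|View|Toolbars", a description that matches the locked-toolbar symptom. The verdict strings are assumed labels of this script, not Silent Runners terminology.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, condensed from the Silent Runners output quoted in this thread
# (straight quotes; the forum software turned the originals into curly quotes).
SAMPLE_LOG = r"""
Startup items buried in registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
  -> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\q2691015_disk.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csgkd.exe" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001 [disables toolbar status changes in Internet Explorer|View|Toolbars]
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "NavigationFailure" = "res://msaps.dll/index.html" [null data]
HIJACK WARNING! "blank" = "res://msaps.dll/index.html" [null data]
"""

WARNING_RE = re.compile(r"^(INFECTION|HIJACK) WARNING!\s*(.*)$")
KEY_RE = re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+)\\")   # a registry key header line
TAG_RE = re.compile(r"\[([^\]]*)\]\s*$")              # trailing [MS] / [file not found] / ...

@dataclass
class Finding:
    kind: str      # INFECTION or HIJACK, as Silent Runners labels it
    key: str       # registry key the flagged value lives under
    entry: str     # the value line(s) as printed
    tag: str       # annotation for the referenced file, if any
    verdict: str = ""

def classify(f: Finding) -> str:
    """Map a flagged entry to a defender's next step (heuristic, not a malice verdict)."""
    if "\\Policies\\" in f.key:
        # Not a loader: a policy that restricts the UI (here it locks IE toolbar layout).
        return "policy lockdown: review the value and reset it if not intended"
    if f.tag == "file not found":
        # The loader is gone (e.g. deleted with Killbox) but the pointer to it remains.
        return "orphaned autorun: referenced file is missing, remove the registry entry"
    if f.tag in ("", "null data"):
        return "unidentified file: no version info, identify it before touching it"
    return "vendor string present: still confirm path and signature manually"

def parse(text: str) -> list[Finding]:
    """Extract WARNING! entries, remembering the key header printed above each one."""
    findings, key, pending = [], "", None
    for raw in text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if not line:
            continue
        if KEY_RE.match(line):
            key = line.rstrip(" {+}").rstrip("\\")
            pending = None
            continue
        if line.startswith("->") and pending is not None:
            # Continuation: the CLSID resolved to a file, whose tag supersedes the first.
            m = TAG_RE.search(line)
            if m:
                pending.tag = m.group(1)
            pending.entry += " " + line
            pending.verdict = classify(pending)
            continue
        m = WARNING_RE.match(line)
        pending = None
        if m:
            kind, rest = m.groups()
            t = TAG_RE.search(rest)
            pending = Finding(kind, key, rest, t.group(1) if t else "")
            pending.verdict = classify(pending)
            findings.append(pending)
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict; re-running after cleanup shows what got resolved."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for f in parse(SAMPLE_LOG):
        print(f"{f.kind:9} {f.key}\n    {f.entry}\n    -> {f.verdict}")
    print(summarize(parse(SAMPLE_LOG)))
```

Run against the later logs in this thread, the msaps.dll AboutURLs entries move from [null data] to [file not found], so the script's verdict for them changes from "identify" to "remove the registry entry".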
musg
(Musg)
16 June 2005 18:07
#24
once more:
run Killbox:
type in:
C:\WINDOWS\system32\csgkd.exe
but do not agree to the reboot
then type the next one into the empty box:
C:\WINDOWS\system32\msaps.dll
only now agree to the reboot, and write how things look
you have to delete these two as a pair
Then Start >>> Run >>> regedit and go to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right-hand pane, right-click the System value and delete it.
PS
remember to have System Restore turned off
Deus
(Deus)
16 June 2005 18:14
#25
I haven't deleted the key yet, but I'm getting to it now. HijackThis log unchanged.
“Silent Runners.vbs”, revision 38, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““H:\PROGRAMY\Gadu-Gadu\gg.exe” /tray” [“sms-express.com ”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “Desktop Tool” = ““E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe”” [“Developed by http://www.eDrogene.com ”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “E:\adobe\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] 
“{D0FAC080-AE1A-11ce-8016-CE90976DC901}” = “Picture Publisher File Viewer” -> {CLSID}\InProcServer32(Default) = “ppiv20.dll” [null data] “{0E6C58A9-F592-4862-B35F-CA45E24003B3}” = “CloneCD” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll” [“Elaborate Bytes”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ INFECTION WARNING! “{6AC3806F-8B39-4746-9C38-6B01CB7331FF}” = “Memory monitor” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\q2691015_disk.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{FBF23B40-E3F0-101B-8488-00AA003E56F8}” = “Skrót internetowy” [from CLSID] -> {CLSID}\InProcServer32(Default) = “shdocvw.dll” [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “System” = “csgkd.exe” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ HIJACK WARNING! 
“NoBandCustomize”=dword:00000001 [disables toolbar status changes in Internet Explorer|View|Toolbars] {User Configuration|Administrative Templates|Windows Components| Internet Explorer|Toolbars|Disable customizing browser toolbars} Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Proba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Proba” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “TabUserW.exe” -> shortcut to: “C:\WINDOWS\system32\Wtablet\TabUserW.exe” [“Wacom Technology, Corp.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ 
[vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “H:\PROGRAMY\flashget\flashget.exe” [“Amaze Soft”] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[Version] : Signature="$CHICAGO$" : AdvancedINF=2.5,“You need a new version of advpack.dll” Missing lines (compared with English-language version): [Version]: 2 lines HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! “NavigationFailure” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “NavigationCanceled” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “OfflineInformation” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “blank” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “PostNotCached” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “MRU Update” = “1” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] TabletService, TabletService, “C:\WINDOWS\System32\Tablet.exe” [“Wacom Technology, Corp.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ----------
Deus
(Deus)
16 June 2005 18:20
#26
well then, one more log after deleting that line in HKLM
“Silent Runners.vbs”, revision 38, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““H:\PROGRAMY\Gadu-Gadu\gg.exe” /tray” [“sms-express.com ”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “Desktop Tool” = ““E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe”” [“Developed by http://www.eDrogene.com ”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “E:\adobe\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] 
“{D0FAC080-AE1A-11ce-8016-CE90976DC901}” = “Picture Publisher File Viewer” -> {CLSID}\InProcServer32(Default) = “ppiv20.dll” [null data] “{0E6C58A9-F592-4862-B35F-CA45E24003B3}” = “CloneCD” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll” [“Elaborate Bytes”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ INFECTION WARNING! “{6AC3806F-8B39-4746-9C38-6B01CB7331FF}” = “Memory monitor” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\q2691015_disk.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{FBF23B40-E3F0-101B-8488-00AA003E56F8}” = “Skrót internetowy” [from CLSID] -> {CLSID}\InProcServer32(Default) = “shdocvw.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ HIJACK WARNING! 
“NoBandCustomize”=dword:00000001 [disables toolbar status changes in Internet Explorer|View|Toolbars] {User Configuration|Administrative Templates|Windows Components| Internet Explorer|Toolbars|Disable customizing browser toolbars} Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Proba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Proba” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “TabUserW.exe” -> shortcut to: “C:\WINDOWS\system32\Wtablet\TabUserW.exe” [“Wacom Technology, Corp.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ 
[vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “H:\PROGRAMY\flashget\flashget.exe” [“Amaze Soft”] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[Version] : Signature="$CHICAGO$" : AdvancedINF=2.5,“You need a new version of advpack.dll” Missing lines (compared with English-language version): [Version]: 2 lines HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! “NavigationFailure” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “NavigationCanceled” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “OfflineInformation” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “blank” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “PostNotCached” = “res://msaps.dll/index.html” [file not found] HIJACK WARNING! “MRU Update” = “1” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] TabletService, TabletService, “C:\WINDOWS\System32\Tablet.exe” [“Wacom Technology, Corp.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ----------
Unlocking the bar is still not possible.
musg
(Musg)
16 June 2005 18:20
#27
Deus:
HijackThis log unchanged.
leave it alone and get going with Killbox and regedit. Get to work.
Deus
(Deus)
16 June 2005 18:29
#28
but what else am I supposed to do? I deleted what you wrote, at least I think I did.
musg
(Musg)
16 June 2005 18:36
#29
exactly what you did
and write how the situation looks
post the Silent Runners log once more and say how it is
Deus
(Deus)
16 June 2005 18:41
#30
when trying to reboot with the deletion, this popped up:
http://img196.echo.cx/img196/7549/1110we.jpg
musg
(Musg)
16 June 2005 18:49
#31
you're doing something wrong:
you have to delete:
C:\WINDOWS\system32\csgkd.exe
C:\WINDOWS\system32\msaps.dll
C:\WINDOWS\system32\q2691015_disk.dll
use Killbox once more and type them in one after another, pressing OK at the end, and reboot
it has to work
Deus
(Deus)
16 June 2005 18:58
#32
here's what I do:
I enter the file path into "full path of file to delete", tick "delete on reboot" and click the red X, then Yes, and No to the reboot
I add the next file the same way, and on the third I click Yes to the reboot and the error pops up.
musg
(Musg)
16 June 2005 19:04
#33
ok
delete only the first two entries. Killbox has to work
there's no other option
are you doing this in Safe Mode (F8)?
(While the system is starting up, tap the F8 key repeatedly) and you'll get into Safe Mode
Deus
(Deus)
16 June 2005 19:15
#34
well, in Safe Mode it's unfortunately the same
musg
(Musg)
16 June 2005 19:18
#35
you're quick
write what problems remain with the computer
does anything appear on the monitor screen?
Any strange icons in the taskbar?
Give more details
Deus
(Deus)
16 June 2005 19:25
#36
no, there's nothing strange, apart from the fact that I can't drag the "Links" (Łącza) tab so that it sits on a lower level. It looks as if it were locked, but in the registry I set the value 0 in "toolbar lock" (or something like that). The drag handles appeared, but when hovering over them the cursor doesn't change the way it should. It simply looks the way it should, but it doesn't work
Everything was shown in the picture a few posts earlier.
musg
(Musg)
16 June 2005 19:38
#37
well then, one more trick:
Start>>Run>>regedit>>>
go into these paths:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
look for:
“NameServer” = “69.50.184.84,195.225.176.37”
and delete it with a right-click
also check this path:
HKEY_CURRENT_USER\RemoteAccess\Profile
if there is:
“IP” = “02,00,00,00,00,00,00,00,c4,b0,32,45,25,b0,e1,c3,00,00,00,00,00,00,00,00,00,00,00,00”
delete it with a right-click
Deus
(Deus)
16 June 2005 19:56
#38
I didn't find any of those entries
Of course I still have the problem with the tabs
Deus
(Deus)
17 June 2005 12:11
#39
okay, I see nobody knows how to help me with this bar... I'll manage somehow. Anyway, big thanks to the people who helped me