Sys Fader jak usunąć?


(Slayer32) #1

Mam sys Fadera próbowałem już chyba wszystkiego :confused: rejestr,skan anty wirusem :/,wie ktoś jak się go pozbyć na dobre ? z gówy thx :evil: .


(Dawidex11) #2

Bez Logow nic nikt ci nie pomoze podaj logi z Hijack i Slient Runners http://forum.dobreprogramy.pl/viewtopic.php?t=36654

Podaj dokladna sciezke gdzie siedzi ten plik/folder napisz cos wiecej o tym czy cos sie dziwnego dzieje... :slight_smile:

Ps. To jest chyba problem z grafika NVidia albo z muzyka SoundBlaster http://www.liutilities.com/products/wintaskspro/processlibrary/sysfader/


(Slayer32) #3

Hijack This :

Silent Runners:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""D:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]

"Uniblue RegistryBooster 2" = "C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"razer" = "D:\Program Files2\Rehjzer\razerhid.exe" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = "flashget urlcatch"

-> {HKLM...CLSID} = "FGCatchUrl"

\InProcServer32(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided)

-> {HKLM...CLSID} = "FlashGet GetFlash Class"

\InProcServer32(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ALSongContext(Default) = "{CBE49257-71F8-44B4-B536-FF5359F0AEAA}"

-> {HKLM...CLSID} = "ALContextMenu Class"

\InProcServer32(Default) = "D:\ALSong\ALSongSh.dll" ["Copyright © 2005 ESTsoft corp."]

avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"Homepage" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Windows Components|Internet Explorer|

Disable changing home page settings}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\CoOl-T\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{215940F1-E7E0-4801-BEE3-44D045534106}\

"ButtonText" = "Wyslij SMS'a"

"Script" = "C:\Program Files\Common Files\moje.js" [null data]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "FlashGet"

"Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search & Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

Miscellaneous IE Hijack Points


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> "Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]

PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

---------- (launch time: 2007-10-25 23:15:05)

<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 40 seconds, including 22 seconds for message boxes)


(jessica) #4

W sprawie "sys Fader" - @Dawidek11 ma chyba rację...

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Nic tu więcej podejrzanego nie widzę.

Możesz dać jeszcze log z ComboFix (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów).

jessi


(Slayer32) #5

Zrobione :stuck_out_tongue: (Combofix)

http://wklej.org/id/e2c67df757


(jessica) #6

Znasz te?

Nic tu więcej podejrzanego nie widzę.

jessi


(Slayer32) #7

fs2 to folder do gry "Freespace 2" :mrgreen:

fgfg skasowałem

Chyba już po kłopocie. . .

Jedyna ciekawostka to jak skanowalem rejestr jakims programem anispyware (microsoftu) znalazło ponad 560 wpisów/błędów/spyware z czego mogłem usunąc tylko 15 bo dalej trzebabyło sie rejestrowac ;/


(Dawidex11) #8

:expressionless: Dziwne .... a co do spyware'ow to skan AVG Anti-Spyware 7.5 po update + raport wklej na forum :wink: +

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

lub

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509