Trojan

I downloaded a supposedly free virus removal program, but it only found the thing and told me that to remove it I have to buy the program. It supposedly detected a trojan, a file named rtb 666, and gave the location HKLM\software\windows\current version\II zasobnik systemowy. I have no idea where to look for this or what to do with it. Please help.


Post a log from Silent Runners (instructions here) and from HijackThis (instructions here).

And why can't you write the name of this "supposedly free" program??

And from what site??

It's nothing to be ashamed of. We'll have a bit of a laugh and that's all.

It may explain a thing or two.


I don't understand any of this. You can call me brainless, but I also read somewhere that HijackThis is itself a virus, and besides, it also showed me a file detescop Hijacker as a virus, location HKU.default\software\microsoft\windows\current version\run\IIsrv 32 spool service.

I didn't write earlier because I couldn't log in, hence the change of nick.

HijackThis, the program, is not a virus!!

If you don't believe us, why do you come here???

PS.

Read and follow what Myszak wrote.

Will you write it, or do we have to guess??

Merged post: 25.07.2006 (Tue) 9:35

I believe you, I believe you, and I'm asking for help, please.

====================================

Note: when you paste a log, wrap it in a CODE or QUOTE tag.

I suggest reading THIS topic and seeing what is asked of users who paste logs.

Regards, kuz5

What program did you download and from what site??

Can't you read questions??!!

And where is the Silent Runners log??!!


Could you not insult me?? I don't know anything about this, I don't know what to delete and I simply don't know what to do. I need it step by step.

Merged post: 25.07.2006 (Tue) 9:49

When I opened Silent Runners it showed me this:

'Silent Runners.vbs -- find out what programs start up with Windows!
'DO NOT REMOVE THIS HEADER!
'Copyright Andrew ARONOFF 19 June 2006, http://www.silentrunners.org/
'This script is provided without any warranty, either expressed or implied
'It may not be copied or distributed without permission
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! **
'HEADER ENDS HERE

Option Explicit

Dim strRevNo : strRevNo = "46"
Public flagTest : flagTest = False 'True if testing
'flagTest = True 'Uncomment to test

'This script is divided into 28 sections.
'malware launch points:
' registry keys (I-XII, XV)
' INI/INF-files (XVI-XVIII)
' folders (XIX)
' enabled scheduled tasks (XX)
' Winsock2 service provider DLLs (XXI)
' IE toolbars, explorer bars, extensions (XXII)
' started services (XXVI)
' keyboard driver filters (XXVII)
' printer monitors (XXVIII)
'hijack points:
' System/Group Policies (XIV)
' prefixes for IE URLs (XXIII)
' misc IE points (XXIV)
' HOSTS file (XXV)

and then such a terribly large amount of text that I don't feel like uploading it to the forum.

  1. Boot into safe mode and turn off System Restore.

  2. Files/folders marked in red: delete them manually from the disk.

  3. Delete the entries with HijackThis.

  4. Post a log from Silent Runners (instructions here).

Then why do you write at all that you have a problem, if you won't help solve it?

Please start using Polish spelling.

Put all logs in a quote tag.

You are creating unnecessary confusion.

The same thing; I can't.


pati1, do what I wrote and post a new HijackThis log.

I can. And I see you are still ignoring me, because you didn't answer my question.

You don't know about this?? That doesn't mean we have to hand you everything on a plate. We expect a bit of respect here.

Logfile of HijackThis v1.99.1
Scan saved at 10:04:49, on 25-07-2006
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PMAIL\WINPM-32.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\3.BIN\MWSSRCAS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSBAR.DLL
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSOEMON.EXE
O4 - HKLM\..\RunServices: [drukarka] c:\novell\client32\nptwin95.exe /exit
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [Malware Sweeper] C:\PROGRAM FILES\MALWARESWEEPER.COM\MALWARE SWEEPER\MALSWEP.exe /STARTUP
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZCFOX000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002 Plk\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday) - file://C:\Program Files\AutoCAD LT 2002 Plk\AcDcToday.ocx
O16 - DPF: {AE56372C-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/plk/InstBanr.Ocx
O16 - DPF: {1F831FAC-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - http://pointa.autodesk.com/portal/lang/plk/InstFred.Ocx
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/ … VerChk.ocx
O16 - DPF: {D7F0F5E7-0CCC-4F00-B733-FAD4757D7EC4} (Neurosoft BipView Control (3.2)) - http://www.neurosoft.pl/downloads/bip/bipvw32.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://digitalid.verisign.com/xenroll.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
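As an added example for this thread (not code from HijackThis, Silent Runners or any of the posters), the following Python script does by rule what the helpers above do by eye with a log like this one: it parses the O2/O3/O4/O18 lines (the BHO, toolbar and Run-key launch points that the Silent Runners header enumerates as sections III, XXII and I), extracts the module each entry launches, and ranks the entries. The rules it applies are the ones the thread turns on: a per-user Run value in the Windows\System folder whose name imitates the real spooler (SPOOL32.EXE in the process list, spoolsrv32.exe in the Run key), the MyWebSearch toolbar components, the pay-to-clean "free" scanner from the opening post, and registrations whose file is already gone. The sample lines are copied from the log above; the marker lists, the look-alike heuristic and the severity labels are this example's own assumptions.

```python
"""Triage a HijackThis log: parse its O2/O3/O4/O18 lines, find the module each entry
launches and rank what a responder should look at first. Added example for this thread,
not code from HijackThis, Silent Runners or any poster. Sample lines are copied from the
log posted above; marker lists, look-alike heuristic and severities are assumptions."""
import os
import re
from collections import namedtuple

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above, copied verbatim.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\3.BIN\MWSSRCAS.DLL (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSBAR.DLL
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSBAR.DLL,S
O4 - HKCU\..\Run: [srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [Malware Sweeper] C:\PROGRAM FILES\MALWARESWEEPER.COM\MALWARE SWEEPER\MALSWEP.exe /STARTUP
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
"""

CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]+\})"
LINE_RE = (  # line shapes as HijackThis v1.99 prints them (see the log above)
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
    ("O3", re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKU\S*)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>Startup): (?P<name>.*?) = (?P<target>.*)$")),
    ("O18", re.compile(r"^O18 - Filter: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
)
# First drive-letter path ending in an executable/library extension, quoted or not.
MODULE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr))\b', re.IGNORECASE)
# Win9x system processes from the "Running processes" list above; used only to spot look-alike names.
WIN9X_SYSTEM_EXES = {"kernel32.dll", "msgsrv32.exe", "spool32.exe", "mprexe.exe", "mdm.exe", "rpcss.exe",
                     "explorer.exe", "taskmon.exe", "systray.exe", "internat.exe", "ddhelp.exe"}
ADWARE_MARKERS = ("MYWEBSEARCH", "MYWEBS~1")  # MyWebSearch toolbar family (assumption: treated as unwanted)
ROGUE_MARKERS = ("MALWARESWEEPER",)           # the pay-to-clean "free" scanner of the opening post (assumption)
SEVERITY_RANK = {"remove": 0, "cleanup": 1, "verify": 2}
# hive: HKLM/HKCU/Startup ("" for COM registrations); key: Run, RunServices... (registry O4 only);
# target: command line or path exactly as HijackThis printed it.
Entry = namedtuple("Entry", "kind hive key name target")
Finding = namedtuple("Finding", "entry severity reasons")


def parse(log_text):
    """O2/O3/O4/O18 entries of a HijackThis log, in file order."""
    entries = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        for kind, rx in LINE_RE:
            m = rx.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(kind, g.get("hive") or "", g.get("key") or "", g["name"], g["target"].strip()))
                break
    return entries


def module_path(target):
    """Module a command line launches; a bare name (SysTray.Exe) stays bare, "(no file)" becomes ""."""
    m = MODULE_RE.search(target)
    if m:
        return m.group("path")
    return "" if target.startswith("(") else target.split()[0].strip('"')


def lookalike_of(basename):
    """System binary that `basename` imitates: shares a prefix of 5+ chars covering nearly the
    whole real name without being that file (heuristic: spoolsrv32.exe -> spool32.exe)."""
    b = basename.lower()
    if b in WIN9X_SYSTEM_EXES:
        return None
    for legit in sorted(WIN9X_SYSTEM_EXES):
        stem = legit.rsplit(".", 1)[0]
        common = os.path.commonprefix([b, stem])
        if len(common) >= 5 and len(common) >= len(stem) - 2:
            return legit
    return None


def assess(entry):
    """Apply the triage rules to one entry; None when nothing stands out."""
    path = module_path(entry.target)
    upper = path.upper()
    hits = []  # (severity, reason)
    if "(file missing)" in entry.target or "(no file)" in entry.target:
        hits.append(("cleanup", "registration points at a file that is gone; delete the orphaned entry"))
    if any(mk in upper for mk in ADWARE_MARKERS):
        hits.append(("remove", "MyWebSearch adware component"))
    if any(mk in upper for mk in ROGUE_MARKERS):
        hits.append(("remove", "rogue scanner that demands payment to clean (see opening post)"))
    if entry.kind == "O4":
        legit = lookalike_of(os.path.basename(path.replace("\\", "/")))
        if legit:
            hits.append(("remove", f"name imitates the system binary {legit}"))
        if entry.hive.startswith(("HKCU", "HKU")) and upper.startswith("C:\\WINDOWS\\SYSTEM\\"):
            hits.append(("remove", "per-user Run value launching from the system folder; "
                                   "Win9x system components autostart from HKLM"))
        if path and "\\" not in path:
            hits.append(("verify", "bare file name resolved through the search path; confirm which copy runs"))
    worst = min((sev for sev, _ in hits), key=SEVERITY_RANK.get, default=None)
    return Finding(entry, worst, [why for _, why in hits]) if hits else None


def triage(log_text):
    """Findings, most urgent first; log order is kept within one severity (stable sort)."""
    return sorted((f for f in map(assess, parse(log_text)) if f), key=lambda f: SEVERITY_RANK[f.severity])
```

Run against the sample, `triage` ranks the five MyWebSearch, spoolsrv32 and Malware Sweeper entries as "remove", the dangling O18 filter as "cleanup", and the bare `SysTray.Exe` as "verify" (resolved through the search path rather than by full path, so worth confirming which copy actually runs), while the NOD32, Acrobat and Gadu-Gadu entries produce no finding. Nothing here deletes anything; it only orders the work. The in-use error later in the thread (Windows refusing to delete spoolsrv32.exe while it is running) is why the helpers insist on safe mode first: the Run value can be removed with HijackThis at any time, but the file itself is only deletable once the process is not loaded.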

pati1, what did I ask you for:


Listen, Phylby, I really don't know about this. It's bad enough that I keep getting thrown out of the forum; I can't paste you everything, not because I don't want to, but because I got a message that there is a character limit. I have no idea where something went wrong, and I downloaded HijackThis from the site Myszak gave me.

pati, are you going to delete what I asked for or not?

And a hammer too, perhaps??

Read, and read with understanding!!

Leave the nerves for the end.

pati, please follow the instructions from the others, because we are not going to play cat and mouse.

In C:\program files\mywebsearch\srchastt\3.bin\ there is no such file mussrcas.dll; as for spoolsrv32.exe, I got a message that Windows is using this file and I can't delete it.

From HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:19, on 25-07-2006
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\3.BIN\MWSSRCAS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSBAR.DLL
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSOEMON.EXE
O4 - HKLM\..\RunServices: [drukarka] c:\novell\client32\nptwin95.exe /exit
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [NBJ] "C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\3.BIN\MWSOEMON.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZCFOX000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002 Plk\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday) - file://C:\Program Files\AutoCAD LT 2002 Plk\AcDcToday.ocx
O16 - DPF: {AE56372C-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/plk/InstBanr.Ocx
O16 - DPF: {1F831FAC-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - http://pointa.autodesk.com/portal/lang/plk/InstFred.Ocx
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/ … VerChk.ocx
O16 - DPF: {D7F0F5E7-0CCC-4F00-B733-FAD4757D7EC4} (Neurosoft BipView Control (3.2)) - http://www.neurosoft.pl/downloads/bip/bipvw32.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://digitalid.verisign.com/xenroll.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

And Silent Runners shows the same thing again (the script source rather than a log):


'Output is suppressed if deemed normal unless the -all parameter is used
'Sections XVIII & XXII-dormant Explorer Bars are skipped unless the -supp/-all
' parameters are used or the first message box is answered "No"
' I. HKCU/HKLM... Run/RunOnce/RunOnce\Setup
' HKLM... RunOnceEx/RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run
' II. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\
' (StubPath <> "" And HKLM version # > HKCU version #)
' III. HKLM... Explorer\Browser Helper Objects\
' IV. HKLM... Shell Extensions\Approved\
' V. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks
' VI. HKCU/HKLM... ShellServiceObjectDelayLoad\
' VII. HKCU... Command Processor\AutoRun ((default) <> "")
' HKCU... Policies\System\Shell (W2K & WXP only)
' HKCU... Windows\load & run ((default) <> "")
' HKCU... Command Processor\AutoRun ((default) <> "")
' HKLM... Windows\AppInit_DLLs ((default) <> "")
' HKLM... Winlogon\Shell/Userinit/System/Ginadll/Taskman
' ((default) <> explorer.exe, userinit.exe, "", "", "")
' HKLM... Control\SafeBoot\Option\UseAlternateShell
' HKLM... Control\Session Manager\BootExecute
' HKLM... Control\Session Manager\WOW\cmdline, wowcmdline
' VIII. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
' IX. HKLM... Image File Execution Options\ (subkeys with name = "Debugger")
' X. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff
' XI. HKCU/HKLM Protocols\Filter
' XII. Context menu shell extensions
' XIII. HKCR executable file type (bat/cmd/com/exe/hta/pif/scr)
' (shell\open\command data <> "%1" %*; hta <> mshta.exe "%1" %*; scr <> "%1" /S)
' XIV. System/Group Policies
' XV. Enabled Wallpaper & Screen Saver
' XVI. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe, scrnsave.exe), WINSTART.BAT
' XVII. AUTORUN.INF in root of fixed drive (open/shellexecute <> "")
' XVIII. DESKTOP.INI in any local fixed disk directory (section skipped by default)
' XIX. %WINDIR%... Startup & All Users... Startup (W98/WME) or
' %USERNAME%... Startup & All Users... Startup folder contents
' XX. Scheduled Tasks
' XXI. Winsock2 Service Provider DLLs
' XXII. Internet Explorer Toolbars, Explorer Bars, Extensions (dormant
' Explorer Bars section skipped by default)
' XXIII. Internet Explorer URL Prefixes
' XXIV. Misc. IE Hijack Points
' XXV. HOSTS file
' XXVI. Started Services
' XXVII. Keyboard Driver Filters
'XXVIII. Printer Monitors

Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")
Dim WshoArgs : Set WshoArgs = WScript.Arguments
Dim intErrNum, intMB 'Err.Number, MsgBox return value
Dim strflagTest : strflagTest = ""

If flagTest Then
    strflagTest = "TEST "
    Wshso.Popup "Silent Runners is in testing mode.",1, _
        "Testing, testing, 1-2-3...", vbOKOnly + vbExclamation
End If

'Configuration Detection Section
' FileSystemObject creation error (112)
' CScript/WScript (147)
' Dim (161)
' GetFileVersion(WinVer.exe) (VBScript 5.1) (182)
' OS version (223)
' WMI (279)
' Dim (364)
' command line arguments (440)
' supplementary search MsgBox (532)
' startup MsgBox (557)
' CreateTextFile error (583)
' output file header (625)
' WXP SP2 (629)

On Error Resume Next
Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

If intErrNum <> 0 Then
    strURL = "http://tinyurl.com/7nn6"
    intMB = MsgBox (Chr(34) & "Silent Runners" & Chr(34) &_
        " cannot access file services critical to" & vbCRLF &_
        "proper script operation." & vbCRLF & vbCRLF &_
        "If you are running Windows XP, make sure that the" &_
        vbCRLF & Chr(34) & "Cryptographic Services" & Chr(34) &_
        " service is started." & vbCRLF & vbCRLF &_
        "You can also try reinstalling the latest version of the MS" &_
        vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_
        "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
        "the download site or" & vbCRLF & Space(10) & Chr(34) & "Cancel" &_
        Chr(34) & " to quit.", vbOKCancel + vbCritical, _
        "Can't access the FileSystemObject!")
    'if dl wanted now, send browser to dl site
    If intMB = 1 Then Wshso.Run strURL
    WScript.Quit
End If

Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network")

Const HKLM = &H80000002, HKCU = &H80000001
Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7
Const MS = " [MS]"
Const DQ = """"

'determine whether output is via MsgBox/PopUp or Echo
Dim flagOut
If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then
    flagOut = "W" 'WScript
ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then
    flagOut = "C" 'CScript
Else 'echo and continue if it works
    flagOut = "C" 'assume CScript-compatible
    WScript.Echo "Neither " & Chr(34) & "WSCRIPT.EXE" & Chr(34) & " nor " &_
        Chr(34) & "CSCRIPT.EXE" & Chr(34) & " was detected as " &_
        "the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_
        " will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_
        "use WScript.Echo for all messages."
End If 'script host

Const SysFolder = 1 : Const WinFolder = 0
Dim strOS : strOS = "Unknown"
Dim strOSLong : strOSLong = "Unknown"
Dim strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro
Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
Public strExeBareName 'bare file name w/o windows or system folder prefixes
Dim strSysVer 'Winver.exe version number
Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number
Dim intLenValue 'value length
Dim strURL 'download URL
Dim flagGP : flagGP = False 'assume Group Policies cannot be set in the O/S
Dim intCLL : intCLL = 1 'CLSID Lower Limit, default is for O/S <= NT4

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
'trap GetFileVersion error for VBScript version < 5.1
On Error Resume Next
If Fso.FileExists (strFPSF & "\Winver.exe") Then
    strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
Else
    strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
End If
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if old VBScript version
If intErrNum <> 0 Then
    'store dl URL
    strURL = "http://tinyurl.com/7zh0"
    'if using WScript
    If flagOut = "W" Then
        'explain the problem
        intMB = MsgBox ("This script requires VBScript 5.1 or higher " &_
            "to run." & vbCRLF & vbCRLF & "The latest version of VBScript can " &_
            "be downloaded at: " & strURL & vbCRLF & vbCRLF &_
            "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
            "the download site or " & Chr(34) & "Cancel" & Chr(34) &_
            " to quit." & vbCRLF & vbCRLF & "(WMI is also required. If it's " &_
            "missing, download instructions will appear later.)", _
            vbOKCancel + vbExclamation,"Unsupported VBScript Version!")
        'if dl wanted now, send browser to dl site
        If intMB = 1 Then Wshso.Run strURL
    'if using CScript
    Else 'flagOut = "C"
        'explain the problem
        WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
            "VBScript 5.1 or higher to run." & vbCRLF & vbCRLF &_
            "It can be downloaded at: " & strURL
    End If 'WScript or CScript?
    'quit the script
    WScript.Quit

This isn't all of it, it's too big. I could split it into parts, but that's probably not what was meant??