Zamiana .lnk na .exe


(Mofame) #1

Otuż mam roblem z ikonami i w ogóle z .exe pewnego dna włączyłem komputer i znikły mi wszyskie ikony a zamiast nich pojawiły sie ikony z rozszerzeniem .lnk Pomyslałem sobie hmm.. poszukam na google.pl ok znlazlem takie cus

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT.exe]

@="exefile"

"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT.exe\PersistentHandler]

@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]

@="Application"

"EditFlags"=hex:38,07,00,00

"TileInfo"="prop:FileDescription;Company;FileVersion"

"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]

@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]

"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]

@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]

@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]

@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]

@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]

@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]

@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\regfile]

@="Registration Entries"

"EditFlags"=dword:00100000

"BrowserFlags"=dword:00000008

[HKEY_CLASSES_ROOT\regfile\DefaultIcon]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,00,78,00,65,00,\

2c,00,31,00,00,00

[HKEY_CLASSES_ROOT\regfile\shell]

@="open"

[HKEY_CLASSES_ROOT\regfile\shell\edit]

[HKEY_CLASSES_ROOT\regfile\shell\edit\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\

54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\

00

[HKEY_CLASSES_ROOT\regfile\shell\open]

@="Mer≥"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]

@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\regfile\shell\print]

[HKEY_CLASSES_ROOT\regfile\shell\print\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\

54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\

00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT.lnk]

@="lnkfile"

[HKEY_CLASSES_ROOT.lnk\ShellEx]

[HKEY_CLASSES_ROOT.lnk\ShellEx{000214EE-0000-0000-C000-000000000046}]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT.lnk\ShellEx{000214F9-0000-0000-C000-000000000046}]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT.lnk\ShellEx{00021500-0000-0000-C000-000000000046}]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT.lnk\ShellEx{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT.lnk\ShellNew]

"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CLASSES_ROOT\lnkfile]

@="Shortcut"

"EditFlags"=dword:00000001

"IsShortcut"=""

"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile\CLSID]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]

@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers{00021401-0000-0000-C000-000000000046}]

[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]

@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}]

@="Shortcut"

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\InProcServer32]

@="shell32.dll"

"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered]

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered{89BCB740-6119-101A-BCB7-00DD010655AF}]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\PersistentHandler]

@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\ProgID]

@="lnkfile"

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\shellex]

[HKEY_CLASSES_ROOT\CLSID{00021401-0000-0000-C000-000000000046}\shellex\MayChangeDefaultMenu]

zapisąłem z odpowiednim foramtem i odpaliłem za pomoca regedit wszystko wporzadku wpis dodal sie do rejestru. Reset kompa i jest ok. Lecz niestety nie cieszylem sięza długo b opo 2 min znowu ikony się zanmieniły na .lnk pomyslałem nie no tak nie mozna... więc sprawdziełm to za pomoca Ad-Watch ku mojemu zdziwnieniu zobaczyłem kilka modyfikacji rejestru.Oto one

rejestryq3.jpg

Dodaje też loga z hijackthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:46:31, on 2008-01-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\system32\svcprs32.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\Program Files\Spybot - Search Destroy\SpybotSD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-SD IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll

O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll

O4 - HKCU..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/pl/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 5240473687

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

Czyli w skrócie pomożcie mi zrobić tak żeby mi nie zmieniały sięikony z .exe na .lnk

Z góry dziekuje i pozdrawiam

Bez głupich odp nie wnoszących nic do tematu..


(Mofame) #2

chyba już wiem o co chodzi... jest tam taki proces mdmcls32.exe chyba on jest odpowiedzialny zakończyłem proces ale po chwili i tak się pojawił. szukałem na google.pl ale nie znalazlem nic po polsku ale był tam taki program zainstalowałem go RegRun Reanimator się nazywa lecz nie usunał tego backdoora probowalem ręcznie z C:\WINDOWS\system32 ale pojawił się zpowrotem po restarcie .. pomożcie


(Leon$) #3

Aby ukryć rozszerzenie .lnk

otwórz notatnik i wklej

Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\lnkfile]

"NeverShowExt"=""

zapisz jako plik.reg >> wszystkie pliki >> scal z rejestrem >> restart Start >> uruchom >> cmd**** sc stop WinSvchostManager sc delete WinSvchostManagerwpis

O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

usuń HijackThisem >> Fix checked

Pobierz Combofixa i daj log z niego

:slight_smile:


(Mofame) #4

nie moge zrobic tego z cmd jak wpisuje to pojawia sie [sC] OpenService FAILED 1060:

a tu log z COMBOFIXA


(Leon$) #5

Czy po dodaniu tego pliku.reg coś się zmienia?


(Mofame) #6

nie... tylko prze 4 sec po uruchomieni kompa potem ot samo ..


(Mofame) #7

niepokoji mnie tylko ten proces mdmcls32.exe to jest trojan i to on t orobi a nie wimn jak go usunąć .. żaden atywirus go nie usuwa..


(Leon$) #8

Wyłącz przywracanie systemu na wszystkich dyskach

Start >> uruchom >> cmd

sc stop mdmcls32

sc delete mdmcls32

Otwórz notatnik i wklej

File::

C:\WINDOWS\system32\svcprs32.exe

C:\WINDOWS\system32\mdmcls32.exe

zapisz jako CFScript (zapisz by ikonka CFScript.txt była obok ikonki ComboFix.exe) >> Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe

http://img.wklej.org/images/88953CFScri ... iemoes.gif

na pytanie "1 or 2" - to wpisz 1 i naciśnij ENTER

Powinno rozpocząć się usuwanie

Potem daj log z usuwania

usuń ręcznie folder C: \Qoobox

Potem nowy log HijackThis

:slight_smile: