Siemka… znowu musiałem zrobić format przez jakiś głupi program…
Może wiecie, jaki zestaw darmowych programów zabezpiecza komputer przed robakami, wirusami i hakerami?
Słyszałem o AVG Free, ComboFix i HJT…
Mam problem z jednym programem: Silent Runners.
Ściągnąłem plik o nazwie i rozszerzeniu „Silent Runners.vbs” i kiedy chcę go uruchomić, otwiera mi się zwykły Notatnik z taką zawartością:
'Silent Runners.vbs -- find out what starts up with Windows!
'(compatible with Windows 95/98/Millennium/NT 4.0/2000 Pro/XP Home & Pro/Vista)
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF 07 December 2008, http://www.silentrunners.org/
'This script is provided without any warranty, either express or implied
'It may not be copied or distributed without permission
'
' **YOU RUN THIS SCRIPT AT YOUR OWN RISK!** (END OF HEADER)
Option Explicit
'Script revision number (string, as used in the messages below).
Dim strRevNo
strRevNo = "59"
'Testing mode switch: when True the script restricts itself to the
'section numbers listed in arSecTest (handled in later sections, not shown here).
Public flagTest
flagTest = False
'flagTest = True 'Uncomment to put in testing mode
'Section numbers to test; empty unless testing mode is configured.
Public arSecTest
arSecTest = Array()
'Section counter, starts at zero before any section has run.
Public intSection
intSection = 0
'This script is divided into sections. The summary below numbers them 1-29, but the
'detailed list that follows numbers 1-30 and includes section 18 (AutoplayHandlers),
'which the summary omits; the two lists are therefore one apart from section 19 onward.
'malware launch points:
' registry keys (1-12, 15)
' INI/INF-files (16-18)
' folders (19)
' enabled scheduled tasks (20)
' Winsock2 service provider DLLs (21)
' IE toolbars, explorer bars, extensions (22)
' started services (26)
' accessibility tools (27)
' keyboard driver filters (28)
' printer monitors (29)
'hijack points:
' System/Group Policies (14)
' prefixes for IE URLs (23)
' misc IE points (24)
' HOSTS file (25)
'Output is suppressed if deemed normal unless the -all parameter is used
'The DESKTOP.INI directory search (section XVIII in the summary numbering above,
'section 19 in the detailed list below) is skipped unless the -supp/-all parameters are
'used or the first message box is answered "No" and the next message box "Yes"
' 1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
' HKLM... RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run
' 2. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\
' (StubPath <> "" And HKLM version # > HKCU version #)
' 3. HKLM... Explorer\Browser Helper Objects\
' 4. HKLM... Shell Extensions\Approved\
' 5. HKLM... Explorer\DeviceNotificationCallbacks/SharedTaskScheduler/ShellExecuteHooks
' 6. HKCU/HKLM... ShellServiceObjectDelayLoad\
' 7. HKCU/HKLM... Command Processor\AutoRun
' HKCU... Policies\System\Shell (W2K/WXP/WVa only)
' HKCU... Windows\load & run
' HKLM... Windows\AppInit_DLLs
' HKLM... Windows NT... Aedebug\
' HKCU/HKLM... Windows NT... Winlogon\Shell
' HKLM... Windows NT... Winlogon\Userinit, System, Ginadll, Taskman, VmApplet
' HKLM... Control\BootVerificationProgram\ImagePath
' HKLM... Control\Lsa\Authentication Packages
' HKLM... Control\Lsa\Notification Packages
' HKLM... Control\SafeBoot\Option\UseAlternateShell
' HKLM... Control\SecurityProviders\SecurityProviders
' HKLM... Control\Session Manager\BootExecute
' HKLM... Control\Session Manager\Execute
' HKLM... Control\Session Manager\SetupExecute
' HKLM... Control\Session Manager\WOW\cmdline, wowcmdline
' 8. HKLM... Windows NT... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
' 9. HKLM... Windows NT... Image File Execution Options ("Debugger" subkeys)
'10. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff scripts (W2K/WXP/WVa)
'11. HKCU/HKLM Protocols\Filter
'12. Context menu shell extensions
'13. HKCU/HKLM executable file type (bat/cmd/com/exe/hta/pif/scr)
'14. System/Group Policies
'15. Enabled Wallpaper & Screen Saver
'16. WIN.INI load/run, SYSTEM.INI shell/scrnsave.exe, WINSTART.BAT, IniFileMapping
'17. AUTORUN.INF in root directory of local fixed disks
'18. HKLM... Explorer\AutoplayHandlers\Handlers
'19. DESKTOP.INI in any local fixed disk directory (section skipped by default)
'20. Startup Directories
'21. Enabled Scheduled Tasks
'22. Winsock2 Service Provider DLLs
'23. Internet Explorer Toolbars, Explorer Bars, Extensions
'24. Internet Explorer URL Prefixes
'25. Misc. IE Hijack Points
'26. HOSTS file
'27. Started Services
'28. Accessibility Tools
'29. Keyboard Driver Filters
'30. Print Monitors
'Script-host helpers: the shell object (Run / Popup / ExpandEnvironmentStrings)
'and the collection of command-line arguments.
Dim Wshso
Set Wshso = WScript.CreateObject("WScript.Shell")
Dim WshoArgs
Set WshoArgs = WScript.Arguments
'Saved Err.Number, plus two MsgBox return values.
Dim intErrNum
Dim intMB
Dim intMB1
'One literal double-quote character, used to quote names inside messages.
Const DQ = """"
'Configuration Detection Section (the numbers in parentheses below are line numbers
'in the original file and do not match this listing)
' FileSystemObject creation error (117)
' CScript/WScript (155)
' Dim (171)
' GetFileVersion(WinVer.exe) (VBScript 5.1) (186)
' OS version (233)
' WMI (294)
' Dim (390)
' command line arguments (463)
' supplementary search MsgBox (561)
' startup MsgBox (598)
' CreateTextFile error (627)
' output file header (663)
' WXP SP2 (677)
'Create the FileSystemObject. Creation failure is trapped rather than allowed to
'abort the script so the user can be told what to check.
'NOTE(review): flagOut (WScript vs CScript) is only determined further down, so this
'block always uses a MsgBox dialog, even when run from a console under cscript.exe.
Dim strFsoMsg
On Error Resume Next
Dim Fso
Set Fso = CreateObject("Scripting.FileSystemObject")
intErrNum = Err.Number
Err.Clear
On Error Goto 0
If intErrNum <> 0 Then
  'NOTE(review): this is a shortened (tinyurl) redirect over plain HTTP; the real
  'destination is not visible in the script and cannot be verified from here.
  strURL = "http://tinyurl.com/7nn6"
  strFsoMsg = DQ & "Silent Runners" & DQ & " cannot access file services critical to" & vbCRLF
  strFsoMsg = strFsoMsg & "proper script operation." & vbCRLF & vbCRLF
  strFsoMsg = strFsoMsg & "If you are running Windows XP, make sure that the" & vbCRLF
  strFsoMsg = strFsoMsg & DQ & "Cryptographic Services" & DQ & " service is started." & vbCRLF & vbCRLF
  strFsoMsg = strFsoMsg & "You can also try reinstalling the latest version of the MS" & vbCRLF
  strFsoMsg = strFsoMsg & "Windows Script Host." & vbCRLF & vbCRLF
  strFsoMsg = strFsoMsg & "Press " & DQ & "OK" & DQ & " to direct your browser to the download site or" & vbCRLF
  strFsoMsg = strFsoMsg & Space(10) & DQ & "Cancel" & DQ & " to quit."
  intMB = MsgBox(strFsoMsg, vbOKCancel + vbCritical, "Can't access the FileSystemObject!")
  'vbOK (= 1): the user asked for the download site to be opened in the browser
  If intMB = vbOK Then Wshso.Run strURL
  WScript.Quit
End If
'Network object (its use is in later sections, not shown here).
Dim oNetwk
Set oNetwk = WScript.CreateObject("WScript.Network")
'Registry hive handles as used by the WMI StdRegProv, with their display names.
Const HKLM = &H80000002
Const HKCU = &H80000001
Const strHKLM = "HKLM"
Const strHKCU = "HKCU"
'Registry value types (StdRegProv numbering).
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
'Script-private pseudo-type: a REG_SZ whose data is not a file name, so no
'company-name (CoName) lookup is attempted for it.
Const REG_SZ_NO_CN = 9
Const REG_QWORD = 11
'Suffix marking a Microsoft file, and the opening brace of a CLSID.
Const MS = " [MS]"
Const LBr = "{"
'Markers apparently prefixed to infection / hijack warnings (see flagIWarn/flagHWarn).
'NOTE(review): both are identical here ("<> "); in a forum paste the text between the
'angle brackets may have been stripped as HTML markup - compare with the original file.
Const IWarn = "<> "
Const HWarn = "<> "
'Decide how messages reach the user: "W" = WScript host (MsgBox / Popup dialogs),
'"C" = CScript host (WScript.Echo to the console). The host is identified from
'the executable name in WScript.FullName, compared case-insensitively.
Dim flagOut
Dim strHostExe
strHostExe = LCase(WScript.FullName)
If InStr(strHostExe, "wscript.exe") > 0 Then
  flagOut = "W"
ElseIf InStr(strHostExe, "cscript.exe") > 0 Then
  flagOut = "C"
Else
  'Unknown host: assume Echo works, say so, and carry on.
  flagOut = "C"
  WScript.Echo "Neither " & DQ & "WSCRIPT.EXE" & DQ & " nor " & DQ & "CSCRIPT.EXE" & DQ &_
    " was detected as the script host." & vbCRLF & DQ & "Silent Runners" & DQ &_
    " will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_
    "use WScript.Echo for all messages."
End If
'Prefix for titles while in testing mode ("TEST "), otherwise empty; when testing,
'announce it once via a one-second Popup (WScript) or an Echo line (CScript).
Dim strflagTest
If Not flagTest Then
  strflagTest = ""
Else
  strflagTest = "TEST "
  If flagOut <> "W" Then
    WScript.Echo "Silent Runners is in testing mode." & vbCRLF
  Else
    Wshso.Popup "Silent Runners is in testing mode.", 1, "Testing, testing, 1-2-3...", vbOKOnly + vbExclamation
  End If
End If
'GetSpecialFolder constants: 0 = Windows folder, 1 = System folder.
Const SysFolder = 1
Const WinFolder = 0
'O/S identification, filled in by the WINVER.EXE check below.
Public strOS
strOS = "Unknown"
Public strOSLong
strOSLong = "Unknown"
Public strOSXP
strOSXP = "Windows XP Home" 'XP Home or Pro
'Windows and Program Files directories, from the environment.
'NOTE(review): %WINDIR% / %PROGRAMFILES% come from the environment block, whereas
'strFPSF/strFPWF below are obtained from the file system object; which one a given
'section relies on is not visible here.
Public strWinDir
strWinDir = Wshso.ExpandEnvironmentStrings("%WINDIR%")
Public strPgmFilesDir
strPgmFilesDir = Wshso.ExpandEnvironmentStrings("%PROGRAMFILES%")
'Full paths of the System and Windows folders (FullPathSystemFolder / FullPathWindowsFolder).
Public strFPSF
strFPSF = Fso.GetSpecialFolder(SysFolder).Path
Public strFPWF
strFPWF = Fso.GetSpecialFolder(WinFolder).Path
'Bare executable name, without the Windows or System folder prefix.
Public strExeBareName
'WINVER.EXE file version number.
Dim strSysVer
'Additional saved error numbers.
Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6
'Value length, download URL.
Dim intLenValue
Dim strURL
'Group Policies assumed unavailable until the O/S says otherwise.
Dim flagGP
flagGP = False
'Lower limit of the hive index for CLSID lookups: 1 (HKLM only) by default,
'lowered to 0 (HKCU and HKLM) for W2K and later.
Dim intCLL
intCLL = 1
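'Winver.exe is in \Windows under W98, but in \System32 for other O/S's.
'Locate the file first so that a *missing* Winver.exe is not mistaken for the
'GetFileVersion error raised by Windows Script Host < 5.1: a missing file now
'leaves strSysVer empty and falls through to the "O/S Unknown" exit in the next
'block, while only a genuine GetFileVersion failure produces the WSH prompt.
Dim strWinverPath
strWinverPath = ""
If Fso.FileExists(strFPSF & "\Winver.exe") Then
  strWinverPath = strFPSF & "\Winver.exe"
ElseIf Fso.FileExists(strFPWF & "\Winver.exe") Then
  strWinverPath = strFPWF & "\Winver.exe"
End If
strSysVer = ""
intErrNum = 0
If strWinverPath <> "" Then
  'trap GetFileVersion error for VBScript version < 5.1
  On Error Resume Next
  strSysVer = Fso.GetFileVersion(strWinverPath)
  intErrNum = Err.Number : Err.Clear
  On Error Goto 0
End If
'if GetFileVersion returns error due to old WSH version
If intErrNum <> 0 Then
  'NOTE(review): shortened (tinyurl) redirect over plain HTTP; destination not verifiable here
  strURL = "http://tinyurl.com/7zh0"
  If flagOut = "W" Then
    'explain the problem in a dialog
    intMB = MsgBox ("This script requires Windows Script Host (WSH) 5.1 " &_
      "or higher to run." & vbCRLF & vbCRLF & "Press " & DQ & "OK" &_
      DQ & " to direct your browser to the WSH download site or " &_
      DQ & "Cancel" & DQ & " to quit." & vbCRLF & vbCRLF &_
      "(WMI is also required. If it's missing, download instructions " &_
      "will appear later.)", vbOKCancel + vbExclamation, _
      "Unsupported Windows Script Host Version!")
    'vbOK (= 1): open the download site in the browser
    If intMB = vbOK Then Wshso.Run strURL
  Else 'flagOut = "C"
    'explain the problem on the console
    WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_
      "Windows Script Host 5.1 or higher to run." & vbCRLF & vbCRLF &_
      "It can be downloaded at: " & strURL
  End If 'WScript or CScript?
  'quit the script
  WScript.Quit
End If 'VBScript version error encountered?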
'Map the WINVER.EXE file version onto the O/S tag (strOS), a display name
'(strOSLong), the CLSID hive lower limit (intCLL) and the Group-Policy flag
'(flagGP). The tests are ordered so that "4.0.1" (NT4) is matched before the
'"4.0.0.xx" Windows 95 builds. Nothing matches versions after 6.0 (e.g. 6.1),
'so those reach the "O/S Unknown" exit at the end of this block.
Dim strVer3, strVer5, strVer8
strVer3 = Left(strSysVer, 3)
strVer5 = Left(strSysVer, 5)
strVer8 = Left(strSysVer, 8)
Select Case True
  Case Instr(strVer3, "4.1") > 0
    strOS = "W98"
    strOSLong = "Windows 98"
  Case Instr(strVer5, "4.0.1") > 0
    strOS = "NT4"
    strOSLong = "Windows NT 4.0"
  Case Instr(strVer8, "4.0.0.95") > 0
    strOS = "W98"
    strOSLong = "Windows 95"
  Case Instr(strVer8, "4.0.0.11") > 0
    strOS = "W98"
    strOSLong = "Windows 95 SR2 (OEM)"
  Case Instr(strVer3, "5.0") > 0
    strOS = "W2K"
    strOSLong = "Windows 2000"
    intCLL = 0
    flagGP = True
  Case Instr(strVer3, "5.1") > 0
    'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180
    strOS = "WXP"
    strOSLong = "Windows XP"
    intCLL = 0
    If Instr(strSysVer, ".2180") > 0 Then strOSLong = "Windows XP SP2"
  Case Instr(strVer3, "4.9") > 0
    strOS = "WME"
    strOSLong = "Windows Me (Millennium Edition)"
  Case Instr(strVer3, "5.2") > 0
    strOS = "WXP"
    strOSLong = "Windows Server 2003 (interpreted as Windows XP)"
    flagGP = True
    intCLL = 0
  Case Instr(strVer3, "6.0") > 0
    strOS = "WVA"
    strOSLong = "Windows Vista"
    flagGP = True
    intCLL = 0
  Case Else
    'Unrecognized version: report it and exit.
    If flagOut <> "W" Then
      WScript.Echo DQ & "Silent Runners" & DQ & " cannot " &_
        "determine the operating system." & vbCRLF & vbCRLF & "This script will exit."
    Else
      'vbOKCancel + vbExclamation = 49
      intMB = MsgBox ("The " & DQ & "Silent Runners" & DQ &_
        " script cannot determine the operating system." & vbCRLF & vbCRLF &_
        "Click " & DQ & "OK" & DQ & " to send an e-mail to the " &_
        "author, providing the following information:" & vbCRLF & vbCRLF &_
        "WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_
        "or click " & DQ & "Cancel" & DQ & " to quit.", _
        vbOKCancel + vbExclamation, "O/S Unknown!")
      'On OK, hand a mailto: URL to the shell. The address is percent-encoded
      '(presumably against address harvesting); the only local data sent is the
      'WINVER.EXE version string.
      If intMB = vbOK Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_
        "<%6F%73.%76%65%72.%65%72%72%6F%72@%73%69%6C%65%6E%74%72%75%6E%6E%65%72%73.%6F%72%67>?" &_
        "subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_
        "%20file%20version%20=%20" & strSysVer
    End If
    WScript.Quit
End Select
'use WMI to connect to the registry (StdRegProv in root\default); every later
'registry read goes through this object, so a failure here is fatal
On Error Resume Next
Dim oReg : Set oReg = GetObject("winmgmts:\root\default:StdRegProv")
intErrNum = Err.Number : Err.Clear
On Error Goto 0
'detect WMI connection error: explain per O/S family, then exit in every case
If intErrNum <> 0 Then
strURL = ""
'for W98/NT4, assume WMI not installed and direct to d/l URL
'NOTE(review): both are shortened (tinyurl) links over plain HTTP; the
'destination cannot be verified from the script itself
If strOS = "W98" Or strOS = "NT4" Then
If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"
If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7"
'invite user to download WMI & quit
If flagOut = "W" Then
intMB = MsgBox ("This script requires " & DQ & "WMI" &_
DQ & ", Windows Management Instrumentation, to run." &_
vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_
vbCRLF & vbCRLF & "Press " & DQ & "OK" & DQ &_
" to direct your browser to the download site or " &_
DQ & "Cancel" & DQ & " to quit.",_
vbOKCancel + vbCritical,"WMI Not Installed!")
'1 = vbOK: open the download site in the browser
If intMB = 1 Then Wshso.Run strURL
'at command line, explain & quit
Else 'flagOut = "C"
WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_
DQ & "WMI" & DQ & ", Windows Management Instrumentation, " &_
"to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL
End If
'for W2K/WXP/WVa, explain how to start the WMI service
'(strLine is declared further down; VBScript treats script-level Dim as file-wide)
ElseIf strOS = "W2K" Or strOS = "WXP" or strOS = "WVA" Then
If strOS = "W2K" Then strLine = "Settings | Control Panel | "
If strOS = "WXP" Then strLine = "Control Panel | "
If strOS = "WVA" Then strLine = "Control Panel | Classic View | "
'explain how to turn on WMI service
If flagOut = "W" Then
MsgBox "This script requires Windows Management Instrumentation" &_
" to run." & vbCRLF & vbCRLF & "Click on Start | " & strLine &_
"Administrative Tools | Services," & vbCRLF &_
"and start the " & DQ & "Windows Management Instrumentation" &_
DQ & " service.",vbOKOnly + vbCritical,"WMI Service not running!"
'at command line, explain & quit
Else 'flagOut = "C"
WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_
"Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_
"Click on Start | " & strLine & "Administrative " &_
"Tools | Services" & vbCRLF & "and start the " & DQ &_
"Windows Management Instrumentation" & DQ & " service."
End If 'flagOut?
Else 'WMe (the only remaining strOS value at this point)
'say there's a WMI problem
If flagOut = "W" Then
MsgBox "This script requires WMI (Windows Management Instrumentation)" &_
" to run," & vbCRLF & "but WMI is not running correctly.", _
vbOKOnly + vbCritical,"WMI problem!"
'at command line, explain & quit
Else 'flagOut = "C"
WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_
"WMI (Windows Management Instrumentation) to run," & vbCRLF &_
"but WMI is not running correctly."
End If 'flagOut?
End If 'which O/S?
'no registry access without WMI: exit regardless of branch
WScript.Quit
End If 'WMI execution error
'Script-wide working variables for the sections that follow (not shown here).
'Names are kept exactly as the later sections expect them under Option Explicit.
'array of Run keys, counter x 10, hive member, startup folder file,
'startup file shortcut, IERESET.INF file
Dim arRunKeys, i, j, k, l, ii, jj, kk, ll, mm, nn, oHiveElmt, oSUFi, oSUSC
'dictionary, keys, items, hard disk collection
Dim arSK, arSKk, arSKi, colDisks
'arrays: Run key names, keys, sub-keys, value type, SecurityProviders,
' Protocol filters, values
Dim arNames(), arKeys(), arSubKeys(), arType, arSP, arFilter(), arValues
'Sub-Directory DeskTop.Ini array, Sub-Directory Error array, Error array
'Recognized GP names, allowed GP names, accessibility tools
Public arSDDTI(), arSDErr(), arErr(), arRecNames(), arAllowedNames(), arAcc()
'DeskTop.Ini counter, Error counter x 2, Classes data Hive counter
Public ctrArDTI, ctrArErr, ctrErr, ctrCH
Public ctrFo : ctrFo = 0 'folder counter
'name member, key array member x 4, O/S, drive root directory, work file
Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk
'values x 11
Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6
Dim strVal, intValue, intValue1, intValue2, strCmd
'name, single character, startup folder name & display name,
'startup folder, array member, temp var
Dim strName, strChr, arSUFN, arSUFDN, oSUF, strArMember, strTmp, strTmp2
'output string x 3
Public strOut, strOut1, strOut2
'output file msg x 2, warning string, title line
'(strLine is also used by the WMI error messages above)
Dim strLine, strLine1, strLine2, strWarn, strTitleLine
'infection/hijack warning detection flags -- add footer note if True
Public flagIWarn : flagIWarn = False
Public flagHWarn : flagHWarn = False
'register key x 4, sub-key, CLSID key
Dim strKey, strKey1, strKey2, strKey3, strSubKey, strCLSIDKey
'output file name string (incl. path), file name (wo path),
'PIF path string, single binary character
Dim strFN, strFNNP, strPIFTgt, bin1C
Public datLaunch : datLaunch = Now 'script launch time
Public intCnt 'counter
'ref time, time taken by 2 pop-up boxes
Public datRef : datRef = 0
Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0
'TRUE if show all output (default values not filtered)
Public flagShowAll : flagShowAll = False
'report-header text describing the default (filtered) output mode
Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_
"except where indicated by " & DQ & "{++}" & DQ 'output file string
Public strTitle : strTitle = ""
Public strSubTitle : strSubTitle = ""
Public strSubSubTitle : strSubSubTitle = ""
Public flagNVP : flagNVP = False 'existence of name/value pairs in a key
Public flagInfect : flagInfect = False 'flag infected condition
Dim flagMatch 'flag matching keys
Dim flagAllow 'flag key on approved list
Dim flagFound 'flag something that exists
Public flagValueFound 'flag value that exists in Registry
Dim flagDirArg : flagDirArg = False 'presence of output directory argument
Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format
Dim flagTitle 'True if title has already been written
Dim flagAllArg : flagAllArg = False 'presence of all output argument
Dim flagArray 'flag array containing elements
Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all
'directories of local fixed disks
Dim intLBSP 'Last BackSlash Position in path string
Dim intSS 'lowest sort subscript
Dim intType 'value type
Dim strDLL, strCN 'DLL name, company name
'string to signal all output by default
Public strAllOutDefault : strAllOutDefault = ""
'directory containing this script, with a trailing backslash
Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)
If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"
'initialize Path of Output File Folder to script path
'(overridden below when an existing directory is passed as an argument)
Dim strPathOFFo : strPathOFFo = ScrPath
'hive array: (n,0) = display name, (n,1) = StdRegProv hive handle
Public arHives(1,1)
arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002
'Build the command-line usage text. Indentation widths differ between the
'dialog (WScript) and console (CScript) renderings.
'NOTE(review): the text says "two arguments" but goes on to list three numbered
'items; the wording is reproduced unchanged here.
Dim strLSp, strCSp 'Leading Spaces, Centering Spaces
If flagOut = "C" Then
  strLSp = Space(3)
  strCSp = Space(28)
Else
  strLSp = Space(4)
  strCSp = Space(33)
End If
Dim strMsg
strMsg = Join(Array( _
  "Only two arguments are permitted:", _
  "", _
  "1. the name of an existing directory for the output report", _
  strLSp & "(embed in quotes if it contains spaces)", _
  "", _
  strCSp & "AND:", _
  "", _
  "2. " & DQ & "-supp" & DQ & " to search all directories for DESKTOP.INI DLL", _
  strLSp & "launch points", _
  "", _
  strCSp & "-OR-", _
  "", _
  "3. " & DQ & "-all" & DQ & " to output all non-empty values and all launch", _
  strLSp & "points checked"), vbCRLF)
If WshoArgs.length > 0 And WshoArgs.length <= 2 Then
For i = 0 To WshoArgs.length-1
'if directory arg not already passed and arg directory exists
If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then
'get the path & toggle the directory arg flag
Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i))
strPathOFFo = oOFFo.Path : flagDirArg = True
If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"
Set oOFFo=Nothing
'if -all arg not already passed and is this arg
ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then
Więcej nie mogłem skopiować — limit to 60 000 znaków.
Jeśli wiecie, jak poprawnie uruchomić ten skrypt, proszę, pomóżcie… (Z nagłówka i z samego kodu wynika, że to skrypt VBScript przeznaczony dla Windows Script Host — wscript.exe lub cscript.exe — a nie zwykły program.)