VT100 i wiele, wiele innych :-)

Witajcie! Mam bardzo duzo smiecia na kompie, ale juz wole nie robic nic na wlasna reke. Wiem, ze jest tam vt100, ale kij z nim, juz sie do niego przyzwyczailem… prosilbym tylko, zeby jakos doprowadzic tego kompa do uzywalnosci, bo pisze tego posta resztka sil po polgodzinnych mekach z przegladarka :slight_smile:

oto logi:

silent:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [file not found]

"Atss" = ""D:\DOCUME~1\PAWE~1\MOJEDO~1\ECURIT~1\chkntfs.exe" -vt yazr" [null data]

"kkqw" = "D:\PROGRA~1\COMMON~1\kkqw\kkqwm.exe" [empty string]

"Evipxm" = "D:\Program Files\Common Files\W*nSxS\w*nword.exe" (unwritable string) [null data]

"Microsoft DNT Service" = "c:\windows\system32\msdntsrv.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"VT100 Emulator" = "D:\WINDOWS\System32\VT100.EXE" [null data]

"Windows Network Firewall" = "D:\WINDOWS\System32\firewall.exe" [file not found]

"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]

"Microsoft DNT Service" = "c:\windows\system32\msdntsrv.exe" [MS]

"WinDLL (csmss.exe)" = "rundll32.exe D:\WINDOWS\System32\csmss.exe,start" [MS]

"defender" = "c:\\dfndrc_2.exe" ["."]

"keyboard" = "c:\\kybrdc_2.exe" ["."]

"newname" = "c:\\nwnmb_2.exe" ["mudes"]

"utasvc" = "rundll32.exe D:\WINDOWS\System32\utasvc.dll,start" [MS]

"Microsoft (R) Windows Update Manager Tool" = "D:\WINDOWS\update\updmangr.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\mllii.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{28FB393A-2A9B-4B70-BC8E-8133F4EB2D69}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\myutb.dll" [file not found]

"{4D2E3E6F-2C79-4D46-B6DE-03DA2036AAD1}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\apl.dll" [file not found]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]

"{7B0CF7F8-897A-41BB-A9F9-464CB1C81A45}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\whnsta.dll" [file not found]

"{4D6C8563-B154-4969-87AB-C8A470141BB8}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\dfdskmgr.dll" [file not found]

"{D4CA4B08-FE72-44A5-A104-987C1C28F978}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\mkjint40.dll" [null data]

"{294F9489-5226-4D51-A296-AAF4F3D41567}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\mvtvgs.dll" [null data]

"{6DFE875C-68D0-4CA2-98B7-4A2ACA409856}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\dsmasf.dll" [null data]

"{4808758C-4AAE-482C-A84B-0029AD46F7E2}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\ufrvpa.dll" [null data]

"{A984F9B5-E0CC-49C7-90EF-E1801C09B2B9}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\mucsubs.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" = "*\" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\mllii.dll" [null data]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * aswBoot.exe /M:456c33ed" [file not found], [MS], [file not found], [file not found], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! App Management\DLLName = "D:\WINDOWS\system32\fp2403fqe.dll" [null data]

INFECTION WARNING! mllii\DLLName = "mllii.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\Paweł\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


Command Service, cmdService, "D:\WINDOWS\eHh4dnZ2\command.exe" [null data]

Karta wydajności WMI, WmiApSrv, "D:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]

NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "D:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Windows Update Manager Tool, UpdateManagerTool, "D:\WINDOWS\update\updmangr.exe /updatemgr" [null data]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 60 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 32 seconds.

---------- (total run time: 345 seconds)

a to hijack:

Logfile of HijackThis v1.99.1

Scan saved at 22:53:19, on 2006-06-29

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\rundll32.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\NOTEPAD.EXE

D:\Documents and Settings\Paweł\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\System32\mllii.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [VT100 Emulator] D:\WINDOWS\System32\VT100.EXE

O4 - HKLM\..\Run: [Windows Network Firewall] D:\WINDOWS\System32\firewall.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe

O4 - HKLM\..\Run: [WinDLL (csmss.exe)] rundll32.exe D:\WINDOWS\System32\csmss.exe,start

O4 - HKLM\..\Run: [defender] c:\\dfndrc_2.exe

O4 - HKLM\..\Run: [keyboard] c:\\kybrdc_2.exe

O4 - HKLM\..\Run: [newname] c:\\nwnmb_2.exe

O4 - HKLM\..\Run: [utasvc] rundll32.exe D:\WINDOWS\System32\utasvc.dll,start

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager Tool] D:\WINDOWS\update\updmangr.exe

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Atss] "D:\DOCUME~1\PAWE~1\MOJEDO~1\ECURIT~1\chkntfs.exe" -vt yazr

O4 - HKCU\..\Run: [kkqw] D:\PROGRA~1\COMMON~1\kkqw\kkqwm.exe

O4 - HKCU\..\Run: [Evipxm] D:\Program Files\Common Files\W?nSxS\w?nword.exe

O4 - HKCU\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C4BDBDF5-3C92-40D9-8926-27509C687941}: NameServer = 217.30.129.149,217.30.137.200

O20 - Winlogon Notify: App Management - D:\WINDOWS\system32\fp2403fqe.dll

O20 - Winlogon Notify: mllii - D:\WINDOWS\SYSTEM32\mllii.dll

O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\eHh4dnZ2\command.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - D:\WINDOWS\update\updmangr.exe

Z góry dziekuje za pomoc, chociaz wiem ze sytuacja jest beznadziejna :stuck_out_tongue:

pozdrawiam!

P.S. Dodam jeszcze, ze nie mam jak zrobic formata (zepsuty cdrom), a poza tym i tak to by chyba niewiele dalo, biorac pod uwage, ze obydwa moje dyski sa zarazone, ale ja sie tam nie znam…

Użyj Windows Worms Doors Cleanera: zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz usługi Command Service (w logu: cmdService) i Windows Update Manager Tool (w logu: UpdateManagerTool)

  1. Wyłączyć Przywracanie systemu w XP TU

  2. Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).

  3. Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.

  4. Skasować z dysku pliki i foldery, które podkreśliłem na czerwono

  5. Dokończyć skanerami online - Skanery do wyboru

  6. Pokazać nowe logi - wtedy zajmiemy się rejestrem :stuck_out_tongue:

Użyj Look2Me-Destroyer.exe - opis w przyklejonym temacie.

Wpisu R3 nie usuwasz Hijackiem, tylko programem Registrar Lite; opis masz TUTAJ

Zrobilem wszystko, co mowiles, ale zostalo jeszcze tego duzo i wiekszosc tego, co usunalem, z powrotem sie wkrecila :frowning:

hjt:

Logfile of HijackThis v1.99.1

Scan saved at 01:38:46, on 2006-06-30

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\System32\RunDLL32.exe

C:\windows\system32\msdntsrv.exe

D:\WINDOWS\System32\nvsvc32.exe

D:\WINDOWS\System32\WScript.exe

D:\WINDOWS\system32\NOTEPAD.EXE

D:\Documents and Settings\Paweł\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - D:\WINDOWS\system32\mllii.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Atss] "D:\DOCUME~1\PAWE~1\MOJEDO~1\ECURIT~1\chkntfs.exe" -vt yazr

O4 - HKCU\..\Run: [kkqw] D:\PROGRA~1\COMMON~1\kkqw\kkqwm.exe

O4 - HKCU\..\Run: [Evipxm] D:\Program Files\Common Files\W?nSxS\w?nword.exe

O4 - HKCU\..\Run: [Microsoft DNT Service] c:\windows\system32\msdntsrv.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C4BDBDF5-3C92-40D9-8926-27509C687941}: NameServer = 217.30.129.149,217.30.137.200

O20 - Winlogon Notify: mllii - D:\WINDOWS\SYSTEM32\mllii.dll

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

silent runners, nie jestem pewien czy pelny:/ :

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [file not found]

"Atss" = ""D:\DOCUME~1\PAWE~1\MOJEDO~1\ECURIT~1\chkntfs.exe" -vt yazr" [file not found]

"kkqw" = "D:\PROGRA~1\COMMON~1\kkqw\kkqwm.exe" [file not found]

"Evipxm" = "D:\Program Files\Common Files\W*nSxS\w*nword.exe" (unwritable string) [file not found]

"Microsoft DNT Service" = "c:\windows\system32\msdntsrv.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]

"Microsoft DNT Service" = "c:\windows\system32\msdntsrv.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\mllii.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]

"{CCA60260-A2C9-11D2-BA62-0020188191B2}" = "Registrar Registry Manager SHell Extension"

  -> {HKLM...CLSID} = "Registrar Registry Manager SHell Extension"

                   \InProcServer32\(Default) = "rrShellX.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" = "*\" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\mllii.dll" [null data]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * aswBoot.exe /M:456c33ed" [file not found], [MS], [file not found], [file not found], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! mllii\DLLName = "mllii.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "c:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\Paweł\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Wyłączasz przywracanie systemu:

Włączasz tryb awaryjny:

Wpisy usuwasz w Hijacku, a pliki/foldery zaznaczone na czerwono kasujesz ręcznie z dysku.

Te wpisy z kreseczką “_” usuniesz edytorem rejestru Registrar Lite.

Uruchom edytor, w pole Address wklej ścieżkę

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go, po czym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}; kasujesz go z prawokliku, tak samo jak wszystkie inne wpisy z taką samą kreseczką. Kasujesz tylko wpisy zaczynające się od “_” – wpis o tym samym identyfikatorze bez kreseczki to domyślny wpis Internet Explorera i ma zostać.

Natomiast log z Silent Runners jest ucięty - poczekaj, aż program skończy; poinformuje cię o tym stosownym komunikatem :slight_smile:

Po hijacku zrób tak: -Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> w polu typu pliku zmień TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa