Suspicious connections blocked by the firewall

Until now I hadn't used a firewall, but after problems with malware I installed Outpost Firewall Pro (the malware, despite the combined efforts of avast and various spyware scanners, was not necessarily removed, but right at the start the firewall blocked suspicious connections (l.mezzicodec.net) and outright attacks, which have not recurred since).

Every few seconds the following appears in Blocked Connections:

Direction: IN REFUSED

Reason: Packet to closed port, less often Block Incoming RPC (TCP) or Block NetBIOS traffic (least often)

In Allowed Connections, some site 194.204.159.1 keeps appearing (Direction: OUT; Protocol: UDP; Port: DNS)

Is this normal, or do I have some kind of problem?

Important notice regarding topic titles

Change the title to a specific one that describes the problem.

To do this, please use the edit button.

Download the tools available at the link and, once you have generated them, paste the HijackThis and Silent Runners logs as described - the log specialists will take care of the problem.

So what do you expect, given that this junk is still sitting on the computer and trying to connect to the net? Post the logs and maybe we can get rid of the pests completely, although personally I would suggest a format; the problems will certainly stop, especially if you install a firewall before connecting the computer to the net.

Logfile of HijackThis v1.99.1

Scan saved at 15:19:04, on 07-06-23

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NEOSTRADA TP\CNXMON.EXE

C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE

C:\PROGRAM FILES\NEOSTRADA TP\TASKBARICON.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE

C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQSTE08.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\NEOSTRADA TP\NEOSTRADATP.EXE

C:\PROGRAM FILES\NEOSTRADA TP\COMCOMP.EXE

C:\PROGRAM FILES\NEOSTRADA TP\WATCH.EXE

C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OP_VIEWER.EXE

C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~2.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WINOJN32] rundll32 WINOJN32.DLL,run

O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice

O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\PLUGINS\BROWSERBAR\IE_BAR.DLL

Of the suspicious processes that, according to the firewall, try to connect to the internet, only C:\WINDOWS\SYSTEM\RPCSS.EXE was found. No trace of NETBIOS or n/a in the log.

Look HERE

In safe mode, use FixVundo + VirtmundoBeGone

After that, post new HJT + SilentRunners logs

And? Is it normal that it wants to connect to the network for some purpose (although when it is blocked, nothing bad happens)?

If nothing is happening, then you can keep blocking it. Did you scan with the programs? Did they find anything?

FixVundo found nothing. I'm pasting the logs.

Logfile of HijackThis v1.99.1

Scan saved at 00:20:18, on 07-06-27

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NEOSTRADA TP\CNXMON.EXE

C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE

C:\PROGRAM FILES\NEOSTRADA TP\TASKBARICON.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE

C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE

C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQSTE08.EXE

C:\PROGRAM FILES\NEOSTRADA TP\NEOSTRADATP.EXE

C:\PROGRAM FILES\NEOSTRADA TP\COMCOMP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\PROGRAM FILES\NEOSTRADA TP\WATCH.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~2.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WINOJN32] rundll32 WINOJN32.DLL,run

O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice

O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\PLUGINS\BROWSERBAR\IE_BAR.DLL

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5059/mcfscan.cab

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows 98

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "ctfmon.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]

"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]

"SystemTray" = "SysTray.ExE" [MS]

"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

"Zasobnik systemowy" = "SysTray.Exe" [MS]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [","]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"avast! Web Scanner" = "C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE" ["ALWIL Software"]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]

"WINOJN32" = "rundll32 WINOJN32.DLL,run" [MS]

"Outpost Firewall" = ""C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice" ["Agnitum Ltd."]

"OutpostFeedBack" = "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup" ["Agnitum Ltd."]

"ashMaiSv" = "C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe" ["ALWIL Software"]


HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ {++}

"SchedulingAgent" = "mstask.exe" [MS]

"MOSearch" = "C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE" [MS]

"MDM7" = ""C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"" [MS]

"avast!" = "C:\Program Files\Alwil Software\Avast4\ashServ.exe" ["ALWIL Software"]

"Outpost Firewall" = "C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service" ["Agnitum Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"

  -> {HKLM...CLSID} = "Nero Shell Extension Property Sheet"

                   \InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OP_SHELL.DLL" ["Agnitum Ltd."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OP_SHELL.DLL" ["Agnitum Ltd."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OP_SHELL.DLL" ["Agnitum Ltd."]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



WIN.INI & SYSTEM.INI launch points:

-----------------------------------


SYSTEM.INI

[boot]

"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\TEKST3~1.SCR" (Tekst 3W.scr) [MS]



Startup items in "Startup" & "All Users...Startup" folders:

-----------------------------------------------------------


C:\WINDOWS\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]



Enabled Scheduled Tasks:

------------------------


"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1

C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4

C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRAM FILES\NEOSTRADA TP\AUDIENCE\AUDIENCE.DLL" ["$"]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRAM FILES\NEOSTRADA TP\AUDIENCE\AUDIENCE.DLL" ["$"]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRAM FILES\NEOSTRADA TP\AUDIENCE\AUDIENCE.DLL" ["$"]


HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Outpost Firewall Pro Quick Tune"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\PLUGINS\BROWSERBAR\IE_BAR.DLL" ["Agnitum Ltd."]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{44627E97-789B-40D4-B5C2-58BD171129A1}\

"ButtonText" = "Outpost Firewall Pro Quick Tune"



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)

The Internet Explorer version cannot be found!


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

The contents of IERESET.INF cannot be reliably checked!


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


Missing lines (compared with English-language version):

[Strings]: 2 lines


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~2.DLL" [","]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

usbmon\Driver = "usbmon.dll" [MS]

hpzs9x15\Driver = "hpzs9x15.dll" ["HP"]

usbmon.dll\Driver = "usbmon.dll" [MS]



----------

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 123 seconds.

---------- (total run time: 189 seconds)

Finish up with online scanners - Scanners to choose from