Wykryty backdoor.wi32.agent.arb

pomózcie kasperski wykrył backdoor.win32.agent.arb

o to logi do sprawdzenia i raport kasperskiego

“Silent Runners.vbs”, revision R51, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”” [“Nero AG”]

“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

“SpybotDeletingB7983” = “command /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [null data]

“SpybotDeletingD2046” = “cmd /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”]

“SoundMAX” = ““C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray” [“Analog Devices, Inc.”]

“NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”]

“LogitechVideoRepair” = “E:\Program Files\Logitech\Video\ISStart.exe” [“Labtec Inc.”]

“LogitechVideoTray” = “E:\Program Files\Logitech\Video\LogiTray.exe” [“Labtec Inc.”]

“LXCCCATS” = “rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16” [MS]

“lxccmon.exe” = ““C:\Program Files\Lexmark 3300 Series\lxccmon.exe”” [“Lexmark International, Inc.”]

“FaxCenterServer” = ““C:\Program Files\Lexmark Fax Solutions\fm3032.exe” /s” [null data]

“CnxDslTaskBar” = "“C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe” “ZTE Corporation\ZXDSL852"” [“Conexant Systems, Inc.”]

“SunJavaUpdateSched” = “rem “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”” [file not found]

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

“SpybotDeletingA1847” = “command /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [null data]

“SpybotDeletingC6568” = “cmd /c del “C:\Program Files\Internet Explorer\Setup\svchost.exe”” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”

-> {HKLM…CLSID} = “Skype add-on (mastermind)”

\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {HKLM…CLSID} = “Spybot-S&D IE Protection”

\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band”

-> {HKLM…CLSID} = “History Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]

“{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension”

-> {HKLM…CLSID} = “SimpleShlExt Class”

\InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string]

“{A155339D-CCCD-4714-85EB-3754B804C9DF}” = “a-squared Free Shell Extension”

-> {HKLM…CLSID} = “a-squared Free Shell Extension”

\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]

“{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}” = “My Labtec Pictures”

-> {HKLM…CLSID} = “My Labtec Pictures”

\InProcServer32(Default) = “E:\Program Files\Logitech\Video\Namespc2.dll” [“Labtec Inc.”]

“{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]


{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]


NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]


WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]


a-squared Free Shell Extension(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}”

-> {HKLM…CLSID} = “a-squared Free Shell Extension”

\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “E:\Program Files\rarext.dll” [null data]


a-squared Free Shell Extension(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}”

-> {HKLM…CLSID} = “a-squared Free Shell Extension”

\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]

Group Policies {policy setting}:

Note: detected settings may not have any effect.


“NoResolveTrack” = (REG_DWORD) hex:0x00000001

{unrecognized setting}


“NoResolveTrack” = (REG_DWORD) hex:0x00000001

{unrecognized setting}


“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS]

Startup items in “admin” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 31

%SYSTEMROOT%\system32\nvappfilter.dll [“NVIDIA”], 06 - 08, 14

%SystemRoot%\system32\mswsock.dll [MS], 09 - 11, 15 - 30

%SystemRoot%\system32\rsvpsp.dll [MS], 12 - 13

Toolbars, Explorer Bars, Extensions:

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\


“ButtonText” = “Skype”

“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”

-> {HKLM…CLSID} = “Skype add-on (button)”

\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]


“MenuText” = “Spybot - Search & Destroy Configuration”

“CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}”

-> {HKLM…CLSID} = “Spybot-S&D IE Protection”

\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]


“MenuText” = “@xpsp3res.dll,-20001”

“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

a-squared Free Service, a2free, ““C:\Program Files\a-squared Free\a2service.exe”” [“Emsi Software GmbH”]

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

ATK Keyboard Service, ATKKeyboardService, “C:\WINDOWS\ATKKBService.exe” [“ASUSTeK COMPUTER INC.”]

ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), “C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe” [empty string]

ForceWare IP service, nSvcIp, “C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe” [“NVIDIA Corporation”]

ForceWare user log service, nSvcLog, “C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe” [“NVIDIA Corporation”]

Forceware Web Interface, ForcewareWebInterface, ““C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe” -k runservice” [“Apache Software Foundation”]

LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”]

lxcc_device, lxcc_device, “C:\WINDOWS\system32\lxcccoms.exe -service” [“Lexmark International, Inc.”]

NMIndexingService, NMIndexingService, ““C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe”” [“Nero AG”]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

Registry Management Service, RegManServ, “E:\Advanced Registry Doctor\RegManServ.exe” [null data]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:


3300 Series Port\Driver = “lxcclmpm.DLL” [“Lexmark International, Inc.”]

Lexmark Print-2-Fax Port\Driver = “LXPRMON.DLL” [null data]

---------- (launch time: 2007-08-31 20:01:25)

<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 14 seconds.

---------- (total run time: 40 seconds)

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Jeśli nie masz jakiegoś narzędzia usuwającego, to ściągnij OTMoveIt

Do pola Paste List of Files/Folders to be Moved wklej poniższe ścieżki:

Następnie wciśnij przycisk MoveIt!

Pojawi się komunikat, że jest potrzebny restart do usunięcia podanych plików/folderów- wciśnij Yes.

Po restarcie usuń ręcznie folder C:** _OTMoveIt** (Prawoklik >>> Usuń >>> Opróżnij Kosz).

Opróżnij foldery “TEMP”, “Temporary Internet Files” oraz “System Volume Information”

Potem daj log z Hijacka oraz log z ComboFix (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.


sory ale nie widzę w hijacku tych wpisów które mam usunąć

oto logi

Log wygląda na czysty.

Te sfiksowania podałam na wszelki wypadek, gdyby te wpisy były.

One teoretycznie powinny same zniknąć po restarcie, bo oznaczone były jako “RunOnce”. I rzeczywiście - same zniknęły.


dzięki za wyjasnienie

czy ktos moze mi powiedzieć jak otworzyć porty zmknięte przez windows woorms doors cleaner obawiam sie że zamknąłem nie te porty co trzeba i przez to ares zrywa mi połaczenia podczas ściągania wwdc nie chce sie uruchomic wyskakuje błąd explorer exe

czy jest jakis sposub lub program na otworzenie ręcznie zamkniętych portów

prosze pomózcie i przepraszam jak piszę nie w tym miejscu

Te porty możesz praktycznie otworzyć tylko przy pomocy WWDC, inny sposób wymaga zaniesienia komputera do serwisu naprawczego.

Jeśli WWDC nie chce działać, to go usuń i jeszcze raz ściągnij.

A tak poza tym, to nie sądzę, by te robaczywe porty miały jakiś związek z Aresem.


dzięki za radę to będzie kiszka jak nie moge tych portow sam otworzyć a czy format odblokuje mi te porty

i może mi ktoś powie dlaczego ares po paru minutach zrywa połączenie