Witam.
Pracuję na pożyczonym sprzęcie.
Dzisiaj wyłożył się Outpost Pro - objawy - m.in. brak dojścia do IP i maski, program praktycznie - poza filtrem antyspywarowym - nieaktywny.
Ciekawostką jest pełna funkcjonalność outposta przy załadowaniu systemu w trybie awaryjnym - wygląda, że jest gdzieś jakiś konflikt, bo przy ładowaniu systemu w trybie normalnym po zainstalowaniu outposta, już po bootowaniu - zwiecha, czarny ekran, chociaż mysz chodzi. Zasygnalizowałem problem supportowi z Dagmy - też się biedzą, na razie - pomimo przeinstalowania - żadnych efektów. Sprawa doszła już do producenta, któremu przesłałem (na wyraźne życzenie) info o systemie, ale prosiłbym jeszcze, by Wiedzący rzucili okiem na logi.
NOD i ewido niczego nie wyłapały, czysto. Rejestr przeczyszczony RegCurem i jv16 na czysto.
-
HJ:
Logfile of HijackThis v1.99.1
Scan saved at 18:08:58, on 2006-10-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Documents and Settings\admin\Moje dokumenty\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = “C:\Program Files\Outlook Express\msimn.exe”
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dialog.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype Plugin (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM…\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU…\Run: [LClock] C:\Program Files\LClock\lclock.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Skype Plugin - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/10.19/uploader2.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118511995093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118511943078
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip…{ABBB5761-3A03-466C-8AE6-A97F1CDD1675}: NameServer = 217.30.129.149,217.30.137.200
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
-
SR:
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“LClock” = “C:\Program Files\LClock\lclock.exe” [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“nod32kui” = “C:\Program Files\Eset\nod32kui.exe /WAITSERVICE” ["Eset "]
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer”
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “AcroIEHlprObj Class”
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype Plugin (mastermind)”
-> {HKLM…CLSID} = “Skype Plugin (mastermind)”
\InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
“{FF393560-C2A7-11CF-BFF4-444553540000}” = “History”
-> {HKCU…CLSID} = “History”
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
“{88C6C381-2E85-11D0-94DE-444553540000}” = “ActiveX Cache Folder”
-> {HKCU…CLSID} = “ActiveX Cache Folder”
\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]
“{F5175861-2688-11d0-9C5E-00AA00A45957}” = “Subscription Folder”
-> {HKCU…CLSID} = “Subscription Folder”
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
“{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”
-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
“{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Office\soa800.dll" [MS]
“{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode”
-> {HKLM…CLSID} = “Microsoft Office Binder Explode”
\InProcServer32\(Default) = "D:\Office\UNBIND.DLL" [MS]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”
-> {HKLM…CLSID} = “Outlook File Icon Extension”
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
-> {HKLM…CLSID} = “RealOne Player Context Menu Class”
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”
-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”
-> {HKLM…CLSID} = “DesktopContext Class”
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”
-> {HKLM…CLSID} = “Desktop Explorer”
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”
-> {HKLM…CLSID} = “nView Desktop Context Menu”
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
“{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}” = “ABBYYPDFContextMenuExtension”
-> {HKLM…CLSID} = “AbbyyPDF.PDFShellExtension.1”
\InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
-> {HKLM…CLSID} = “Portable Media Devices Menu”
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”
-> {HKLM…CLSID} = “Microsoft Office Outlook”
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohev.dll" [MS]
“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”
-> {HKLM…CLSID} = “Microsoft Office Metadata Handler”
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
“{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”
-> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
“{13E7F612-F261-4391-BEA2-39DF4F3FA311}” = “Windows Desktop Search”
-> {HKLM…CLSID} = “Windows Desktop Search”
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
“{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” = “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}”
-> {HKLM…CLSID} = “ImageExtractorShellExt Class”
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
“{D66DC78C-4F61-447F-942B-3FB6980118CF}” = “{D66DC78C-4F61-447F-942B-3FB6980118CF}”
-> {HKLM…CLSID} = “CInfoTipShellExt Class”
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
“{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW”
-> {HKLM…CLSID} = “Shell Extension for CDRW”
\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
“{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}” = “XnView Shell Extension”
-> {HKLM…CLSID} = “XnViewShell Class”
\InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]
“{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension”
-> {HKLM…CLSID} = “UnlockerShellExtension”
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”
-> {HKLM…CLSID} = “NVIDIA CPL Extension”
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> “{56F9679E-7826-4C84-81F3-532071A8BCC5}” = (no title provided)
-> {HKLM…CLSID} = “Windows Desktop Search Namespace Manager”
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]
<> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0”
-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
“System” = (value not set)
HKLM\System\CurrentControlSet\Control\SecurityProviders\
<> (“zwebauth.dll” [MS]) “SecurityProviders” = “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll”
HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter”
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
ABBYYPDFContextMenuExtension(Default) = “{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}”
-> {HKLM…CLSID} = “AbbyyPDF.PDFShellExtension.1”
\InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”
-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
\InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”
-> {HKLM…CLSID} = “DAPMenuShellExt Class”
\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”
-> {HKLM…CLSID} = “DAPMenuShellExt Class”
\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
-> {HKLM…CLSID} = “CContextScan Object”
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
IXnView(Default) = “{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}”
-> {HKLM…CLSID} = “XnViewShell Class”
\InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]
NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”
-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}”
-> {HKLM…CLSID} = “Corel Versions”
\InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”
-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
\InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”
-> {HKLM…CLSID} = “DAPMenuShellExt Class”
\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
-> {HKLM…CLSID} = “CContextScan Object”
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”
-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
\InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
FineReader8(Default) = “{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}”
-> {HKLM…CLSID} = “FineReader8ExplorerContextMenuHandler”
\InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”
-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”
-> {HKLM…CLSID} = “UnlockerShellExtension”
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}”
-> {HKLM…CLSID} = “Corel Versions”
\InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”
-> {HKLM…CLSID} = “UnlockerShellExtension”
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
“NoWinKeys” = (REG_DWORD) hex:0x00000001
{Disable Windows+X hotkeys}
“NoStrCmpLogical” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
“NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoResolveTrack” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
“EditLevel” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoRun” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoClose” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoSaveSettings” = (REG_DWORD) hex:0x00000000
{Don’t save settings at exit}
“NoFileMenu” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoCommonGroups” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“StartMenuLogOff” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NoPropertiesRecycleBin” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoCDBurning” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
“NoResolveTrack” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableRegistryTools” = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
“DisableStatusMessages” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Enabled Scheduled Tasks:
“HPpromotions journeysoftware” -> launches: “C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N “journeysoftware” -r” [“hp”]
“RegCure” -> launches: “C:\Program Files\RegCure\RegCure.exe -t” [null data]
“User_Feed_Synchronization-{00902FD0-579C-46B3-A507-A52971BD2344}” -> launches: “C:\WINDOWS\system32\msfeedssync.exe sync” [MS]
“User_Feed_Synchronization-{367C00FC-9EC3-47F3-876C-B98CD0A7EB42}” -> launches: “C:\WINDOWS\system32\msfeedssync.exe sync” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000004\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000005\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]
000000000006\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 39
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{F2CF5485-4E02-4F68-819C-B92DE9277049}”
-> {HKLM…CLSID} = “&Links”
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID{A1A7E22D-1587-4230-8F16-081C68D21448}(Default) = “Szybkie dostosowywanie programu”
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll” [“Agnitum Ltd.”]
HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Research”
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}”
{44627E97-789B-40D4-B5C2-58BD171129A1}\
“ButtonText” = “Szybkie dostosowywanie programu Outpost Firewall Pro”
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
“ButtonText” = “Skype Plugin”
“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
-> {HKLM…CLSID} = “Skype Plugin (button)”
\InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Research”
Miscellaneous IE Hijack Points
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<> “NavigationFailure” = “res://shdoclc.dll/navcancl.htm” [MS]
<> “DesktopItemNavigationFailure” = “res://shdoclc.dll/navcancl.htm” [MS]
<> “NavigationCanceled” = “res://shdoclc.dll/navcancl.htm” [MS]
<> “OfflineInformation” = “res://shdoclc.dll/offcancl.htm” [MS]
<> “PostNotCached” = “res://mshtml.dll/repost.htm” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Agent SAP, NwSapAgent, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]}
NOD32 Kernel Service, NOD32krn, “C:\Program Files\Eset\nod32krn.exe” ["Eset "]
NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]
Odbiornik RIP, Iprip, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\iprip.dll” [MS]}
Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”]
Usługa Pomocnik IPv6, 6to4, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\6to4svc.dll” [MS]}
Usługi Simple TCP/IP, SimpTcp, “C:\WINDOWS\system32\tcpsvcs.exe” [MS]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
FPP2:\Driver = “fppmon2.dll” [“FinePrint Software, LLC”]
Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS]
PCL Language Monitor\Driver = “hpz3l3xu.dll” [“Hewlett-Packard Company”]
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
-
This report excludes default entries except where indicated.
-
To see everywhere the script checks and everything it finds,
launch it from a command prompt or a shortcut with the -all parameter.
-
To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 66 seconds, including 6 seconds for message boxes)
-
Powiedzcie, czy i co wywalić.
Dziękuję za poświęcony czas - SD