"Wywalony" Outpost - logi HJ i SR do przejrzenia

Stary_Dziad · 18 Październik 2006 16:23

Witam.

Pracuję na pożyczonym sprzęcie.

Dzisiaj wyłożył się Outpost Pro - objawy - m.in. brak dojścia do IP i maski, program praktycznie - poza filtrem antyspywarowym - nieaktywny.

Ciekawostką jest pełna funkcjonalność outposta przy załadowaniu systemu w trybie awaryjnym - wygląda, że jest gdzieś jakiś konflikt, bo przy ładowaniu systemu w trybie normalnym po zainstalowaniu outposta, już po bootowaniu - zwiecha, czarny ekran, chociaż mysz chodzi. Zasygnalizowałem problem supportowi z Dagmy - też się biedzą, na razie - pomimo przeinstalowania - żadnych efektów. Sprawa doszła już do producenta, któremu przesłałem (na wyraźne życzenie) info o systemie, ale prosiłbym jeszcze, by Wiedzący rzucili okiem na logi.

NOD i ewido niczego nie wyłapały, czysto. Rejestr przeczyszczony RegCurem i jv16 na czysto.

HJ:

Logfile of HijackThis v1.99.1

Scan saved at 18:08:58, on 2006-10-18

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\LClock\lclock.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\Documents and Settings\admin\Moje dokumenty\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = “C:\Program Files\Outlook Express\msimn.exe”

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dialog.net.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype Plugin (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O4 - HKLM…\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU…\Run: [LClock] C:\Program Files\LClock\lclock.exe

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: Skype Plugin - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/10.19/uploader2.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118511995093

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118511943078

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

O17 - HKLM\System\CCS\Services\Tcpip…{ABBB5761-3A03-466C-8AE6-A97F1CDD1675}: NameServer = 217.30.129.149,217.30.137.200

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
SR:

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“LClock” = “C:\Program Files\LClock\lclock.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“nod32kui” = “C:\Program Files\Eset\nod32kui.exe /WAITSERVICE” ["Eset "]

“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer”
```
                                     \StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
```
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”
```
                \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
```
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype Plugin (mastermind)”

-> {HKLM…CLSID} = “Skype Plugin (mastermind)”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
```
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
```
“{FF393560-C2A7-11CF-BFF4-444553540000}” = “History”

-> {HKCU…CLSID} = “History”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
```
“{88C6C381-2E85-11D0-94DE-444553540000}” = “ActiveX Cache Folder”

-> {HKCU…CLSID} = “ActiveX Cache Folder”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]
```
“{F5175861-2688-11d0-9C5E-00AA00A45957}” = “Subscription Folder”

-> {HKCU…CLSID} = “Subscription Folder”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
```
“{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
```
                \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
```
“{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler”

-> {HKLM…CLSID} = (no title provided)
```
                \InProcServer32\(Default) = "D:\Office\soa800.dll" [MS]
```
“{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode”

-> {HKLM…CLSID} = “Microsoft Office Binder Explode”
```
                \InProcServer32\(Default) = "D:\Office\UNBIND.DLL" [MS]
```
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Outlook File Icon Extension”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
```
“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”

-> {HKLM…CLSID} = “RealOne Player Context Menu Class”
```
                \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
```
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”
```
                \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
```
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”

-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
```
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
```
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
```
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
```
“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
```
“{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}” = “ABBYYPDFContextMenuExtension”

-> {HKLM…CLSID} = “AbbyyPDF.PDFShellExtension.1”
```
                \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]
```
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
```
“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

-> {HKLM…CLSID} = “Microsoft Office Outlook”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
```
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)
```
                \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohev.dll" [MS]
```
“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”

-> {HKLM…CLSID} = “Microsoft Office Metadata Handler”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
```
“{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”

-> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
```
“{13E7F612-F261-4391-BEA2-39DF4F3FA311}” = “Windows Desktop Search”

-> {HKLM…CLSID} = “Windows Desktop Search”
```
                \InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
```
“{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” = “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}”

-> {HKLM…CLSID} = “ImageExtractorShellExt Class”
```
                \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
```
“{D66DC78C-4F61-447F-942B-3FB6980118CF}” = “{D66DC78C-4F61-447F-942B-3FB6980118CF}”

-> {HKLM…CLSID} = “CInfoTipShellExt Class”
```
                \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
```
“{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW”

-> {HKLM…CLSID} = “Shell Extension for CDRW”
```
                \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
```
“{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}” = “XnView Shell Extension”

-> {HKLM…CLSID} = “XnViewShell Class”
```
                \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]
```
“{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension”

-> {HKLM…CLSID} = “UnlockerShellExtension”
```
                \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
```
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
```
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> “{56F9679E-7826-4C84-81F3-532071A8BCC5}” = (no title provided)

-> {HKLM…CLSID} = “Windows Desktop Search Namespace Manager”
```
                \InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]
```
<> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0”

-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”
```
                \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
```
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”

-> {HKLM…CLSID} = “WPDShServiceObj Class”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
```
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

“System” = (value not set)

HKLM\System\CurrentControlSet\Control\SecurityProviders\

<> (“zwebauth.dll” [MS]) “SecurityProviders” = “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll”

HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}”

-> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
```
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”
```
                \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
```
HKLM\Software\Classes*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension(Default) = “{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}”

-> {HKLM…CLSID} = “AbbyyPDF.PDFShellExtension.1”
```
                \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]
```
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”

-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
```
                \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
```
DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
```
DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
```
ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”

-> {HKLM…CLSID} = “CContextScan Object”
```
                \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
```
IXnView(Default) = “{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}”

-> {HKLM…CLSID} = “XnViewShell Class”
```
                \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]
```
NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
```
                \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
```
VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}”

-> {HKLM…CLSID} = “Corel Versions”
```
                \InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]
```
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”
```
                \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
```
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”

-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
```
                \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
```
DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
```
ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”

-> {HKLM…CLSID} = “CContextScan Object”
```
                \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
```
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”
```
                \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
```
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”

-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
```
                \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
```
FineReader8(Default) = “{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}”

-> {HKLM…CLSID} = “FineReader8ExplorerContextMenuHandler”
```
                \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
```
NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
```
                \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
```
UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

-> {HKLM…CLSID} = “UnlockerShellExtension”
```
                \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
```
VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}”

-> {HKLM…CLSID} = “Corel Versions”
```
                \InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]
```
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”
```
                \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
```
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”
```
                \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
```
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

-> {HKLM…CLSID} = “UnlockerShellExtension”
```
                \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
```
Group Policies {policy setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

“NoWinKeys” = (REG_DWORD) hex:0x00000001

{Disable Windows+X hotkeys}

“NoStrCmpLogical” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

“NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoResolveTrack” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

“EditLevel” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoRun” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoClose” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoSaveSettings” = (REG_DWORD) hex:0x00000000

{Don’t save settings at exit}

“NoFileMenu” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoCommonGroups” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“StartMenuLogOff” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoPropertiesRecycleBin” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoCDBurning” = (REG_DWORD) hex:0x00000000

{unrecognized setting}

“NoResolveTrack” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableRegistryTools” = (REG_DWORD) hex:0x00000000

{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

“DisableStatusMessages” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Scheduled Tasks:

“HPpromotions journeysoftware” -> launches: “C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N “journeysoftware” -r” [“hp”]

“RegCure” -> launches: “C:\Program Files\RegCure\RegCure.exe -t” [null data]

“User_Feed_Synchronization-{00902FD0-579C-46B3-A507-A52971BD2344}” -> launches: “C:\WINDOWS\system32\msfeedssync.exe sync” [MS]

“User_Feed_Synchronization-{367C00FC-9EC3-47F3-876C-B98CD0A7EB42}” -> launches: “C:\WINDOWS\system32\msfeedssync.exe sync” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000004\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000005\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]

000000000006\LibraryPath = “C:\WINDOWS\system32\pnrpnsp.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

imon.dll ["Eset "], 01 - 05, 11

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 39

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{F2CF5485-4E02-4F68-819C-B92DE9277049}”

-> {HKLM…CLSID} = “&Links”
```
                \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
```
Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{A1A7E22D-1587-4230-8F16-081C68D21448}(Default) = “Szybkie dostosowywanie programu”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll” [“Agnitum Ltd.”]

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Research”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}”

{44627E97-789B-40D4-B5C2-58BD171129A1}\

“ButtonText” = “Szybkie dostosowywanie programu Outpost Firewall Pro”

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

“ButtonText” = “Skype Plugin”

“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”

-> {HKLM…CLSID} = “Skype Plugin (button)”
```
                \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
```
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

“ButtonText” = “Research”

Miscellaneous IE Hijack Points

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> “NavigationFailure” = “res://shdoclc.dll/navcancl.htm” [MS]

<> “DesktopItemNavigationFailure” = “res://shdoclc.dll/navcancl.htm” [MS]

<> “NavigationCanceled” = “res://shdoclc.dll/navcancl.htm” [MS]

<> “OfflineInformation” = “res://shdoclc.dll/offcancl.htm” [MS]

<> “PostNotCached” = “res://mshtml.dll/repost.htm” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

Agent SAP, NwSapAgent, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]}

NOD32 Kernel Service, NOD32krn, “C:\Program Files\Eset\nod32krn.exe” ["Eset "]

NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]

Odbiornik RIP, Iprip, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\iprip.dll” [MS]}

Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”]

Usługa Pomocnik IPv6, 6to4, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\6to4svc.dll” [MS]}

Usługi Simple TCP/IP, SimpTcp, “C:\WINDOWS\system32\tcpsvcs.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

FPP2:\Driver = “fppmon2.dll” [“FinePrint Software, LLC”]

Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS]

PCL Language Monitor\Driver = “hpz3l3xu.dll” [“Hewlett-Packard Company”]

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.
- This report excludes default entries except where indicated.
- To see everywhere the script checks and everything it finds,
  
  launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
  
  DLL launch points, use the -supp parameter or answer “No” at the
  
  first message box and “Yes” at the second message box.
---------- (total run time: 66 seconds, including 6 seconds for message boxes)

Powiedzcie, czy i co wywalić.

Dziękuję za poświęcony czas - SD

Gutek · 18 Październik 2006 16:30

Czysto jest

Stary_Dziad · 18 Październik 2006 16:39

Dzięki.

Przepraszam za rozjechane forum, zmniejszyłem czcionkę do wklejenia, ale widzę, że “pojeeeechało”.

Skoro jest ok - to może - kosz?

Gutek · 18 Październik 2006 16:53

Można do kosza, ale zrób tylko jeszcze to - kosmetycznie:

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa

Stary_Dziad · 18 Październik 2006 17:32

Zrobione, dzięki jeszcze raz.

Ciekaw jestem co Agnitum wykombinuje z problemem - pierwszy raz mi się zdarzyło, żeby zażyczyli sobie pełne info o systemie poz screenami komunikatów i rejestru.

Jeszcze raz - dzięki. :brawo:

Złączono Posta : 20.10.2006 (Pią) 21:25

No, to żeby definitywnie zamknąć temat - a może się kiedyś komuś przyda.

Otrzymałem od producenta - Agnitum - następującą odpowiedź:

Przeniosłem plik afpansi.sys - i outpost odzyskał “cnotę” - chodzi OK.

Poszperawszy, wyszło na to, że plik afpansi.sys jest od keyloggera Informer - wykopałem go na stałe i jest ok.

Jeżeli by ktoś potrzebował info o ww. keyloggerze - polecam:

http://www.2-spyware.com/remove-informer.html

W dalszym ciągu nie mam pojęcia, gdzie mogłem go załapać - podejrzewam testowanego bluetootha i Bluesoleil, ale może to “pomówienie”.

W każdym razie - ewido i antyspyware z outposta go nie widziały, a skubany “uwalił” outposta w bliżej jeszcze nieznany sposób.

Dzięki za pomoc - SD