"Broken" Outpost - HJ and SR logs for review


(Stary Dziad) #1

Hello.

I'm working on borrowed hardware.

Today Outpost Pro fell over - symptoms include no access to the IP address and mask; the program is practically inactive, apart from the anti-spyware filter.

The curious part is that Outpost is fully functional when the system is started in Safe Mode - it looks like there is a conflict somewhere, because when the system boots normally after installing Outpost, right after booting - a hang, black screen, although the mouse still moves. I reported the problem to Dagma's support - they are struggling with it too; so far, despite a reinstall, no results. The case has already reached the vendor, to whom I sent (at their explicit request) info about the system, but I'd also ask those in the know to have a look at the logs.

NOD and ewido didn't catch anything, clean. Registry cleaned out with RegCure and jv16, clean.

  1. HJ:

    Logfile of HijackThis v1.99.1

    Scan saved at 18:08:58, on 2006-10-18

    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Eset\nod32kui.exe

    C:\Program Files\LClock\lclock.exe

    C:\Program Files\Eset\nod32krn.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\HPZipm12.exe

    C:\WINDOWS\system32\tcpsvcs.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

    C:\Documents and Settings\admin\Moje dokumenty\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dialog.net.pl:8080

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: Skype Plugin (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe

    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

    O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

    O9 - Extra button: Skype Plugin - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    O11 - Options group: [INTERNATIONAL] International*

    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab

    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/10.19/uploader2.cab

    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118511995093

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118511943078

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABBB5761-3A03-466C-8AE6-A97F1CDD1675}: NameServer = 217.30.129.149,217.30.137.200

    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  2. SR:

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/

    Operating System: Windows XP SP2

    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:


    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

    "LClock" = "C:\Program Files\LClock\lclock.exe" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

    "nod32kui" = "C:\Program Files\Eset\nod32kui.exe /WAITSERVICE" ["Eset "]

    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

    HKLM\Software\Microsoft\Active Setup\Installed Components\

    {26923b43-4d38-484f-9b9e-de460746276c}(Default) = "Internet Explorer"

                                        \StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

    -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

    {22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = "Skype Plugin (mastermind)"

    -> {HKLM...CLSID} = "Skype Plugin (mastermind)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

    "{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"

    -> {HKCU...CLSID} = "History"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    "{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX Cache Folder"

    -> {HKCU...CLSID} = "ActiveX Cache Folder"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]

    "{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"

    -> {HKCU...CLSID} = "Subscription Folder"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]

    "{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

    "{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"

    -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Office\soa800.dll" [MS]

    "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"

    -> {HKLM...CLSID} = "Microsoft Office Binder Explode"

                   \InProcServer32\(Default) = "D:\Office\UNBIND.DLL" [MS]

    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

    -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

    -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

    -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

    -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

    -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

    -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

    -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

    "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

    -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

    -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

    -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

    -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohev.dll" [MS]

    "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

    -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

    "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

    -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

    "{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"

    -> {HKLM...CLSID} = "Windows Desktop Search"

                   \InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]

    "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

    -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]

    "{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

    -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]

    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

    -> {HKLM...CLSID} = "Shell Extension for CDRW"

                   \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]

    "{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}" = "XnView Shell Extension"

    -> {HKLM...CLSID} = "XnViewShell Class"

                   \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]

    "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

    -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

    -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

    <> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)

    -> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"

                   \InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

    <> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

    "System" = (value not set)

    HKLM\System\CurrentControlSet\Control\SecurityProviders\

    <> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

    HKLM\Software\Classes\PROTOCOLS\Filter\

    <> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

    -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

    {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"

    -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

    ABBYYPDFContextMenuExtension(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

    -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

    ASW(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

    -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

    DAP_Menu(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

    -> {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

    DAP_ShredMenu(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

    -> {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

    ewido anti-spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

    -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

    IXnView(Default) = "{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}"

    -> {HKLM...CLSID} = "XnViewShell Class"

                   \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]

    NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

    VersionsMenu(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"

    -> {HKLM...CLSID} = "Corel Versions"

                   \InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]

    WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

    -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

    ASW(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

    -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

    DAP_ShredMenu(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

    -> {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

    ewido anti-spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

    -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

    WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

    -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

    ASW(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

    -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

    FineReader8(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

    -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

    NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

    UnlockerShellExtension(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

    -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

    VersionsMenu(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"

    -> {HKLM...CLSID} = "Corel Versions"

                   \InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]

    WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

    -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

    -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    UnlockerShellExtension(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

    -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

    Group Policies {policy setting}:


    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001

    {unrecognized setting}

    "NoWinKeys" = (REG_DWORD) hex:0x00000001

    {Disable Windows+X hotkeys}

    "NoStrCmpLogical" = (REG_DWORD) hex:0x00000001

    {unrecognized setting}

    "NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoResolveTrack" = (REG_DWORD) hex:0x00000001

    {unrecognized setting}

    "EditLevel" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoRun" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoClose" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoSaveSettings" = (REG_DWORD) hex:0x00000000

    {Don't save settings at exit}

    "NoFileMenu" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoCommonGroups" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "StartMenuLogOff" = (REG_DWORD) hex:0x00000001

    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoPropertiesRecycleBin" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoCDBurning" = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    "NoResolveTrack" = (REG_DWORD) hex:0x00000001

    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000

    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001

    {Devices: Allow undock without having to log on}

    "DisableStatusMessages" = (REG_DWORD) hex:0x00000001

    {unrecognized setting}

    Active Desktop and Wallpaper:


    Active Desktop may be disabled at this entry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

    HKCU\Control Panel\Desktop\

    "Wallpaper" = "C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

    Enabled Scheduled Tasks:


    "HPpromotions journeysoftware" -> launches: "C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N "journeysoftware" -r" ["hp"]

    "RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]

    "User_Feed_Synchronization-{00902FD0-579C-46B3-A507-A52971BD2344}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]

    "User_Feed_Synchronization-{367C00FC-9EC3-47F3-876C-B98CD0A7EB42}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]

    Winsock2 Service Provider DLLs:


    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

    000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

    000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

    000000000006\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

    imon.dll ["Eset "], 01 - 05, 11

    %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 39

    %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

    Toolbars, Explorer Bars, Extensions:


    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"

    -> {HKLM...CLSID} = "&Links"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Szybkie dostosowywanie programu"

    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

    InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll" ["Agnitum Ltd."]

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\

    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

    "MenuText" = "Sun Java Console"

    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

    {44627E97-789B-40D4-B5C2-58BD171129A1}\

    "ButtonText" = "Szybkie dostosowywanie programu Outpost Firewall Pro"

    {77BF5300-1474-4EC7-9980-D32B190E9B07}\

    "ButtonText" = "Skype Plugin"

    "CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"

    -> {HKLM...CLSID} = "Skype Plugin (button)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\

    "ButtonText" = "Research"

    Miscellaneous IE Hijack Points


    HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

    <> "NavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]

    <> "DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]

    <> "NavigationCanceled" = "res://shdoclc.dll/navcancl.htm" [MS]

    <> "OfflineInformation" = "res://shdoclc.dll/offcancl.htm" [MS]

    <> "PostNotCached" = "res://mshtml.dll/repost.htm" [MS]

    Running Services (Display Name, Service Name, Path {Service DLL}):


    Agent SAP, NwSapAgent, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}

    NOD32 Kernel Service, NOD32krn, "C:\Program Files\Eset\nod32krn.exe" ["Eset "]

    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

    Odbiornik RIP, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}

    Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]

    Usługa Pomocnik IPv6, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}

    Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\system32\tcpsvcs.exe" [MS]

    Print Monitors:


    HKLM\System\CurrentControlSet\Control\Print\Monitors\

    FPP2:\Driver = "fppmon2.dll" ["FinePrint Software, LLC"]

    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

    PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]


    <>: Suspicious data at a malware launch point.

    <>: Suspicious data at a browser hijack point.

    • This report excludes default entries except where indicated.

    • To see everywhere the script checks and everything it finds,

    launch it from a command prompt or a shortcut with the -all parameter.

    • To search all directories of local fixed drives for DESKTOP.INI

    DLL launch points, use the -supp parameter or answer "No" at the

    first message box and "Yes" at the second message box.

    ---------- (total run time: 66 seconds, including 6 seconds for message boxes)

Tell me whether and what to remove.

Thank you for your time - SD :slight_smile:
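An added example, not from this thread or from either tool: a small Python triage helper that parses HijackThis lines of the kind pasted above and pulls out Silent Runners entries whose file carries no publisher string. The sample lines are copied from the two logs in this post; the allowlist of ActiveX download hosts and the list of user-writable directories are my own assumptions, not anything HijackThis or Silent Runners defines.

```python
"""Triage helper for HijackThis (HJT) and Silent Runners (SR) log excerpts.

Added example, not part of the thread or of either tool.  The heuristics are
deliberately conservative: they say what deserves a manual look, not what to
delete.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: six lines taken from the HijackThis log in the post.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/10.19/uploader2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABBB5761-3A03-466C-8AE6-A97F1CDD1675}: NameServer = 217.30.129.149,217.30.137.200
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed sample: Silent Runners lines from the post.  The bracketed tag is
# the company name SR read from the file's version resource.
SR_SAMPLE = r"""
"LClock" = "C:\Program Files\LClock\lclock.exe" [null data]
               \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
               \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]
               \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"""

HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a binary extension (paths may contain spaces).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"][^"]*?\.(?:exe|dll|sys|cab|ocx|htm)(?![A-Za-z0-9])', re.IGNORECASE)
URL = re.compile(r"https?://\S+")
# SR line whose file had no company string in its version resource.
SR_UNTAGGED = re.compile(r'"(?P<path>[A-Za-z]:\\[^"]+)"\s+\[(?:null data|empty string)\]\s*$')

# Assumptions for the heuristics below, not values either tool defines.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "support.microsoft.com"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


@dataclass
class HjtEntry:
    code: str              # HJT section code, e.g. "O4", "O17"
    body: str              # everything after "<code> - "
    target: Optional[str]  # file path or URL the entry points at, if any


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HJT report lines into entries; process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        hit = WIN_PATH.search(body) or URL.search(body)
        entries.append(HjtEntry(m.group("code"), body, hit.group(0) if hit else None))
    return entries


def name_servers(entries: List[HjtEntry]) -> List[str]:
    """DNS servers from O17 entries (the TCP/IP NameServer values)."""
    servers: List[str] = []
    for e in entries:
        if e.code == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", e.body)
            if m:
                servers.extend(s for s in m.group(1).split(",") if s)
    return servers


def triage(entries: List[HjtEntry]) -> List[str]:
    """Defensive heuristics: which entries deserve a manual look, and why."""
    notes = []
    for e in entries:
        if e.code == "O17":
            notes.append(f"O17 DNS servers {', '.join(name_servers([e]))}: confirm they are your ISP's")
        elif e.code == "O16" and e.target:
            host = urlparse(e.target).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                notes.append(f"O16 ActiveX control downloaded from {host}: keep only if installed on purpose")
        elif e.code == "O20":
            notes.append(f"O20 Winlogon Notify DLL {e.target}: loads into winlogon.exe, verify it is the expected component")
        if e.target and any(p in e.target.lower() for p in USER_WRITABLE):
            notes.append(f"{e.code} launches {e.target} from a user-writable location")
    return notes


def sr_untagged_modules(text: str) -> List[str]:
    """SR entries whose file has no publisher string ([null data] / [empty string]).

    Common for small tools, but also what a dropped binary usually looks like,
    so these are the paths to check by hand first.
    """
    return [m.group("path") for line in text.splitlines() for m in [SR_UNTAGGED.search(line)] if m]


if __name__ == "__main__":
    for note in triage(parse_hjt(HJT_SAMPLE)):
        print(note)
    for path in sr_untagged_modules(SR_SAMPLE):
        print("SR: no publisher string:", path)
```

Run as a script it prints three notes for the HJT sample (the O16 download host, the O17 DNS servers, the O20 Winlogon DLL) and three SR paths without a publisher string. None of this would surface a kernel driver such as the one found later in the thread, which is consistent with neither log pasted here listing drivers at all.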


(Gutek) #2

It's clean :slight_smile:


(Stary Dziad) #3

Thanks.

Sorry for breaking the forum layout; I reduced the font size for pasting, but I can see it still "ran off".

Since it's OK - to the bin, maybe?


(Gutek) #4

It can go to the bin, but first do just this one more thing, as a cosmetic fix:

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created file and confirm >>> reboot the computer


(Stary Dziad) #5

Done, thanks again.

I'm curious what Agnitum will come up with for the problem - it's the first time they've asked me for full system info beyond screenshots of the messages and the registry.

Once again - thanks. :brawo:

Post merged: 20.10.2006 (Fri) 21:25

So, to close the topic for good - maybe it will be useful to someone some day.

I received the following reply from the vendor, Agnitum:

I moved the file afpansi.sys - and Outpost regained its "virtue" - it works OK.

After some digging, it turned out that the file afpansi.sys belongs to the Informer keylogger - I kicked it out for good and everything is OK.

If anyone needs info on that keylogger, I recommend:

I still have no idea where I could have caught it - I suspect the Bluetooth adapter I was testing and Bluesoleil, but that may be "slander".

In any case, ewido and Outpost's anti-spyware didn't see it, and the sneaky thing "killed" Outpost in a way that is still unknown.

Thanks for the help - SD