Witam serdecznie,
Mam proble z dymkiem critical system errors . Poza tym na pasku IE pojawily mi sie jakies nowe skroty a co jakis czas pokazuje sie inny dymek:“system performance monitor: warning”. Próbowałam sobie z nimi poradzic za pomocą SmitFraudFix ale nie wiem dlaczego nie moge go uruchomic. Zamieszczam utworzone loga i prosze o pomoc w wykryciu tych paskud zebym wiedziala co mam usunac:)
dodam jeszcze ze w programach mialam zainstalowane jakies: ivideocodec oraz IE pluggin 2006 (chyba jakos tak) te nazwy pojawiaja sie w logach mimo ze z programow juz je usunelam.
Dziekuje za wszelka pomoc!
Logfile of HijackThis v1.99.1
Scan saved at 22:05:01, on 2006-11-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iVideoCodec\isamonitor.exe
C:\Program Files\iVideoCodec\pmsngr.exe
C:\Program Files\iVideoCodec\pmmon.exe
C:\Program Files\iVideoCodec\isamini.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
E:\
C:\Documents and Settings\All Users\Dokumenty\Neostrada TP\NeostradaTP.exe
C:\Documents and Settings\All Users\Dokumenty\Neostrada TP\ComComp.exe
C:\Documents and Settings\All Users\Dokumenty\Neostrada TP\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Renata\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\iVideoCodec\isaddon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM…\Run: [EssSpkPhone] essspk.exe
O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM…\Run: [ElbyCheckElbyCDFL] “C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [ADATA_PLUtil] C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM…\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM…\Run: [shStatEXE] “C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE” /STANDALONE
O4 - HKLM…\Run: [McAfeeUpdaterUI] “C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe” /StartedFromRunKey
O4 - HKLM…\Run: [Network Associates Error Reporting Service] “C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe”
O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU…\Run: [Gadu-Gadu] "E:\
O8 - Extra context menu item: Eksport do programu Microsoft Excel - c:\program files\microsoft office\office\excel.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip…{DB7FFCAB-AC1B-458B-8109-E4C43FE83422}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bonspells - {11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} - C:\WINDOWS\system32\okkmtv.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Serwis struktury programu McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]
“Gadu-Gadu” = ""E:\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
“isamonitor.exe” = “C:\Program Files\iVideoCodec\isamonitor.exe” [null data]
“pmsngr.exe” = “C:\Program Files\iVideoCodec\pmsngr.exe” [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS]
“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]
“InCD” = “C:\Program Files\ahead\InCD\InCD.exe” [“Copyright © ahead software gmbh and its licensors”]
“EssSpkPhone” = “essspk.exe” [null data]
“WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”]
“ElbyCheckElbyCDFL” = ““C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe” /L ElbyCDFL” [“Elaborate Bytes”]
“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]
“ADATA_PLUtil” = “C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe” [“Prolific Technology Inc.”]
“PLFFAP” = “C:\WINDOWS\system32\HotfixQ0306270.exe” [“Prolific Technology Inc.”]
“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]
“ccRegVfy” = “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe” [“Symantec Corporation”]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe” [“HP”]
“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe” [“Symantec Corporation”]
“ShStatEXE” = ““C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE” /STANDALONE” [“Network Associates, Inc.”]
“McAfeeUpdaterUI” = ““C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe” /StartedFromRunKey” [“Network Associates, Inc.”]
“Network Associates Error Reporting Service” = ““C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe”” [“Network Associates, Inc.”]
“DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [file not found]
“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [file not found]
“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [file not found]
“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
- {HKLM…CLSID} = “AcroIEHlprObj Class”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]
{259F616C-A300-44F5-B04A-ED001A26C85C}(Default) = (no title provided)
- {HKLM…CLSID} = “Solid Converter PDF”
\InProcServer32(Default) = “C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll” [“VoyagerSoft, LLC”]
{274c0420-ebe0-4f1d-b473-edd1aa9b85dd}(Default) = (no title provided)
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\iVideoCodec\isaddon.dll” [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper”
- {HKLM…CLSID} = “CNavExtBho Class”
\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
- {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów”
- {HKLM…CLSID} = “Eksplorator pulpitów”
\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”
- {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
- {HKLM…CLSID} = “Portable Media Devices Menu”
\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
- {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{259F616C-A300-44F5-B04A-ED001A26C85C}” = “SolidConverter extension”
- {HKLM…CLSID} = “Solid Converter PDF”
\InProcServer32(Default) = “C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll” [“VoyagerSoft, LLC”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
“{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}” = “bonspells”
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\okkmtv.dll” [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“bonspells” = “{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}”
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\okkmtv.dll” [null data]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
SolidConverterPDF(Default) = “{259F616C-A300-44F5-B04A-ED001A26C85C}”
- {HKLM…CLSID} = “Solid Converter PDF”
\InProcServer32(Default) = “C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll” [“VoyagerSoft, LLC”]
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”
- {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [file not found]
VirusScan(Default) = “{cda2863e-2497-4c49-9b89-06840e070a87}”
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Network Associates\VirusScan\shext.dll” [“Network Associates, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
- {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
VirusScan(Default) = “{cda2863e-2497-4c49-9b89-06840e070a87}”
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Network Associates\VirusScan\shext.dll” [“Network Associates, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
- {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SolidConverterPDF(Default) = “{259F616C-A300-44F5-B04A-ED001A26C85C}”
- {HKLM…CLSID} = “Solid Converter PDF”
\InProcServer32(Default) = “C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll” [“VoyagerSoft, LLC”]
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”
- {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [file not found]
VirusScan(Default) = “{cda2863e-2497-4c49-9b89-06840e070a87}”
- {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Network Associates\VirusScan\shext.dll” [“Network Associates, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
- {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\Renata\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}”
- {HKLM…CLSID} = “Norton AntiVirus”
\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [file not found]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}”
- {HKLM…CLSID} = “Norton AntiVirus”
\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [file not found]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus”
- {HKLM…CLSID} = “Norton AntiVirus”
\InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [file not found]
“{259F616C-A300-44F5-B04A-ED001A26C85C}” = (no title provided)
- {HKLM…CLSID} = “Solid Converter PDF”
\InProcServer32(Default) = “C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll” [“VoyagerSoft, LLC”]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [file not found]
HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [file not found]
HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [file not found]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
“MenuText” = “Uninstall BitDefender Online Scanner v8”
“Exec” = “%windir%\bdoscandel.exe” [null data]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
Miscellaneous IE Hijack Points
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
“{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)
- {HKLM…CLSID} = “Search Class”
\InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]
Network Associates McShield, McShield, ““C:\Program Files\Network Associates\VirusScan\Mcshield.exe”” [“Network Associates, Inc.”]
Network Associates Task Manager, McTaskManager, ““C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe”” [“Network Associates, Inc.”]
NVIDIA Driver Helper Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”]
PLFlash DeviceIoControl Service, PLFlash DeviceIoControl Service, “C:\WINDOWS\system32\IoctlSvc.exe” [“Prolific Technology Inc.”]
Serwis struktury programu McAfee, McAfeeFramework, “C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart” [“Network Associates, Inc.”]
Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”]
Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”]
Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]
WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\system32\MsPMSPSv.exe” [MS]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
PDF-XChange\Driver = “pxc25pm.dll” [“Tracker Software”]
: Suspicious data at a malware launch point.
: Suspicious data at a browser hijack point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- The search for DESKTOP.INI DLL launch points on all local fixed drives
took 73 seconds.
---------- (total run time: 187 seconds)