Kilka dni walczę z dziwnym zjawiskiem. Mam oryginalny Windows .
Kiedy przyszły uaktualnienia wyskoczył komunikat "Nie można ukończyć sprawdzenia oryginalności systemu Windows "
Koło zegara umieściła sie pięcioramienna gwiazdka.
Kierując sie wskazówkami tam napisanymi nic nie mogę z tym zrobić.
Może ktoś mi pomoże jak to rozwiąząć.
logi :
Logfile of HijackThis v1.99.1
Scan saved at 20:12:59, on 2007-05-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Documents and Settings\oem-pl\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Programy\Scąganie z netu\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: IEbho Class - {68C55168-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\odtwarzacz z napis\Expressivo Demo\IH_iexplore.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\odtwarzacz z napis\Expressivo Demo\IH_iexplore.dll
O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [osCheck] “C:\Program Files\Norton Internet Security\osCheck.exe”
O4 - HKLM…\Run: [symantec PIF AlertEng] “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” /a /m “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll”
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU…\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU…\RunOnce: [update0] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe”
O8 - Extra context menu item: Download all links using BitComet - res://D:\Programy\Scąganie z netu\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Programy\Scąganie z netu\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Programy\Scąganie z netu\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: IE7pro - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra ‘Tools’ menuitem: IE7pro Ctrl+Alt+7 - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ … 586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]
“WMPNSCFG” = “C:\Program Files\Windows Media Player\WMPNSCFG.exe” [MS]
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
“Update0” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe”” [“RealNetworks, Inc.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]
“osCheck” = ““C:\Program Files\Norton Internet Security\osCheck.exe”” [“Symantec Corporation”]
“Symantec PIF AlertEng” = ““C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” /a /m “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll”” [“Symantec Corporation”]
“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “Adobe PDF Reader Link Helper”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll” [“Symantec Corporation”]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = “BitComet ClickCapture”
-> {HKLM…CLSID} = “BitComet Helper”
\InProcServer32(Default) = “D:\Programy\Scąganie z netu\BitComet\tools\BitCometBHO_1.1.2.7.dll” [“BitComet”]
{68C55168-E188-40DF-A514-835FCD78B1BF}(Default) = (no title provided)
-> {HKLM…CLSID} = “IEbho Class”
\InProcServer32(Default) = “C:\Program Files\IE7pro\IE7pro.dll” [“IE7pro.com”]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}(Default) = (no title provided)
-> {HKLM…CLSID} = “Groove GFS Browser Helper”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{85F685C3-20D9-4943-95E4-EB4224056C3F}(Default) = (no title provided)
-> {HKLM…CLSID} = “Expressivo”
\InProcServer32(Default) = “E:\odtwarzacz z napis\Expressivo Demo\IH_iexplore.dll” [“IVO Software Sp. z o.o.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension”
-> {HKLM…CLSID} = “SimpleShlExt Class”
\InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string]
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
-> {HKLM…CLSID} = “RealOne Player Context Menu Class”
\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”
-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”
\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]
“{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension”
-> {HKLM…CLSID} = “7-Zip Shell Extension”
\InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]
“{B7056B8E-4F99-44f8-8CBD-282390FE5428}” = “VirtualCloneDrive”
-> {HKLM…CLSID} = “VirtualCloneDrive Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll” [“Elaborate Bytes AG”]
“{72853161-30C5-4D22-B7F9-0BBC1D38A37E}” = “Groove GFS Browser Helper”
-> {HKLM…CLSID} = “Groove GFS Browser Helper”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}” = “Groove GFS Explorer Bar”
-> {HKLM…CLSID} = “Groove Folder Synchronization”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{A449600E-1DC6-4232-B948-9BD794D62056}” = “Groove GFS Stub Icon Handler”
-> {HKLM…CLSID} = “Groove GFS Stub Icon Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{B5A7F190-DDA6-4420-B3BA-52453494E6CD}” = “Groove GFS Stub Execution Hook”
-> {HKLM…CLSID} = “Groove GFS Stub Execution Hook”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{6C467336-8281-4E60-8204-430CED96822D}” = “Groove GFS Context Menu Handler”
-> {HKLM…CLSID} = “Groove GFS Context Menu Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{387E725D-DC16-4D76-B310-2C93ED4752A0}” = “Groove XML Icon Handler”
-> {HKLM…CLSID} = “Groove XML Icon Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{16F3DD56-1AF5-4347-846D-7C10C4192619}” = “Groove Explorer Icon Overlay 3 (GFS Folder)”
-> {HKLM…CLSID} = “Groove Explorer Icon Overlay 3 (GFS Folder)”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}” = “Groove Explorer Icon Overlay 2 (GFS Stub)”
-> {HKLM…CLSID} = “Groove Explorer Icon Overlay 2 (GFS Stub)”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}” = “Groove Explorer Icon Overlay 4 (GFS Unread Mark)”
-> {HKLM…CLSID} = “Groove Explorer Icon Overlay 4 (GFS Unread Mark)”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{99FD978C-D287-4F50-827F-B2C658EDA8E7}” = “Groove Explorer Icon Overlay 1 (GFS Unread Stub)”
-> {HKLM…CLSID} = “Groove Explorer Icon Overlay 1 (GFS Unread Stub)”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{920E6DB1-9907-4370-B3A0-BAFC03D81399}” = “Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)”
-> {HKLM…CLSID} = “Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”
-> {HKLM…CLSID} = “Outlook File Icon Extension”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL” [MS]
“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”
-> {HKLM…CLSID} = “Microsoft Office Outlook”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL” [MS]
“{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”
-> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL” [MS]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS]
“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”
-> {HKLM…CLSID} = “Microsoft Office Metadata Handler”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]
“{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”
-> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser”
-> {HKLM…CLSID} = “Nokia Phone Browser”
\InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”]
“{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx”
-> {HKLM…CLSID} = “AlcoholShellEx”
\InProcServer32(Default) = “E:\ALCOHO~2\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> “{B5A7F190-DDA6-4420-B3BA-52453494E6CD}” = “Groove GFS Stub Execution Hook”
-> {HKLM…CLSID} = “Groove GFS Stub Execution Hook”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]
HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}”
-> {HKLM…CLSID} = “7-Zip Shell Extension”
\InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}”
-> {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll” [“Symantec Corporation”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}”
-> {HKLM…CLSID} = “Groove GFS Context Menu Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}”
-> {HKLM…CLSID} = “7-Zip Shell Extension”
\InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}”
-> {HKLM…CLSID} = “Groove GFS Context Menu Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}”
-> {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll” [“Symantec Corporation”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}”
-> {HKLM…CLSID} = “Groove GFS Context Menu Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}”
-> {HKLM…CLSID} = “Groove GFS Context Menu Handler”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NoCDBurning” = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableRegistryTools” = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS]
Enabled Scheduled Tasks:
“Idle Time Backup” -> launches: “F:\Backup\itbackup.exe /n” [file not found]
“Norton Internet Security - Run Full System Scan - oem-pl” -> launches: “C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /TASK:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{F2CF5485-4E02-4F68-819C-B92DE9277049}”
-> {HKLM…CLSID} = “&Links”
\InProcServer32(Default) = “C:\WINDOWS\system32\ieframe.dll” [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{90222687-F593-4738-B738-FBEE9C7B26DF}” = “NCO Toolbar”
-> {HKLM…CLSID} = “Show Norton Toolbar”
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll” [“Symantec Corporation”]
“{85F685C3-20D9-4943-95E4-EB4224056C3F}” = “Expressivo”
-> {HKLM…CLSID} = “Expressivo”
\InProcServer32(Default) = “E:\odtwarzacz z napis\Expressivo Demo\IH_iexplore.dll” [“IVO Software Sp. z o.o.”]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}(Default) = “Groove Folder Synchronization”
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL” [MS]
HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj”
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{0026439F-A980-4F18-8C95-4F1CBBF9C1D8}\
“ButtonText” = “IE7pro”
“MenuText” = “IE7pro Ctrl+Alt+7”
“CLSIDExtension” = “{B119EB0C-C021-46CF-85B0-34A760E0D5FE}”
-> {HKLM…CLSID} = “ToolsExt Class”
\InProcServer32(Default) = “C:\Program Files\IE7pro\IE7pro.dll” [“IE7pro.com”]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.5.0_11”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.5.0_11”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”]
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
“ButtonText” = “Wyślij do programu OneNote”
“MenuText” = “Wyślij &do programu OneNote”
“CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}”
-> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll” [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Research”
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
“MenuText” = “@xpsp3res.dll,-20001”
“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”]
COM Host, comHost, ““C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe”” [“Symantec Corporation”]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h ccCommon” [“Symantec Corporation”]
Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS]
Symantec AppCore Service, SymAppCore, ““C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe”” [“Symantec Corporation”]
Symantec Core LC, Symantec Core LC, ““C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe”” [“Symantec Corporation”]
Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h ccCommon” [“Symantec Corporation”]
Symantec Lic NetConnect service, CLTNetCnService, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h ccCommon” [“Symantec Corporation”]
Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h ccCommon” [“Symantec Corporation”]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, “C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup” {“C:\WINDOWS\System32\WUDFSvc.dll” [MS]}
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS]
Send To Microsoft OneNote Monitor\Driver = “msonpmon.dll” [MS]
SUGS1 Langmon\Driver = “SUGS1LMK.DLL” [“Samsung Electronics.”]
<>: Suspicious data at a malware launch point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 183 seconds, including 5 seconds for message boxes)
