Witam wszystkich, jestem nowym użytkownikiem forum i nie ukrywam, że zarejestrowałem się tu między innymi z powodu mojego problemu.
OczyszczaczKomputera - nie wiem skąd to się wzięło no, ale cóż. Problem jest w tym, że nie mogę tego wykryć. Zrobiłem log Silent Runners’em, ale nie wiem co i jak więc zamieszczam ten log, a jeśli nic on nie wnosi to proszę o porady. Problem (myślę, że związany z ww. wirusem) drugi to samoczynne zamykanie się aplikacji eksploratora Windows przy każdej próbie dostępu bezpośrednio do jakiegoś katalogu. Co ciekawe po uruchomienia eksploratora windows z menu start, foldery otwierają się już normalnie.
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"CollaborationHost" = "C:\Windows\system32\p2phost.exe -s" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"hpsysdrv" = "c:\hp\support\hpsysdrv.exe" ["Hewlett-Packard Company"]
"KBD" = "C:\HP\KBD\KbdStub.EXE" [null data]
"OsdMaestro" = ""C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"" ["OsdMaestro"]
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"CCUTRAYICON" = "FactoryMode" [file not found]
"HP Health Check Scheduler" = "c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [null data]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"SunJavaUpdateReg" = ""C:\Windows\system32\jureg.exe"" ["Sun Microsystems, Inc."]
"HP Software Update" = "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard"]
"(Default)" = (empty string) [file not found]
"LogitechCommunicationsManager" = ""C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"" ["Logitech Inc."]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"OrderReminder" = "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" ["Hewlett-Packard"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"MSServer" = "rundll32.exe C:\Windows\system32\xxwxw.dll,#1" [MS]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Launcher" = "C:\Windows\SMINST\launcher.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\xxwxw.dll" [null data]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{85F685C3-20D9-4943-95E4-EB4224056C3F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Expressivo"
\InProcServer32\(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{B2153042-7EAC-4B8F-8EA6-4B7A93595613}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\rqoom.dll" [null data]
{D3B43CC4-F2FC-4AB0-9F9B-181279A6BAF8}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\rqoom.dll" [null data]
{ea3fd858-2456-4ac8-acb3-9716bad6763a}\(Default) = "{a3676dab-6179-3bca-8ca4-6542858df3ae}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\tvjihmde.dll" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\Windows\System32\ShellvRTF.dll" ["XSS"]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}" = "*¶*¶ **h**" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\xxwxw.dll" [null data]
<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}
"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}
"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}
"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Conrol: Switch to the secure desktop when prompting for elevation}
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}
"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\Web\Wallpaper\img24.jpg"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Windows\Web\Wallpaper\img24.jpg"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Bubbles.scr" [MS]
Non-disabled Scheduled Tasks:
-----------------------------
C:\Windows\System32\Tasks
"ExtendedServicePlan" -> launches: ""C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe" ExtendedServicePlan ShowMessageTask" [null data]
"HP Health Check" -> launches: ""c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" /Scan" [null data]
"HPCeeScheduleForRodzina" -> launches: "C:\program files\hewlett-packard\sdp\ceement\HPCEE.exe HPCeeScheduleForRodzina (null)" [null data]
"JavaUpdateAdministrator" -> launches: "C:\Windows\system32\jusched.exe" [file not found]
"JavaUpdateRodzina" -> launches: "C:\Windows\system32\jusched.exe" [file not found]
"RecoveryCD" -> launches: ""C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe" RecoveryCD ShowMessageTask" [null data]
"ServicePlan" -> launches: ""C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe" ServicePlan ShowMessageTask3M" [null data]
"User_Feed_Synchronization-{08219C36-6466-4A4B-9C06-BB3C8CDD4170}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]
"{ACF39336-88FE-41FC-BF85-49C242823382}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Program Files\WildGames\Uninstall.exe"" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]
"Uploader" -> launches: "%windir%\system32\WSqmCons.exe -u" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ManualDefrag" -> launches: "%windir%\system32\defrag.exe \\?\Volume{611555f6-9aad-11dc-b00f-806e6f6e6963}\" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
-> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
\InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {HKLM...CLSID} = "Nap ITask Handler Implementation"
\InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {HKLM...CLSID} = "CrawlStartPages Task Handler"
\InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar
"Reminders - Rodzina" -> launches: "C:\Program Files\Windows Calendar\WinCal.exe /reminder" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]
C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]
C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 24
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Pokaż pasek narzędzi Norton"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll" ["Symantec Corporation"]
"{85F685C3-20D9-4943-95E4-EB4224056C3F}" = "Expressivo"
-> {HKLM...CLSID} = "Expressivo"
\InProcServer32\(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
HOSTS file
----------
C:\Windows\System32\drivers\etc\HOSTS
maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
Autokonfiguracja sieci WLAN, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
ccEvtMgr, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
ccSetMgr, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
COM Host, comHost, ""C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe"" ["Symantec Corporation"]
Dostęp do urządzeń interfejsu HID, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
DQLWinService, DQLWinService, ""C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe"" [null data]
Harmonogram automatycznej usługi LiveUpdate, Harmonogram automatycznej usługi LiveUpdate, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
HP Chasis Button Service, HPBtnSrv, "c:\hp\HPEZBTN\HPBtnSrv.exe" [null data]
HP Health Check Service, HP Health Check Service, ""c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe"" [null data]
Izolacja klucza CNG, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""c:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
LVCOMSer, LVCOMSer, ""C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"" ["Logitech Inc."]
Menedżer tożsamości sieci równorzędnej, p2pimsvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [null data]
Process Monitor, LVPrcSrv, ""C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"" ["Logitech Inc."]
Protokół uwierzytelniania rozszerzonego (EAP), EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Przeglądarka komputera, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Usługa Odbiornik Windows Media Center, ehRecvr, "C:\Windows\ehome\ehRecvr.exe" [MS]
Usługa Planowanie nagrywania, ehSched, "C:\Windows\ehome\ehsched.exe" [MS]
Usługa Protokół SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Accessibility Tools:
--------------------
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp\
"narrator" = dword:0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator\
"Description" = "Screen Reader"
"StartExe" = "C:\Windows\System32\Narrator.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HPLJ1018LM\Driver = "ZLhp1018.DLL" ["Zenographics, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]
---------- (launch time: 2008-02-19 18:24:34)
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 259 seconds, including 14 seconds for message boxes)