
Maciasi
User
Posts: 3
Joined: -
Last visit: -

Content posted by Maciasi
Unknown Program and System Freezing
Maciasi replied to Maciasi's topic in Security Centre
That program was the PremierOpinion adware. I don't know how it was triggering such a reaction from the system, but the matter is closed now.
Unknown Program and System Freezing
Maciasi replied to Maciasi's topic in Security Centre
The problem is already solved, but I won't mind if someone checks the log while they're at it.
Hello. I have a serious problem with how the system behaves. When I switch the computer on everything is fine, but when I connect to the Internet (it doesn't always happen, but more often than not), a few minutes later an unfamiliar program icon (a white six-pointed star) appears on the taskbar. Further interaction with the system is impossible, so I can't even check which program it is, because the system freezes as if it were "thinking", i.e. the hourglass the whole time; I think you know what I mean. I scanned the computer with Kaspersky and it found nothing. I don't know at what point it started, because only yesterday everything was working without problems. Please help, because I consider reinstalling the system a last resort.

System: Vista 64bit SP1, Core2Extreme Q6850, 4GB RAM, GeForce 280GTX

Silent Runners log:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"Nowe Gadu-Gadu" = ""G:\Programy\Gadu Gadu 8\Nowe Gadu-Gadu\gg.exe"" ["GG Network S.A."]
"NVIDIA nTune" = ""C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"ISUSPM Startup" = "C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"
  -> {HKLM...CLSID} = "IEVkbdBHO Class"
                   \InProcServer32\(Default) = "G:\Programy\Kaspersky 2010\x64\ievkbd.dll" ["Kaspersky Lab"]
{E33CF602-D945-461A-83F0-819F76A199F8}\(Default) = "link filter bho"
  -> {HKLM...CLSID} = "FilterBHO Class"
                   \InProcServer32\(Default) = "G:\Programy\Kaspersky 2010\x64\klwtbbho.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
  -> {HKLM...CLSID} = "UIContextMenu Class"
                   \InProcServer32\(Default) = "G:\Programy\UltraISO\isoshl64.dll" ["EZB Systems, Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
  -> {HKLM...CLSID} = "KbLogiExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
  -> {HKLM...CLSID} = "LogiExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
  -> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
                   \InProcServer32\(Default) = "C:\Windows\System32\ieframe.dll" [MS]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "C:\Windows\System32\uxtuneup.dll" ["TuneUp Software"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\TuneUp Utilities 2009\SDShelEx-x64.dll" ["TuneUp Software"]
"{4838CD50-7E5D-4811-9B17-C47A85539F28}" = "TuneUp Disk Space Explorer Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\TuneUp Utilities 2009\DseShExt-x64.dll" ["TuneUp Software"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}" = "NVIDIA Play On My TV Context Menu Extension"
  -> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
                   \InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{E31004D1-A431-41B8-826F-E902F9D95C81}" = "Windows DreamScene"
  -> {HKLM...CLSID} = "Windows DreamScene"
                   \InProcServer32\(Default) = "C:\Windows\System32\DreamScene.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "G:\Programy\Kaspersky 2010\x64\ShellEx.dll" ["Kaspersky Lab"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
                   \InProcServer32\(Default) = "G:\Programy\PowerArchiver 2009\PASHLEXT.DLL" ["ConeXware, Inc."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\TuneUp Utilities 2009\SDShelEx-x64.dll" ["TuneUp Software"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "G:\Programy\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Disk Space Explorer Shell Extension\(Default) = "{4838CD50-7E5D-4811-9B17-C47A85539F28}"
  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\TuneUp Utilities 2009\DseShExt-x64.dll" ["TuneUp Software"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\TuneUp Utilities 2009\SDShelEx-x64.dll" ["TuneUp Software"]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
  -> {HKLM...CLSID} = "UIContextMenu Class"
                   \InProcServer32\(Default) = "G:\Programy\UltraISO\isoshl64.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "G:\Programy\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "G:\Programy\Kaspersky 2010\x64\ShellEx.dll" ["Kaspersky Lab"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
                   \InProcServer32\(Default) = "G:\Programy\PowerArchiver 2009\PASHLEXT.DLL" ["ConeXware, Inc."]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
  -> {HKLM...CLSID} = "UIContextMenu Class"
                   \InProcServer32\(Default) = "G:\Programy\UltraISO\isoshl64.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "G:\Programy\WinRAR\rarext64.dll" [null data]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptbehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptbehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Maciek\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CanonCW50PicturesOnArrival\
"Provider" = "Canon CameraWindow"
"InvokeProgID" = "Cw50.AutoplayHandler"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Cw50.AutoplayHandler\shell\open\command\(Default) = "C:\Program Files (x86)\Canon\CameraWindow\CameraWindowMC\CameraLauncherMC.exe" [null data]

CanonCW60EventHandler\
"Provider" = "Canon CameraWindow"
"ProgID" = "Cw60.AutoplayHandler"
HKLM\SOFTWARE\Classes\Cw60.AutoplayHandler\CLSID\(Default) = "{9FA058BF-A4FA-4DD6-8043-A3AD58AD8C15}"
  -> {HKLM...CLSID} = "Canon CameraWindow"
                   \LocalServer32\(Default) = ""C:\Program Files (x86)\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe"" ["Canon Inc."]

MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]

MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS]

MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSRipCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.RipCD"
"InvokeVerb" = "Rip"
HKLM\SOFTWARE\Classes\WMP.RipCD\shell\Rip\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /RipAudioCD "%L" " [MS]

MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" " [MS]

MSWMPBurnDataDVDArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnDVD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnDVD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:DVDWrite /Device:"%L" " [MS]

PABurner\
"Provider" = "PowerArchiver Burner 2009"
"InvokeProgID" = "PABurnerOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\PABurnerOpen\shell\open\command\(Default) = ""G:\Programy\PowerArchiver 2009\PABURNTOOLS.EXE"" ["ConeXware, Inc."]

UVSFolder\
"Provider" = "Ulead VideoStudio 11"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "G:\Programy\Ulead VideoStudio 11\vstudio.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
                   \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WIA_{27BB7B3F-7FAB-4BE3-870D-C3FDCECE3B5C}\
"Provider" = "Photoshop"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;G:\Programy\Adobe Photoshop CS3\Adobe Photoshop CS3\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{293170BD-3EBE-44E4-B542-EC73CDCF1568}\
"Provider" = "Microsoft Office OneNote"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{C8092F1B-4941-4A9A-8720-E3776E96A013}\
"Provider" = "Microsoft Office Word"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"1-Click Maintenance" -> launches: "C:\Program Files (x86)\TuneUp Utilities 2009\OneClickStarter.exe /schedulestart" ["TuneUp Software GmbH"]
"{1954035B-A0A8-46B0-AD6B-E8753639A6DB}" -> launches: "C:\Windows\system32\pcalua.exe -a "E:\Medieval II Total War\Uninstal.exe"" [MS]

C:\Windows\System32\Tasks\ASUS
"ASUS ACPI Service Provider" -> launches: "C:\Program Files (x86)\ASUS\AASP\1.00.63\aaCenter.exe" [empty string]
"ASUS RegRun Loader" -> launches: "C:\Program Files (x86)\ASUS\AASP\1.00.63\AsLoader.exe -Run" [null data]
"ASUS SIX Engine" -> launches: "C:\Program Files (x86)\ASUS\Six Engine\SixEngine.exe" [empty string]
"Cpu Level Up Hook Lanunch" -> launches: "C:\Program Files (x86)\ASUS\AI Suite\CpuLevelUpHookLaunch.exe" [empty string]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
  -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]
"VistaSP1CEIP" -> (HIDDEN!) launches: "%systemroot%\servicing\vsp1ceip.exe /delete /tn "\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP" /f" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
  -> {HKLM...CLSID} = "HotStart User Agent"
                   \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
  -> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
                   \InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
  -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
                   \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
  -> {HKLM...CLSID} = "Nap ITask Handler Implementation"
                   \InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
  -> {HKLM...CLSID} = "CrawlStartPages Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
  -> {HKLM...CLSID} = "GadgetsManager Class"
                   \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
  -> {HKLM...CLSID} = "MsCtfMonitor task handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
  -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
                   \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000007\LibraryPath = "C:\Program Files (x86)\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{32099AAC-C132-4136-9E9A-4E364A424E17}"
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{32099AAC-C132-4136-9E9A-4E364A424E17}" = (no title provided)
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{4248FE82-7FCB-46AC-B270-339F08212110}\
"ButtonText" = "&Virtual keyboard"
"CLSIDExtension" = "{4248FE82-7FCB-46AC-B270-339F08212110}"
  -> {HKLM...CLSID} = "VirtualKeyboardButtonHandler Class"
                   \InProcServer32\(Default) = "G:\Programy\Kaspersky 2010\x64\klwtbbho.dll" ["Kaspersky Lab"]

{CCF151D8-D089-449F-A5A4-D9909053F20F}\
"ButtonText" = "URLs c&heck"
"CLSIDExtension" = "{CCF151D8-D089-449F-A5A4-D9909053F20F}"
  -> {HKLM...CLSID} = "FilterButtonHandler Class"
                   \InProcServer32\(Default) = "G:\Programy\Kaspersky 2010\x64\klwtbbho.dll" ["Kaspersky Lab"]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

<<H>> C:\WINDOWS\INF\IERESET.INF was not found!

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files (x86)\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Andrea ADI Filters Service, AEADIFilters, "C:\Windows\system32\AEADISRV.EXE" ["Andrea Electronics Corporation"]
Capture Device Service, Capture Device Service, ""C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe"" ["InterVideo Inc."]
Diskeeper, Diskeeper, ""G:\Programy\Diskeeper 2007\DkService.exe"" ["Diskeeper Corporation"]
Dostęp do urządzeń interfejsu HID, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
Kaspersky Internet Security, AVP, ""G:\Programy\Kaspersky 2010\avp.exe" -r" ["Kaspersky Lab"]
Lavasoft Ad-Aware Service, aawservice, ""G:\Programy\Ad-Aware 2008\aawservice.exe"" ["Lavasoft"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Nero BackItUp Scheduler 4.0, Nero BackItUp Scheduler 4.0, "C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe" ["Nero AG"]
nTune Service, nTuneService, "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, nvsvc, "C:\Windows\system32\nvvsvc.exe" ["NVIDIA Corporation"]
NVIDIA Stereoscopic 3D Driver Service, Stereo Service, "C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe" ["NVIDIA Corporation"]
PIXMA Extended Survey Program, IJPLMSVC, "C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE" [null data]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]
PremierOpinion, PremierOpinion, "C:\Program Files (x86)\PremierOpinion\pmservice.exe /service" ["VoiceFive Networks, Inc."]
TuneUp Program Statistics Service, TuneUp.ProgramStatisticsSvc, "C:\Windows\System32\TUProgSt.exe" ["TuneUp Software"]
TuneUp Theme Extension, UxTuneUp, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\uxtuneup.dll" ["TuneUp Software"]}
Usługa Protokół SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "glogin" [file not found]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor iP2600 series\Driver = "CNMLM97.DLL" ["CANON INC."]


----------
(launch time: 2009-08-04 12:47:57)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 98 seconds.
---------- (total run time: 143 seconds)
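Reading a Silent Runners log like the one above by hand means scanning for a few signals: the entries the script itself flags (`<<!>>` at a launch point, `<<H>>` at a browser hijack point), launch points whose binary is gone (`[file not found]`, here the PnkBstrA service and the `glogin` keyboard UpperFilter), binaries with no version information (`[null data]`, `[empty string]`), and names already known to be unwanted (the PremierOpinion service the poster later identified as the adware). The following Python script is an added example, not part of the original post and not Silent Runners' own code, that applies exactly those rules to a constructed excerpt of the log; the watchlist contents, the severity levels and the sample lines are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the Silent Runners log posted in this thread
# (a handful of lines, not the full log). Raw string, so backslashes are literal.
SAMPLE_LOG = r"""Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Kaspersky Internet Security, AVP, ""G:\Programy\Kaspersky 2010\avp.exe" -r" ["Kaspersky Lab"]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]
PremierOpinion, PremierOpinion, "C:\Program Files (x86)\PremierOpinion\pmservice.exe /service" ["VoiceFive Networks, Inc."]
Usluga Protokol SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Keyboard Driver Filters:
------------------------
"UpperFilters" = <<!>> "glogin" [file not found]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") <<H>> C:\WINDOWS\INF\IERESET.INF was not found!
Winsock2 Service Provider DLLs:
-------------------------------
000000000007\LibraryPath = "C:\Program Files (x86)\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
"""

# Names to treat as known-unwanted (assumption). PremierOpinion is the only entry
# because the poster identified it as the adware behind the freeze; extend per case.
WATCHLIST = ("premieropinion",)

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Silent Runners ends each launch entry with a bracketed verdict on the binary:
# ["Company"] from its version resource, [MS] for Microsoft, or [file not found],
# [null data], [empty string] when there was nothing to inspect. Services hosted
# by svchost wrap the DLL verdict in {...}, hence the optional closing brace.
TAG_RE = re.compile(r"\[([^\[\]]*)\]\s*\}?\s*$")


@dataclass
class Finding:
    line_no: int
    section: str
    severity: str
    reasons: list
    text: str


def classify(line, watchlist=WATCHLIST):
    """Return (severity or None, reasons) for one log line."""
    reasons = []
    severity = None
    if "<<!>>" in line:
        reasons.append("Silent Runners flags this as a suspicious malware launch point (<<!>>)")
        severity = "HIGH"
    if "<<H>>" in line:
        reasons.append("Silent Runners flags this as a suspicious browser hijack point (<<H>>)")
        severity = "HIGH"
    lowered = line.lower()
    for name in watchlist:
        if name in lowered:
            reasons.append(f"matches watchlist entry '{name}'")
            severity = "HIGH"
    match = TAG_RE.search(line)
    tag = match.group(1).strip() if match else None
    if tag == "file not found":
        reasons.append("launch point references a file that no longer exists")
        severity = severity or "MEDIUM"
    elif tag in ("null data", "empty string"):
        reasons.append("binary carries no company/version information")
        severity = severity or "LOW"
    return severity, reasons


def triage(log_text, watchlist=WATCHLIST):
    """Walk the log, track the current section header and collect findings."""
    findings = []
    section = ""
    lines = log_text.splitlines()
    for idx, line in enumerate(lines):
        stripped = line.strip()
        # A run of dashes underlines the section header on the previous line.
        if len(stripped) >= 10 and set(stripped) == {"-"} and idx > 0:
            section = lines[idx - 1].strip().rstrip(":")
            continue
        severity, reasons = classify(line, watchlist)
        if reasons:
            findings.append(Finding(idx + 1, section, severity, reasons, stripped))
    # Stable sort: most severe first, original log order within a severity.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def report(findings):
    """Render findings as plain text, one block per flagged line."""
    out = []
    for f in findings:
        out.append(f"[{f.severity}] line {f.line_no} ({f.section})")
        out.append(f"    {f.text}")
        for reason in f.reasons:
            out.append(f"    - {reason}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the excerpt this surfaces the PremierOpinion service, the `glogin` keyboard filter and the missing IERESET.INF as HIGH and the orphaned PnkBstrA service as MEDIUM, while the signed Kaspersky and Bonjour entries pass through. The `[file not found]` rule is worth keeping even after cleanup: an UpperFilters value that names a driver which no longer exists is a leftover from something that was once loaded between the keyboard and every application, which is exactly where a keylogger sits.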