"Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS] "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."] "DAEMON Tools Pro Agent" = ""C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"" ["DT Soft Ltd."] "ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS] "BitComet" = ""C:\Program Files\BitComet\BitComet.exe" /tray" ["www.BitComet.com"] "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"] "CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"] "NeroFilterCheck" = "C:\Windows\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "Windows Mobile Device Center" = "C:\Windows\WindowsMobile\wmdc.exe" "NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart" [MS] "NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS] "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)" -> {HKLM...CLSID} = "Skype add-on (mastermind)" \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture" -> {HKLM...CLSID} = "BitComet Helper" \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll" ["BitComet"] {724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {a33fa729-d155-4b23-842b-2c665ecabdb6}\(Default) = (no title provided) -> {HKLM...CLSID} = "The Pirate Bay Toolbar" \InProcServer32\(Default) = "C:\Program Files\The_Pirate_Bay\tbThe_.dll" ["Conduit Ltd."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{00020d75-0000-0000-c000-000000000046}" = "lnkfile" -> {HKLM...CLSID} = "Microsoft Outlook" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\MLSHEXT.DLL" [MS] "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{D9F81151-62CA-4858-B45E-82B3EC41A549}" = "RExpCtxU" -> {HKLM...CLSID} = "RExpCtxU" \InProcServer32\(Default) = "C:\Program Files\Resco\Pocket Encryption\RExpCtxU.dll" [empty string] "{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Exctractor" -> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor" \InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data] "{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page" -> {HKLM...CLSID} = "Haali Matroska Shell Property Page" \InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data] "{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider" -> {HKLM...CLSID} = "Haali Column Provider" \InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview" -> {HKLM...CLSID} = "ACTHUMBNAIL" \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"] "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego" -> {HKLM...CLSID} = "AcSignIcon" \InProcServer32\(Default) = "C:\Windows\system32\AcSignIcon.dll" ["Autodesk"] "{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview" -> {HKLM...CLSID} = "ACDWFTHMBPRXY" \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki dla ochrony WWW" -> {HKLM...CLSID} = "Statystyki dla ochrony WWW" \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider" -> {HKLM...CLSID} = "Haali Column Provider" \InProcServer32\(Default) = "C:\Program Files\VistaCodecPack\filters\mmfinfo.dll" [null data] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"] RExpCtxU\(Default) = "{D9F81151-62CA-4858-B45E-82B3EC41A549}" -> {HKLM...CLSID} = "RExpCtxU" \InProcServer32\(Default) = "C:\Program Files\Resco\Pocket Encryption\RExpCtxU.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] RExpCtxU\(Default) = "{D9F81151-62CA-4858-B45E-82B3EC41A549}" -> {HKLM...CLSID} = "RExpCtxU" \InProcServer32\(Default) = "C:\Program Files\Resco\Pocket Encryption\RExpCtxU.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Default executables: -------------------- <> HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile" <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\Windows\notepad.exe" "%1"" [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoNetHood" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoManageMyComputerVerb" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoCDBurning" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoStartMenuPinnedList" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoStartMenuMFUprogramsList" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoUserNameInStartMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoStartMenuSubFolders" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoCommonGroups" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoRecentDocsMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoPrinterTabs" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoDeletePrinter" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoAddPrinter" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoPrinters" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoNetworkConnections" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Network & Dial-up Connections from Start Menu} "NoFavoritesMenu" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Favorites menu from Start Menu} "NoSMHelp" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Help menu from Start Menu} "NoChangeStartMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoFileMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoRecentDocsNetHood" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoChangeAnimation" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoChangeKeyboardNavigationIndicators" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} "EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Users\MATT\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ CDBurnerXP\ "Provider" = "CDBurnerXP" "InvokeProgID" = "CDBurnerXPOpen" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\CDBurnerXPOpen\shell\open\command\(Default) = ""C:\Program Files\CDBurnerXP\cdbxpp.exe"" [null data] LightScribeOnArrivalAP\ "Provider" = "LightScribe Direct Disc Labeling" "InvokeProgID" = "LightScribe.AutoPlayHandler" "InvokeVerb" = "LabelLightScribeDisc" HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"] MSPlayCDAudioOnArrival\ "Provider" = "ALLPlayer" "InvokeProgID" = "AllPlayerFile" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command\(Default) = ""C:\Program Files\MarBit\ALLPlayer\ALLPlayer.exe" "%1"" ["MarBit"] WIA_{A9F3CD88-61DC-4CC0-8CA9-CED1E0B842D0}\ "Provider" = "Photoshop" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = "/WiaCmd;C:\Program Files\Adobe\Photoshop CS\Photoshop.exe /StiDevice:%1 /StiEvent:%2;" -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS] WinampMTPHandler\ "Provider" = "Winamp" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "C:\Program Files\Winamp\winamp.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler" \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] WinampPlayMediaOnArrival\ "Provider" = "Winamp" "InvokeProgID" = "Winamp.File" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"] Startup items in "MATT" & "All Users" startup folders: ------------------------------------------------------ C:\Users\MATT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup "Butler 4012 USB VoIP" -> shortcut to: "" [file not found] "OpenOffice.org 2.1" -> shortcut to: "C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe" [null data] "Zoomin.exe" -> shortcut to: "C:\Documents and Settings\All Users\Favorites\Zoomin.exe" [empty string] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] "Przyspieszenie uruchomienia programu AutoCAD" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart16.exe" [null data] Non-disabled Scheduled Tasks: ----------------------------- C:\Windows\System32\Tasks "Go to RoboForm Install page" -> launches: "C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler "http://www.roboform.com/pl/test-pass.html?aaa=KICMNMKJOMLJMMJJJMMJCNHMKMJJPMCNLMKJHMJMCNGMOMIMOJCNPMLJMJMJJMJMHMKJKJKJKMOJJNJICMJMCNGMCNNMFMIMCNPMCNJMPMPMPMFMJMCNPMCNJMPMPMPMCNNMJNPICMPMFMEKMICNJJCKFMGMPMJNHICMCJGIGJKJNMJNBJCMCLOLLKLKJNKJCMJNNICM"" [MS] "{E1F7AA17-94A2-4D51-BDD0-D7A7C4D014A9}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe" -c /M{EF0D610C-92BE-4D8F-BD33-9F658F8754F1} /Z"UNINSTALL"" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client "AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}" -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth "UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient "SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS] "UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS] "UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program "Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS] "OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Defrag "ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Media Center "ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS] "mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS] "OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS] "OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS] "UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC "HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}" -> {HKLM...CLSID} = "HotStart User Agent" \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS] "TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}" -> {HKLM...CLSID} = "Transient Multi-Monitor Manager" \InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\MUI "LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia "SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}" -> {HKLM...CLSID} = "Microsoft PlaySoundService Class" \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection "NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}" -> {HKLM...CLSID} = "Nap ITask Handler Implementation" \InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System "ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\RAC "RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance "RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Shell "CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}" -> {HKLM...CLSID} = "CrawlStartPages Task Handler" \InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\SideShow "GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}" -> {HKLM...CLSID} = "GadgetsManager Class" \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore "SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip "IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS] "IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework "MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}" -> {HKLM...CLSID} = "MsCtfMonitor task handler" \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\UPnP "UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\WDI "ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}" -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler" \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting "QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar "Reminders - MATT" -> launches: "C:\Program Files\Windows Calendar\WinCal.exe /reminder" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Wired "GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data] C:\Windows\System32\Tasks\Microsoft\Windows\Wireless "GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data] C:\Windows\System32\Tasks\Microsoft\Windows Defender "MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 24 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{724D43A0-0D85-11D4-9908-00400523E39A}" -> {HKLM...CLSID} = "&RoboForm" \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"] "{A33FA729-D155-4B23-842B-2C665ECABDB6}" -> {HKLM...CLSID} = "The Pirate Bay Toolbar" \InProcServer32\(Default) = "C:\Program Files\The_Pirate_Bay\tbThe_.dll" ["Conduit Ltd."] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided) -> {HKLM...CLSID} = "&RoboForm" \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"] "{A33FA729-D155-4B23-842B-2C665ECABDB6}" = "The_Pirate_Bay Toolbar" -> {HKLM...CLSID} = "The Pirate Bay Toolbar" \InProcServer32\(Default) = "C:\Program Files\The_Pirate_Bay\tbThe_.dll" ["Conduit Ltd."] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki dla ochrony WWW" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ "ButtonText" = "Statystyki dla ochrony WWW" {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ "ButtonText" = "@C:\Windows\WindowsMobile\INetRepl.dll,-222" "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {HKLM...CLSID} = "Create Mobile Favorite" \InProcServer32\(Default) = "C:\Windows\WindowsMobile\INetRepl.dll" [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ "MenuText" = "@C:\Windows\WindowsMobile\INetRepl.dll,-223" "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {HKLM...CLSID} = "Create Mobile Favorite" \InProcServer32\(Default) = "C:\Windows\WindowsMobile\INetRepl.dll" [MS] {320AF880-6646-11D3-ABEE-C5DBF3571F46}\ "ButtonText" = "Wypełnij pola" "MenuText" = "Wypełnij Pola" "Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found] {320AF880-6646-11D3-ABEE-C5DBF3571F49}\ "ButtonText" = "Zapisz" "MenuText" = "Zapisz Pola" "Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found] {724D43AA-0D85-11D4-9908-00400523E39A}\ "ButtonText" = "RoboForm" "MenuText" = "Pasek Narzędzi RoboForm" "Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ "ButtonText" = "Skype" "CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}" -> {HKLM...CLSID} = "Skype add-on (button)" \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."] {D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\ "ButtonText" = "BitComet" "Script" = "res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206" ["BitComet"] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> "{a33fa729-d155-4b23-842b-2c665ecabdb6}" = (no title provided) -> {HKLM...CLSID} = "The Pirate Bay Toolbar" \InProcServer32\(Default) = "C:\Program Files\The_Pirate_Bay\tbThe_.dll" ["Conduit Ltd."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Autokonfiguracja sieci WLAN, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]} AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."] Dostęp do urządzeń interfejsu HID, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]} Izolacja klucza CNG, KeyIso, "C:\Windows\system32\lsass.exe" [MS] Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"] Konfiguracja usług terminalowych, SessionEnv, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\system32\sessenv.dll" [MS]} LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"] NMSAccessU, NMSAccessU, "C:\Program Files\CDBurnerXP\NMSAccessU.exe" [null data] Propagacja certyfikatu, CertPropSvc, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\certprop.dll" [MS]} Protokół uwierzytelniania rozszerzonego (EAP), EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]} Przeglądarka komputera, Browser, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]} Usługa obsługi Bluetooth, BthServ, "C:\Windows\system32\svchost.exe -k bthsvcs" {"C:\Windows\System32\bthserv.dll" [MS]} Usługa Protokół SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]} Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS] Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]} Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]} Windows Mobile-2003-based device connectivity, WcesComm, "C:\Windows\system32\svchost.exe -k WindowsMobile" {"C:\Windows\WindowsMobile\wcescomm.dll" [MS]} Windows Mobile-based device connectivity, RapiMgr, "C:\Windows\system32\svchost.exe -k WindowsMobile" {"C:\Windows\WindowsMobile\rapimgr.dll" [MS]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ PCL hpz3l4v2\Driver = "hpz3l4v2.dll" ["Hewlett-Packard Company"] PCL hpz3llhn\Driver = "hpz3llhn.dll" ["Hewlett-Packard Company"] ---------- (launch time: 2008-06-11 22:04:48) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 69 seconds, including 18 seconds for message boxes)