“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ehTray.exe” = “C:\Windows\ehome\ehTray.exe” [MS] “WMPNSCFG” = “C:\Program Files\Windows Media Player\WMPNSCFG.exe” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Windows Defender” = “C:\Program Files\Windows Defender\MSASCui.exe -hide” “SMSERIAL” = “C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe” [“Motorola Inc.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “RtHDVCpl” = “RtHDVCpl.exe” [“Realtek Semiconductor”] “IAAnotif” = “C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe” [“Intel Corporation”] “QPService” = ““C:\Program Files\HP\QuickPlay\QPService.exe”” [“CyberLink Corp.”] “QlbCtrl” = “C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start” “HP Health Check Scheduler” = “C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe” [null data] “hpWirelessAssistant” = “C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe” “WAWifiMessage” = “C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe” “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “CognizanceTS” = “rundll32.exe c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule” [MS] “FLMOFFICE4DMOUSE” = “C:\Program Files\Trust\MI-2550XP OPTICAL MINI MOUSE\Mouse32a.exe” [empty string] “TQ566808” = ““E:\Setup.exe”” [file not found] “Launch LCDMon” = ““C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe”” [file not found] “SynTPStart” = “C:\Program Files\Synaptics\SynTP\SynTPStart.exe” [“Synaptics, Inc.”] “Adobe Reader Speed Launcher” 
= ““C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”” [“Adobe Systems Incorporated”] “QuickTime Task” = ““C:\Program Files\QuickTime\QTTask.exe” -atboottime” [“Apple Inc.”] “iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Inc.”] “Kernel and Hardware Abstraction Layer” = “KHALMNPR.EXE” [“Logitech, Inc.”] “NvSvc” = “RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart” [MS] “NvCplDaemon” = “RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit” [MS] “egui” = ““C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice” [“ESET”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Launcher” = “C:\Windows\SMINST\launcher.exe” HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)” -> {HKLM…CLSID} = “Skype add-on (mastermind)” \InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”] {9030D464-4C02-4ABF-8ECC-5164760863C6}(Default) = (no title provided) -> {HKLM…CLSID} = “Windows Live Sign-in Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll” [MS] {DF21F1DB-80C6-11D3-9483-B03D0EC10000}(Default) = “VeriSoft Access Manager” -> {HKLM…CLSID} = “VeriSoft Access Manager” \InProcServer32(Default) = “c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll” [“Bioscrypt 
Inc.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}” = “Messenger Sharing Folders” -> {HKLM…CLSID} = “Moje foldery udostępniania” \InProcServer32(Default) = “C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll” [MS] “{7F67036B-66F1-411A-AD85-759FB9C5B0DB}” = “ShellViewRTF” -> {HKLM…CLSID} = “ShellViewRTF” \InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] “{7842554E-6BED-11D2-8CDB-B05550C10000}” = “Monitor” -> {HKLM…CLSID} = “Monitor Class” \InProcServer32(Default) = “C:\Windows\system32\btncopy.dll” [“Broadcom Corporation.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” -> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext 
Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\Windows\system32\nvcpl.dll” [“NVIDIA Corporation”] “{79BC0345-1015-11D2-A299-006008312725}” = “blue.shell” -> {HKLM…CLSID} = “///FAST project settings” \InProcServer32(Default) = “C:\Program Files\Pinnacle\VideoSpin\Programs\BlueShellExt.dll” [null data] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”] “{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}” = “Logitech Setpoint Extension” -> {HKLM…CLSID} = “KbLogiExt Class” \InProcServer32(Default) = “C:\Program Files\Logitech\SetPoint\kbcplext.dll” [“Logitech, Inc.”] “{B9B9F083-2B04-452A-8691-83694AC1037B}” = “Logitech Setpoint Extension” -> {HKLM…CLSID} = “LogiExt Class” \InProcServer32(Default) = “C:\Program Files\Logitech\SetPoint\mcplext.dll” [“Logitech, Inc.”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\Windows\system32\nvcpl.dll” [“NVIDIA Corporation”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “Eset Smart Security - Context Menu Shell Extension” -> {HKLM…CLSID} = “Eset Smart Security - Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll” [“ESET”] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension(Default) 
= “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “Eset Smart Security - Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll” [“ESET”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “Eset Smart Security - Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll” [“ESET”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “ConsentPromptBehaviorAdmin” = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} “ConsentPromptBehaviorUser” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} “EnableInstallerDetection” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} “EnableLUA” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} “EnableSecureUIAPaths” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} “EnableVirtualization” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} “PromptOnSecureDesktop” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security 
Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “FilterAdministratorToken” = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} “EnableUIADesktopToggle” = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Users\Michel\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg” Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ HPAutoplayPSE\ “Provider” = “HP Photosmart Essential 2.0” “InvokeProgID” = “HpqPSApl.Autoplay” “InvokeVerb” = “Play” HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = “{A6873065-D632-4615-A3A9-C5F05EE109C1}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = “C:\Program Files\HP\Digital Imaging\bin\HpqPsApl.exe” [“Hewlett-Packard”] HPGGPhotoEventHandler\ “Provider” = “HP Photosmart Essential” “InvokeProgID” = “HP.acquireautoplayG” “InvokeVerb” = “open” HKLM\SOFTWARE\Classes\HP.acquireautoplayG\shell\open\DropTarget\CLSID = “{F3A39B00-BE67-4d7d-BED7-53E9C510EC5B}” -> {HKLM…CLSID} = “HP AcquireAutoPlay2 Class” \InProcServer32(Default) = “C:\Program Files\HP\Photosmart Essential\AcquireAutoPlay.dll” 
[empty string] iTunesBurnCDOnArrival\ “Provider” = “iTunes” “InvokeProgID” = “iTunes.BurnCD” “InvokeVerb” = “burn” HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayBurn “%L”” [“Apple Inc.”] iTunesImportSongsOnArrival\ “Provider” = “iTunes” “InvokeProgID” = “iTunes.ImportSongsOnCD” “InvokeVerb” = “import” HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayImportSongs “%L”” [“Apple Inc.”] iTunesPlaySongsOnArrival\ “Provider” = “iTunes” “InvokeProgID” = “iTunes.PlaySongsOnCD” “InvokeVerb” = “play” HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /playCD “%L”” [“Apple Inc.”] iTunesShowSongsOnArrival\ “Provider” = “iTunes” “InvokeProgID” = “iTunes.ShowSongsOnCD” “InvokeVerb” = “showsongs” HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayShowSongs “%L”” [“Apple Inc.”] LightScribeOnArrivalAP\ “Provider” = “LightScribe Direct Disc Labeling” “InvokeProgID” = “LightScribe.AutoPlayHandler” “InvokeVerb” = “LabelLightScribeDisc” HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command(Default) = “C:\Program Files\Common Files\LightScribe\LsLauncher.exe” [“Hewlett-Packard Company”] MediaCapture9Music\ “Provider” = “Media Import” “InvokeProgID” = “RoxioMediaCapture9” “InvokeVerb” = “Audio” HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Audio\command(Default) = “C:\Program Files\Roxio\Roxio MyDVD Basic v9\Media Import 9\MediaCapture9.exe -audio %L” [“Sonic Solutions”] MediaCapture9Photos\ “Provider” = “Media Import” “InvokeProgID” = “RoxioMediaCapture9” “InvokeVerb” = “Photo” HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Photo\command(Default) = “C:\Program Files\Roxio\Roxio MyDVD Basic v9\Media Import 9\MediaCapture9.exe -photo %L” [“Sonic Solutions”] MediaCapture9VideoCamera\ 
“Provider” = “Media Import” “ProgID” = “Shell.HWEventHandlerShellExecute” “InitCmdLine” = “C:\Program Files\Roxio\Roxio MyDVD Basic v9\Media Import 9\MediaCapture9.exe” HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” -> {HKLM…CLSID} = “Shell Execute Hardware Event Handler” \LocalServer32(Default) = “C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS] MediaCapture9Videos\ “Provider” = “Media Import” “InvokeProgID” = “RoxioMediaCapture9” “InvokeVerb” = “Video” HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Video\command(Default) = “C:\Program Files\Roxio\Roxio MyDVD Basic v9\Media Import 9\MediaCapture9.exe -video %L” [“Sonic Solutions”] MPCPlayCDAudioOnArrival\ “Provider” = “Media Player Classic” “InvokeProgID” = “MediaPlayerClassic.Autorun” “InvokeVerb” = “PlayCDAudio” HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /cd” [“Gabest”] MPCPlayDVDMovieOnArrival\ “Provider” = “Media Player Classic” “InvokeProgID” = “MediaPlayerClassic.Autorun” “InvokeVerb” = “PlayDVDMovie” HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /dvd” [“Gabest”] MPCPlayMusicFilesOnArrival\ “Provider” = “Media Player Classic” “InvokeProgID” = “MediaPlayerClassic.Autorun” “InvokeVerb” = “PlayMusicFiles” HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”] MPCPlayVideoFilesOnArrival\ “Provider” = “Media Player Classic” “InvokeProgID” = “MediaPlayerClassic.Autorun” “InvokeVerb” = “PlayVideoFiles” HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media 
Player Classic\mplayerc.exe” %1” [“Gabest”] Picasa2ImportPicturesOnArrival\ “Provider” = “Picasa2” “InvokeProgID” = “picasa2.autoplay” “InvokeVerb” = “import” HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command(Default) = "C:\MISZEL FOLDER\Picasa2\Picasa2.exe “%1"” [“Google Inc.”] QuickPlayDCameraArrival\ “Provider” = “HP QuickPlay” “InvokeProgID” = “Picture” “InvokeVerb” = “PlayWithQuickPlay” HKLM\SOFTWARE\Classes\Picture\shell\PlayWithQuickPlay\Command(Default) = ““C:\Program Files\HP\QuickPlay\QP.exe” AUTOPLAY DSC “%L”” [“CyberLink Corp.”] QuickPlayDVArrival\ “Provider” = “HP QuickPlay” “ProgID” = “Shell.HWEventHandlerShellExecute” “InitCmdLine” = ““C:\Program Files\HP\QuickPlay\QP.exe” DV “%L”” HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” -> {HKLM…CLSID} = “Shell Execute Hardware Event Handler” \LocalServer32(Default) = “C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS] QuickPlayMusicFilesArrival\ “Provider” = “HP QuickPlay” “InvokeProgID” = “MusicFiles” “InvokeVerb” = “PlayWithQuickPlay” HKLM\SOFTWARE\Classes\MusicFiles\shell\PlayWithQuickPlay\Command(Default) = ““C:\Program Files\HP\QuickPlay\QP.exe” AUTOPLAY MUSIC “%L”” [“CyberLink Corp.”] QuickPlayPlayCDAudioOnArrival\ “Provider” = “HP QuickPlay” “InvokeProgID” = “AudioCD” “InvokeVerb” = “PlayWithQuickPlay” HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithQuickPlay\Command(Default) = ““C:\Program Files\HP\QuickPlay\QP.exe” AUTOPLAY CD “%L”” [“CyberLink Corp.”] QuickPlayPlayDVDMovieOnArrival\ “Provider” = “HP QuickPlay” “InvokeProgID” = “DVD” “InvokeVerb” = “PlayWithQuickPlay” HKLM\SOFTWARE\Classes\DVD\shell\PlayWithQuickPlay\Command(Default) = ““C:\Program Files\HP\QuickPlay\QP.exe” AUTOPLAY MOVIE “%L”” [“CyberLink Corp.”] QuickPlayPlayVideoCDMovieOnArrival\ “Provider” = “HP QuickPlay” “InvokeProgID” = “VCD” “InvokeVerb” = “PlayWithQuickPlay” 
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithQuickPlay\Command(Default) = ““C:\Program Files\HP\QuickPlay\QP.exe” AUTOPLAY MOVIE “%L”” [“CyberLink Corp.”] QuickPlayVideoFilesArrival\ “Provider” = “HP QuickPlay” “InvokeProgID” = “VideoFiles” “InvokeVerb” = “PlayWithQuickPlay” HKLM\SOFTWARE\Classes\VideoFiles\shell\PlayWithQuickPlay\Command(Default) = ““C:\Program Files\HP\QuickPlay\QP.exe” AUTOPLAY VIDEO “%L”” [“CyberLink Corp.”] RoxioSCAudioCDTask33\ “Provider” = “Roxio Creator Audio” “InvokeProgID” = “Roxio.RoxioCentral33” “InvokeVerb” = “AudioCDTask” HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe” /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}” [null data] RoxioSCCopyCD33\ “Provider” = “Roxio Creator Copy” “InvokeProgID” = “Roxio.RoxioCentral33” “InvokeVerb” = “ExactCopyJob” HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe” /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}” [null data] RoxioSCCopyDisc33\ “Provider” = “Roxio Creator Copy” “InvokeProgID” = “Roxio.RoxioCentral33” “InvokeVerb” = “ExactCopyJob” HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe” /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}” [null data] RoxioSCDataProject33\ “Provider” = “Roxio Creator Data” “InvokeProgID” = “Roxio.RoxioCentral33” “InvokeVerb” = “DataGuide” HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe” /Launch Data” [null data] RoxioSCDataTask33\ “Provider” = “Roxio Creator Data” “InvokeProgID” = “Roxio.RoxioCentral33” “InvokeVerb” = “DataTask” 
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe” /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}” [null data] WIA_{48F35888-45B1-4912-B652-69F9886406FE}\ “Provider” = “Picasa2” “CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}” “InitCmdLine” = “/WiaCmd;C:\MISZEL FOLDER\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;” -> {HKLM…CLSID} = “WPDShextAutoplay” \LocalServer32(Default) = “C:\Windows\system32\WPDShextAutoplay.exe” [MS] WinampMTPHandler\ “Provider” = “Winamp” “ProgID” = “Shell.HWEventHandlerShellExecute” “InitCmdLine” = “C:\Program Files\Winamp\winamp.exe” HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” -> {HKLM…CLSID} = “Shell Execute Hardware Event Handler” \LocalServer32(Default) = “C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS] WinampPlayMediaOnArrival\ “Provider” = “Winamp” “InvokeProgID” = “Winamp.File” “InvokeVerb” = “Play” HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command(Default) = "“C:\Program Files\Winamp\winamp.exe” “%1"” [“Nullsoft”] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = “{46986115-84D6-459c-8F95-52DD653E532E}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = ““C:\Program Files\Winamp\winamp.exe”” [“Nullsoft”] DESKTOP.INI DLL launch in local fixed drive directories: -------------------------------------------------------- D:\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] D:\boot\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] D:\HP\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> 
{HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] D:\preload\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] D:\SOURCES\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] D:\Tools\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] D:\WINDOWS\DESKTOP.INI [.ShellClassInfo] CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\Windows\System32\ShellvRTF.dll” [“XSS”] Startup items in “Michel” & “All Users” startup folders: -------------------------------------------------------- C:\Users\Michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup “Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007” -> shortcut to: “C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr” [MS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup “BTTray” -> shortcut to: “C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe” [“Broadcom Corporation.”] “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “Logitech SetPoint” -> shortcut to: “C:\Program Files\Logitech\SetPoint\SetPoint.exe” [“Logitech, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\system32\NLAapi.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\system32\napinsp.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\system32\pnrpnsp.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\pnrpnsp.dll” [MS] 000000000005\LibraryPath = 
“%SystemRoot%\System32\mswsock.dll” [MS] 000000000006\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000007\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 31 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.6.0_05” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ “ButtonText” = “Wyślij do programu OneNote” “MenuText” = “Wyślij &do programu OneNote” “CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}” -> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll” [MS] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Research” {CCA281CA-C863-46EF-9331-5C8D4460577F}\ “ButtonText” = “@btrez.dll,-4015” “MenuText” = “@btrez.dll,-12650” 
“Script” = “C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm” [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Autokonfiguracja sieci WLAN, Wlansvc, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\System32\wlansvc.dll” [MS]} CyberLink Background Capture Service (CBCS), CLCapSvc, ““C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe”” [empty string] CyberLink Task Scheduler (CTS), CLSched, ““C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe”” [empty string] Dostęp do urządzeń interfejsu HID, hidserv, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\system32\hidserv.dll” [MS]} Eset Service, ekrn, ““C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe”” [“ESET”] HP Health Check Service, HP Health Check Service, ““C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe”” [null data] hpqcxs08, hpqcxs08, “C:\Windows\system32\svchost.exe -k hpdevmgmt” {“C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll” [“Hewlett-Packard Co.”]} hpqwmiex, hpqwmiex, “C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe” [“Hewlett-Packard Development Company, L.P.”] Intel® Matrix Storage Event Monitor, IAANTMON, “C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe” [“Intel Corporation”] Izolacja klucza CNG, KeyIso, “C:\Windows\system32\lsass.exe” [MS] Karta inteligentna, SCardSvr, “C:\Windows\system32\svchost.exe -k LocalService” {“C:\Windows\System32\SCardSvr.dll” [MS]} LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] Local Communication Channel, ASChannel, “C:\Windows\System32\svchost.exe -k Cognizance” {“c:\Program Files\Bioscrypt\VeriSoft\Bin\AsChnl.dll” [“Cognizance Corporation”]} Logon Session Broker, ASBroker, “C:\Windows\System32\svchost.exe -k Cognizance” {“c:\Program 
Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll” [“Cognizance Corporation”]} Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Net Driver HPZ12, Net Driver HPZ12, “C:\Windows\System32\svchost.exe -k HPZ12” {“C:\Windows\system32\HPZinw12.dll” [“Hewlett-Packard”]} Pml Driver HPZ12, Pml Driver HPZ12, “C:\Windows\System32\svchost.exe -k HPZ12” {“C:\Windows\system32\HPZipm12.dll” [“Hewlett-Packard”]} Protokół uwierzytelniania rozszerzonego (EAP), EapHost, “C:\Windows\System32\svchost.exe -k netsvcs” {“C:\Windows\System32\eapsvc.dll” [MS]} Urządzenie mobilne Apple, Apple Mobile Device, ““C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe”” [“Apple, Inc.”] Usługa HP CUE DeviceDiscovery, hpqddsvc, “C:\Windows\system32\svchost.exe -k hpdevmgmt” {“C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll” [“Hewlett-Packard Co.”]} Usługa iPod, iPod Service, ““C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Inc.”] Usługa obsługi Bluetooth, BthServ, “C:\Windows\system32\svchost.exe -k bthsvcs” {“C:\Windows\System32\bthserv.dll” [MS]} Usługa Protokół SSTP, SstpSvc, “C:\Windows\system32\svchost.exe -k LocalService” {“C:\Windows\system32\sstpsvc.dll” [MS]} Windows Driver Foundation — User-mode Driver Framework, wudfsvc, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\System32\WUDFSvc.dll” [MS]} Windows Image Acquisition (WIA), stisvc, “C:\Windows\system32\svchost.exe -k imgsvc” {“C:\Windows\System32\wiaservc.dll” [MS]} Accessibility Tools: -------------------- HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp\ “narrator” = dword:0x00000000 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator\ “Description” = “Screen Reader” “StartExe” = “C:\Windows\System32\Narrator.exe” [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ PCL hpz3l4v2\Driver = “hpz3l4v2.dll” [“Hewlett-Packard Company”] 
Send To Microsoft OneNote Monitor\Driver = “msonpmon.dll” [MS]

----------
(launch time: 2008-06-25 12:20:41)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 155 seconds.
----------
(total run time: 192 seconds)