"Silent Runners.vbs", revision 63, http://www.silentrunners.org/
Operating System: Windows 7
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AdobeBridge" = "(empty string)" [file not found]
"(Default)" = "(empty string)" [file not found]
"EADM" = ""C:\Program Files (x86)\Origin\Origin.exe" -AutoStart" ["Electronic Arts"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RtHDVCpl" = "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s" ["Realtek Semiconductor"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"
  -> {HKLM...CLSID} = "IEVkbdBHO Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\ievkbd.dll" ["Kaspersky Lab ZAO"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live ID Sign-in Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{E33CF602-D945-461A-83F0-819F76A199F8}\(Default) = "link filter bho"
  -> {HKLM...CLSID} = "FilterBHO Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\klwtbbho.dll" ["Kaspersky Lab ZAO"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\
AutoCAD Digital Signatures Icon Overlay Handler\(Default) = "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"
  -> {HKLM...CLSID} = "AcSignIcon"
     \InProcServer32\(Default) = "C:\Windows\system32\AcSignIcon.dll" ["Autodesk, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll" ["Advanced Micro Devices, Inc."]
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"
  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]
"{B41DB860-64E4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{5800AD5B-72C1-477B-9A08-CA112DF06D97}" = "AutoCAD DWG InfoTip Handler"
  -> {HKLM...CLSID} = "AcInfoTipHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{8A0BC933-7552-42E2-A228-3BE055777227}" = "AutoCAD DWG Column Handler"
  -> {HKLM...CLSID} = "AcColumnHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{ADC46291-D8A1-4486-A24C-86FFB392AEFA}" = "Autodesk Dgn File Preview"
  -> {HKLM...CLSID} = "AcDgnImageExtractor"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcDgnCOM17.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
  -> {HKLM...CLSID} = "AcSignIcon"
     \InProcServer32\(Default) = "C:\Windows\system32\AcSignIcon.dll" ["Autodesk, Inc."]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk, Inc."]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PhoneBrowser64.dll" ["Nokia"]
"{872A9397-E0D6-4e28-B64D-52B8D0A7EA35}" = "Display CPL Extension"
  -> {HKLM...CLSID} = "DisplayCplExt Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiama64.dll" ["Advanced Micro Devices, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<>  "AppInit_DLLs" = "C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll,C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<>  ("livessp" [MS])
"Security Packages" = "kerberos"|"msv1_0"|"schannel"|"wdigest"|"tspkg"|"pku2u"|"livessp"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}\(Default) = "WLIDCredentialProvider"
  -> {HKLM...CLSID} = "WLIDCredentialProvider"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AcShellExtension.AcContextMenuHandler\(Default) = "{2E7A2C6C-B938-40a4-BA1C-C7EC982DC202}"
  -> {HKLM...CLSID} = "AcContextMenuHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\ShellEx.dll" ["Kaspersky Lab ZAO"]
VirtualCloneDrive\(Default) = "{B7056B8E-4F99-44f8-8CBD-282390FE5428}"
  -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\ShellEx.dll" ["Kaspersky Lab ZAO"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\
Nokia\(Default) = "{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PhoneBrowser64.dll" ["Nokia"]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
ACE\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll" ["Advanced Micro Devices, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{8A0BC933-7552-42E2-A228-3BE055777227}\(Default) = "AutoCAD DWG column info"
  -> {HKLM...CLSID} = "AcColumnHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\ShellEx.dll" ["Kaspersky Lab ZAO"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<>  HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]

<>  HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<>  HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\Windows\system32\notepad.exe" "%1"" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

"LowRiskFileTypes" = (REG_SZ) (empty string)
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\abs2\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS5ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS5"
"InvokeProgID" = "Adobe.adobebridgeCS5"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS5\shell\launch\command\(Default) = "C:\Program Files (x86)\Adobe\Adobe Bridge CS5\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

BurnAware\
"Provider" = "BurnAware"
"InvokeProgID" = "BurnAwareOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\BurnAwareOpen\shell\open\command\(Default) = ""C:\Program Files (x86)\BurnAware Free\burnaware.exe"" ["Burnaware Technologies"]

MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]

MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS]

MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L"" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.OPENFolder"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" %1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

VLCPlayMusicFilesOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.OPENFolder"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" %1" ["the VideoLAN Team"]

VLCPlaySVCDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.SVCDMovie"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.SVCDMovie\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file vcd://%1" ["the VideoLAN Team"]

VLCPlayVCDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.VCDMovie"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.VCDMovie\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file vcd://%1" ["the VideoLAN Team"]

VLCPlayVideoFilesOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.OPENFolder"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = ""C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" %1" ["the VideoLAN Team"]

WIA_{25EFD04F-75F2-4E46-BEDD-B5299B0A9698}\
"Provider" = "Photoshop"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\Adobe\Photoshop 7.0\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{5B0F1A14-9828-4F3B-9E4E-15627C02BE44}\
"Provider" = "Photoshop"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{6482C8B2-AE51-44AD-A87A-815F0CAEFBA0}\
"Provider" = "Microsoft Office Word"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{7B254194-5320-4CB8-A12E-05889FC15959}\
"Provider" = "Photoshop"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{92E937C2-739F-404A-8EC8-A3BB86B8E4D7}\
"Provider" = "Photoshop"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\Adobe\Photoshop 7.0\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{D9B7A9A6-D9B3-484C-9D4A-503F0AC592B5}\
"Provider" = "ABBYY FineReader 10"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\ABBYY FineReader 10\AbbyySti.exe /clsid {C942B3A5-8DD2-4D83-81B8-21F7645EFA73} /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files (x86)\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
     \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files (x86)\Winamp\winamp.exe" "%1"" ["Nullsoft, Inc."]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Users\abs2\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

C:\Windows\System32\Tasks
"AdobeAAMUpdater-1.0-abs2-Komputer-abs" -> launches: "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe -mode=scheduled" ["Adobe Systems Incorporated"]
"GoogleUpdateTaskUserS-1-5-21-2998006178-1616661977-82403599-1001Core" -> launches: "C:\Users\abs2\AppData\Local\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-2998006178-1616661977-82403599-1001UA" -> launches: "C:\Users\abs2\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
"SidebarExecute" -> launches: "C:\Program Files\Windows Sidebar\sidebar.exe /stopHidingGadgets" [MS]
"{5F82DC10-D902-4C19-B22F-143248418F29}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Users\abs2\AppData\Local\Temp\CProgram Files (x86)Opera\Opera_11.51_int_Setup.exe" -d "C:\Program Files (x86)\Opera"" [MS]
"{86847749-62C1-407B-A95F-6E9C54912D44}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Users\abs2\AppData\Local\Temp\CProgram Files (x86)Opera\Opera_11.60_int_Setup.exe" -d "C:\Program Files (x86)\Opera"" [MS]
"{D29347E4-7D80-4CB6-8881-E4EFECAF6F83}" -> launches: "C:\Program Files (x86)\Skype\Phone\Skype.exe" ["Skype Technologies S.A."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
  -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
"AitAgent" -> launches: "aitagent" [MS]
"ProgramDataUpdater" -> launches: "%windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
"Proxy" -> launches: "%windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
     \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"
  -> {HKLM...CLSID} = "KernelCeipCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\kernelceip.dll" [MS]
"UsbCeip" -> (HIDDEN!) launches: "{c27f6b1d-fe0b-45e4-9257-38799fa69bc8}"
  -> {HKLM...CLSID} = "UsbCeip"
     \InProcServer32\(Default) = "C:\Windows\System32\usbceip.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
"Scheduled" -> (HIDDEN!) launches: "{c1f85ef8-bcc2-4606-bb39-70c523715eb3}"
  -> {HKLM...CLSID} = "ScheduledDiagnosticCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\sdiagschd.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Location
"Notifications" -> launches: "%windir%\System32\LocationNotifications.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
"WinSAT" -> launches: "{A9A33436-678B-4C9C-A211-7CC38785E79D}"
  -> {HKLM...CLSID} = "WinSAT Task Manger Task"
     \InProcServer32\(Default) = "C:\Windows\system32\WinSATAPI.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ActivateWindowsSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch" [MS]
"ConfigureInternetTimeService" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService" [MS]
"DispatchRecoveryTasks" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)" [MS]
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"InstallPlayReady" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0)" [MS]
"MediaCenterRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask" [MS]
"ObjectStoreRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)" [MS]
"PBDADiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery" [MS]
"PBDADiscoveryW1" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery" [MS]
"PBDADiscoveryW2" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery" [MS]
"PvrRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask" [MS]
"PvrScheduleTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrSchedule" [MS]
"RegisterSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)" [MS]
"ReindexSearchRoot" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot" [MS]
"SqlLiteRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
"CorruptionDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
  -> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
"DecompressionFailureDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
  -> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
  -> {HKLM...CLSID} = "HotStart User Agent"
     \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
  -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
     \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
"GatherNetworkInfo" -> launches: "%windir%\system32\gatherNetworkInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
"AnalyzeSystem" -> launches: "%SystemRoot%\System32\powercfg.exe -energy -auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RacTask" -> (HIDDEN!) launches: "{42060D27-CA53-41f5-96E4-B1E8169308A6}"
  -> {HKLM...CLSID} = "ReliabilityAnalysisCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\system32\RacEngn.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Ras
"MobilityManager" -> launches: "{c463a0fc-794f-4fdf-9201-01938ceacafa}"
  -> {HKLM...CLSID} = "RasMobilityManager"
     \InProcServer32\(Default) = "C:\Windows\system32\rasmbmgr.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Registry
"RegIdleBackup" -> (HIDDEN!) launches: "{ca767aa8-9157-4604-b64b-40747123d5f2}"
  -> {HKLM...CLSID} = "RegistryIdleBackupHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\regidle.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
  -> {HKLM...CLSID} = "GadgetsManager Class"
     \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TabletPC
"InputPersonalization" -> launches: "%CommonProgramFiles%\Microsoft Shared\Ink\InputPersonalization.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
"Interactive" -> (HIDDEN!) launches: "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"
  -> {HKLM...CLSID} = "RunTask"
     \InProcServer32\(Default) = "C:\Windows\system32\wdc.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
  -> {HKLM...CLSID} = "MsCtfMonitor task handler"
     \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
"SynchronizeTime" -> launches: "%windir%\system32\sc.exe start w32time task_started" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
  -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
     \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
"BfeOnServiceStartTypeChange" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
"UpdateLibrary" -> launches: ""%ProgramFiles%\Windows Media Player\wmpnscfg.exe"" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
"ConfigNotification" -> launches: "%systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan" [MS]

C:\Windows\System32\Tasks\WPD
"SqmUpload_S-1-5-21-2998006178-1616661977-82403599-1001" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe portabledeviceapi.dll,#1" [MS]
"SqmUpload_S-1-5-21-2998006178-1616661977-82403599-1005" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe portabledeviceapi.dll,#1" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{4248FE82-7FCB-46AC-B270-339F08212110}\
"ButtonText" = "&Virtual Keyboard"
"CLSIDExtension" = "{4248FE82-7FCB-46AC-B270-339F08212110}"
  -> {HKLM...CLSID} = "VirtualKeyboardButtonHandler Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\klwtbbho.dll" ["Kaspersky Lab ZAO"]
{CCF151D8-D089-449F-A5A4-D9909053F20F}\
"ButtonText" = "&Checking web addresses"
"CLSIDExtension" = "{CCF151D8-D089-449F-A5A4-D9909053F20F}"
  -> {HKLM...CLSID} = "FilterButtonHandler Class"
     \InProcServer32\(Default) = "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\klwtbbho.dll" ["Kaspersky Lab ZAO"]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ABBYY FineReader 10 PE Licensing Service, ABBYY.Licensing.FineReader.Professional.10.0, ""C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe" -service" ["ABBYY"]
AMD External Events Utility, AMD External Events Utility, "C:\Windows\system32\atiesrxx.exe" ["AMD"]
Performance Counter DLL Host, PerfHost, "C:\Windows\SysWow64\perfhost.exe" [MS]
InstallDriver Table Manager, IDriverT, ""C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Microsoft .NET Framework NGEN v2.0.50727_X64, clr_optimization_v2.0.50727_64, "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" [MS]
Office Source Engine, ose, ""C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]
SwitchBoard, SwitchBoard, ""C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe"" ["Adobe Systems Incorporated"]
Kaspersky Anti-Virus Service, AVP, ""C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" -r" ["Kaspersky Lab ZAO"]
Storage Service, StorSvc, "C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\storsvc.dll" [MS]}
Windows Live ID Sign-in Assistant, wlidsvc, ""C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Bullzip PDF Print Monitor\Driver = "bzpdf.dll" ["Bullzip"]
Canon BJ Language Monitor MP210 series\Driver = "CNMLM8S.DLL" ["CANON INC."]
Canon BJ Language Monitor MP250 series\Driver = "CNMLM9W.DLL" ["CANON INC."]
SUGS2 Langmon\Driver = "sugs2l6.dll" [empty string]


---------- (launch time: 2012-02-10 14:26:16)
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 28 seconds, including 7 seconds for message boxes)
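The report's footer explains its own markers: "<>" in front of a line means the script considers that launch point suspicious, and entries also carry "[file not found]", "(HIDDEN!)", "[null data]" and "[empty string]" verdicts next to the launched binary. Reading a long report by eye is error-prone, so the following added example (not part of the original post and not code from the Silent Runners script) is a small Python triage pass that walks such a report, remembers which registry key, task folder or section each line sits under, collects every marked line with that context, and reads the three UAC policy values together rather than one at a time. The sample input is a constructed excerpt of the report above; the tag names and the function names are this example's own.

```python
"""Triage a Silent Runners.vbs report: collect the lines the tool marked and
read the UAC policy values. Added example, not code from the original post
or from the Silent Runners script."""
import re

# Constructed excerpt of the report above, one report line per text line.
SAMPLE_REPORT = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AdobeBridge" = "(empty string)" [file not found]
"EADM" = ""C:\Program Files (x86)\Origin\Origin.exe" -AutoStart" ["Electronic Arts"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<>  "AppInit_DLLs" = "C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll,C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<>  ("livessp" [MS])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000000
"EnableLUA" = (REG_DWORD) dword:0x00000000
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000000

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
SUGS2 Langmon\Driver = "sugs2l6.dll" [empty string]
'''

# Markers exactly as Silent Runners prints them, mapped to a triage tag.
MARKERS = {
    "[file not found]": "missing file",
    "(HIDDEN!)": "hidden task",
    "[null data]": "no version info",
    "[empty string]": "blank company name",
}
DWORD = re.compile(r'^"(?P<name>[^"]+)" = \(REG_DWORD\) dword:0x(?P<hex>[0-9A-Fa-f]{8})$')


def is_context_line(line):
    """True for a line that opens a registry key, a task folder or a section,
    so the value lines below it can be reported with their launch point."""
    if " = " in line or " -> " in line:
        return False
    return line.startswith(("HKLM\\", "HKCU\\", "C:\\Windows\\System32\\Tasks")) or line.endswith(":")


def triage(report):
    """Return (findings, policy): marked lines with their context and tags,
    and the REG_DWORD values found under the Policies\\System key as ints."""
    findings, policy, context = [], {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_context_line(line):
            context = line
            continue
        tags = []
        if line.startswith("<>"):  # the script's own "suspicious" marker
            tags.append("tool-flagged")
            line = line[2:].strip()
        tags += [tag for marker, tag in MARKERS.items() if marker in line]
        m = DWORD.match(line)
        if m and context and context.endswith("\\Policies\\System\\"):
            policy[m.group("name")] = int(m.group("hex"), 16)
        if tags:
            findings.append({"context": context, "line": line, "tags": tags})
    return findings, policy


def uac_assessment(policy):
    """Read the three UAC values together: EnableLUA=0 switches Admin Approval
    Mode off, so the two prompt settings no longer apply."""
    lua = policy.get("EnableLUA")
    if lua is None:
        return "EnableLUA not reported (the tool omits default values; Windows default is 1)"
    if lua == 0:
        return "UAC disabled: EnableLUA=0, administrators run fully elevated"
    notes = []
    if policy.get("ConsentPromptBehaviorAdmin") == 0:
        notes.append("ConsentPromptBehaviorAdmin=0: elevation without prompting")
    if policy.get("PromptOnSecureDesktop") == 0:
        notes.append("PromptOnSecureDesktop=0: prompt shown on the normal desktop")
    return "UAC on" + ("; " + "; ".join(notes) if notes else "")


if __name__ == "__main__":
    found, pol = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[{', '.join(f['tags'])}] {f['line']}\n    under: {f['context']}")
    print(uac_assessment(pol))
```

Run against the excerpt, it lists six findings and reports UAC as disabled, which is the single most consequential setting in the report: with EnableLUA=0 every process an administrator starts already holds the full token, so nothing else on the list needs to elevate. Two of the "[file not found]" verdicts deserve different follow-up. The AppInit_DLLs value is written with 8.3 short names (C:\PROGRA~2\KASPER~1\...), so it should be re-checked on the host by resolving the short path before the DLLs are treated as missing; either way, a populated AppInit_DLLs is worth confirming, because every DLL listed there is loaded into every process that loads user32.dll. The PnkBstrA service, by contrast, points at a plain path that the tool could not find, which is what a leftover service registration from an uninstalled program looks like.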