OK, oto log ze skanu Silent Runnera (rev. 57, Windows Vista; uwaga: w sekcji Group Policies EnableLUA = 0, czyli UAC jest wyłączone):
"Silent Runners.vbs", revision 57, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“Sidebar” = “C:\Program Files\Windows Sidebar\sidebar.exe /autoRun” [MS]
“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]
“ehTray.exe” = “C:\Windows\ehome\ehTray.exe” [MS]
“AlcoholAutomount” = ““C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe” /automount” [“Alcohol Soft Development Team”]
“msnmsgr” = ““C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background” [MS]
“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [“Google Inc.”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“Windows Defender” = “C:\Program Files\Windows Defender\MSASCui.exe -hide”
“VAIOCameraUtility” = ““C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe”” [“Sony Corporation”]
“TrueImageMonitor.exe” = “C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe” [“Acronis”]
“AcronisTimounterMonitor” = “C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe” [“Acronis”]
“NvSvc” = “RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart” [MS]
“NvCplDaemon” = “RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup” [MS]
“NvMediaCenter” = “RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit” [MS]
“Sony Ericsson PC Suite” = ““C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions” [null data]
“Apoint” = “C:\Program Files\Apoint\Apoint.exe” [“Alps Electric Co., Ltd.”]
“Acronis Scheduler2 Service” = ““C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe”” [“Acronis”]
“ISBMgr.exe” = ““C:\Program Files\Sony\ISB Utility\ISBMgr.exe”” [“Sony Corporation”]
“Babylon Client” = “C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart” [“Babylon Ltd.”]
“AVG8_TRAY” = “C:\PROGRA~1\AVG\AVG8\avgtray.exe” [“AVG Technologies CZ, s.r.o.”]
“TrayServer” = “C:\Program Files\MAGIX\Movie_Edit_Pro_14_silver\TrayServer.exe” [“MAGIX AG”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “Adobe PDF Reader Link Helper”
\InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”
-> {HKLM…CLSID} = “Skype add-on (mastermind)”
\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}(Default) = “WormRadar.com IESiteBlocker.NavFilter”
-> {HKLM…CLSID} = “AVG Safe Search”
\InProcServer32(Default) = “C:\Program Files\AVG\AVG8\avgssie.dll” [“AVG Technologies CZ, s.r.o.”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{9030D464-4C02-4ABF-8ECC-5164760863C6}(Default) = (no title provided)
-> {HKLM…CLSID} = “Pomocnik rejestracji usługi Windows Live”
\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll” [MS]
{A057A204-BACC-4D26-9990-79A187E2698E}(Default) = (no title provided)
-> {HKLM…CLSID} = “AVG Security Toolbar”
\InProcServer32(Default) = “C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL” ["AVG, Technologies CZ, s.r.o "]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM…CLSID} = “Google Toolbar Helper”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}(Default) = (no title provided)
-> {HKLM…CLSID} = “Windows Live Toolbar Helper”
\InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”
-> {HKLM…CLSID} = “DesktopContext Class”
\InProcServer32(Default) = “C:\Windows\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}” = “Bluetooth”
-> {HKCU…CLSID} = “Wymiana informacji - Bluetooth”
\InProcServer32(Default) = “C:\Windows\system32\TosBtExt.dll” [file not found]
-> {HKLM…CLSID} = “Wymiana informacji - Bluetooth”
\InProcServer32(Default) = “C:\Windows\system32\TosBtExt.dll” [file not found]
“{C539A15A-3AF9-4c92-B771-50CB78F5C751}” = “Acronis True Image Shell Context Menu Extension”
-> {HKLM…CLSID} = “Acronis True Image Shell Context Menu Extension”
\InProcServer32(Default) = “C:\Program Files\Acronis\TrueImageHome\tishell.dll” [“Acronis”]
“{C539A15B-3AF9-4c92-B771-50CB78F5C751}” = “Acronis True Image Shell Extension”
-> {HKLM…CLSID} = “Acronis True Image Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Acronis\TrueImageHome\tishell.dll” [“Acronis”]
“{7842554E-6BED-11D2-8CDB-B05550C10000}” = “Monitor”
-> {HKLM…CLSID} = “Monitor Class”
\InProcServer32(Default) = “C:\Windows\system32\btncopy.dll” [“Broadcom Corporation.”]
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”
-> {HKLM…CLSID} = “NVIDIA CPL Extension”
\InProcServer32(Default) = “C:\Windows\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”
-> {HKLM…CLSID} = “iTunes”
\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”]
“{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”
-> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL” [MS]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS]
“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”
-> {HKLM…CLSID} = “Microsoft Office Metadata Handler”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]
“{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”
-> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]
“{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG8 Shell Extension”
-> {HKLM…CLSID} = “AVG8 Shell Extension Class”
\InProcServer32(Default) = “C:\Program Files\AVG\AVG8\avgse.dll” [“AVG Technologies CZ, s.r.o.”]
“{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}” = “Messenger Sharing Folders”
-> {HKLM…CLSID} = “Moje foldery udostępniania”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll” [MS]
“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
“{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]
“{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]
“{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]
“{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]
“{0563DB41-F538-4B37-A92D-4659049B7766}” = “WLMD Message Handler”
-> {HKLM…CLSID} = “CLSID_WLMCMimeFilter”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Mail\mailcomm.dll” [MS]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{00F33137-EE26-412F-8D71-F84E4C2C6625}” = (no title provided)
-> {HKLM…CLSID} = “Windows Live Photo Gallery Import Autoplay Shim”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS]
“{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}” = “Windows Live Photo Gallery Viewer Drop Target Shim”
-> {HKLM…CLSID} = “Windows Live Photo Gallery Viewer Shim”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS]
“{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}” = “Windows Live Photo Gallery Editor Drop Target Shim”
-> {HKLM…CLSID} = “Windows Live Photo Gallery Editor Shim”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS]
“{00F30F90-3E96-453B-AFCD-D71989ECC2C7}” = “Windows Live Photo Gallery Autoplay Drop Target Shim”
-> {HKLM…CLSID} = “Windows Live Photo Gallery Viewer Autoplay Shim”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS]
“{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}” = “Menedżer plików firmy Sony Ericsson”
-> {HKLM…CLSID} = “Menedżer plików firmy Sony Ericsson”
\InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll” [“Popwire AB”]
“{738D66C6-0149-4D40-84E4-A7BB2D0CE949}” = “Menedżer plików firmy Sony Ericsson”
-> {HKLM…CLSID} = “Menedżer plików firmy Sony Ericsson”
\InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll” [“Popwire AB”]
“{ED58A35B-B554-42AF-A26C-6F3D424200D3}” = “Sony Power Management Extensiond”
-> {HKLM…CLSID} = “SPMPanel”
\InProcServer32(Default) = “C:\Program Files\Sony\VAIO Power Management\SPMPanel.dll” [“Sony Corporation”]
“{79BC0345-1015-11D2-A299-006008312725}” = “blue.shell”
-> {HKLM…CLSID} = “///FAST project settings”
\InProcServer32(Default) = “C:\Program Files\Pinnacle\VideoSpin\Programs\BlueShellExt.dll” [null data]
“{A155339D-CCCD-4714-85EB-3754B804C9DF}” = “a-squared Free Shell Extension”
-> {HKLM…CLSID} = “a-squared Free Shell Extension”
\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5”
-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”
\InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“GRISOFT s.r.o.”]
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<> “Authentication Packages” = “msv1_0”|“relog_ap”
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”]
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
-> {HKLM…CLSID} = “CContextScan Object”
\InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”]
AVG8 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}”
-> {HKLM…CLSID} = “AVG8 Shell Extension Class”
\InProcServer32(Default) = “C:\Program Files\AVG\AVG8\avgse.dll” [“AVG Technologies CZ, s.r.o.”]
RXDCExtSvr(Default) = “{70D0238E-E029-4a94-B68D-182018B6C4FF}”
-> {HKLM…CLSID} = “RXDCExtShlExt Class”
\InProcServer32(Default) = “C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll” [“Sonic Solutions”]
tosBtShllExt(Default) = “{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}”
-> {HKCU…CLSID} = “Bluetooth File Extenstion”
\InProcServer32(Default) = “C:\Windows\system32\TosBtShell.dll” [file not found]
-> {HKLM…CLSID} = “Bluetooth File Extenstion”
\InProcServer32(Default) = “C:\Windows\system32\TosBtShell.dll” [file not found]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
-> {HKLM…CLSID} = “CContextScan Object”
\InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“GRISOFT s.r.o.”]
tosBtShllExt(Default) = “{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}”
-> {HKCU…CLSID} = “Bluetooth File Extenstion”
\InProcServer32(Default) = “C:\Windows\system32\TosBtShell.dll” [file not found]
-> {HKLM…CLSID} = “Bluetooth File Extenstion”
\InProcServer32(Default) = “C:\Windows\system32\TosBtShell.dll” [file not found]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}”
-> {HKLM…CLSID} = “a-squared Free Shell Extension”
\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]
AVG8 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}”
-> {HKLM…CLSID} = “AVG8 Shell Extension Class”
\InProcServer32(Default) = “C:\Program Files\AVG\AVG8\avgse.dll” [“AVG Technologies CZ, s.r.o.”]
MBAMShlExt(Default) = “{57CE581A-0CB6-4266-9CA0-19364C90A0B3}”
-> {HKLM…CLSID} = “MBAMShlExt Class”
\InProcServer32(Default) = “C:\Program Files\Malwarebytes’ Anti-Malware\mbamext.dll” [“Malwarebytes”]
RXDCExtSvr(Default) = “{70D0238E-E029-4a94-B68D-182018B6C4FF}”
-> {HKLM…CLSID} = “RXDCExtShlExt Class”
\InProcServer32(Default) = “C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll” [“Sonic Solutions”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing LP”]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}”
-> {HKLM…CLSID} = “a-squared Free Shell Extension”
\InProcServer32(Default) = “C:\Program Files\a-squared Free\a2freecontmenu.dll” [“Emsi Software GmbH”]
MBAMShlExt(Default) = “{57CE581A-0CB6-4266-9CA0-19364C90A0B3}”
-> {HKLM…CLSID} = “MBAMShlExt Class”
\InProcServer32(Default) = “C:\Program Files\Malwarebytes’ Anti-Malware\mbamext.dll” [“Malwarebytes”]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideLogoffScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“RunLogonScriptSync” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
“RunStartupScriptSync” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
“HideStartupScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
“ConsentPromptBehaviorAdmin” = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
“ConsentPromptBehaviorUser” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}
“EnableInstallerDetection” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}
“EnableLUA” = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
“EnableSecureUIAPaths” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}
“EnableVirtualization” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}
“PromptOnSecureDesktop” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}
“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
“FilterAdministratorToken” = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}
“DisableRegistryTools” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideLogoffScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“RunLogonScriptSync” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
“RunStartupScriptSync” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
“HideStartupScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Users\VAIO\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\Windows\system32\scrnsave.scr” [MS]
Windows Portable Device AutoPlay Handlers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
DMXPlayDVD\
“Provider” = “Roxio CinePlayer”
“InvokeProgID” = “DMX.PLAYDVD”
“InvokeVerb” = “Play”
HKLM\SOFTWARE\Classes\DMX.PLAYDVD\shell\Play\Command(Default) = "C:\Program Files\Roxio\CinePlayer\DMX.exe DVD "Play %1"" [null data]
InterActualPlayerPlayDVDVideoArrival\
“Provider” = “InterActual Player”
“InvokeProgID” = “InterActualPlayer.PlayDVD”
“InvokeVerb” = “play”
HKLM\SOFTWARE\Classes\InterActualPlayer.PlayDVD\shell\play\command(Default) = “C:\Program Files\InterActual\InterActual Player\iPlayer.exe -startup=autorun” [“Sonic Solutions”]
iTunesBurnCDOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.BurnCD”
“InvokeVerb” = “burn”
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayBurn “%L”” [“Apple Inc.”]
iTunesImportSongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.ImportSongsOnCD”
“InvokeVerb” = “import”
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayImportSongs “%L”” [“Apple Inc.”]
iTunesPlaySongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.PlaySongsOnCD”
“InvokeVerb” = “play”
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /playCD “%L”” [“Apple Inc.”]
iTunesShowSongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.ShowSongsOnCD”
“InvokeVerb” = “showsongs”
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayShowSongs “%L”” [“Apple Inc.”]
MediaCapture10Music\
“Provider” = “Media Import”
“InvokeProgID” = “RoxioMediaCapture10”
“InvokeVerb” = “Audio”
HKLM\SOFTWARE\Classes\RoxioMediaCapture10\shell\Audio\command(Default) = “C:\Program Files\Roxio\Media Import 10\MediaCapture10.exe -audio %L” [“Sonic Solutions”]
MediaCapture10Photos\
“Provider” = “Media Import”
“InvokeProgID” = “RoxioMediaCapture10”
“InvokeVerb” = “Photo”
HKLM\SOFTWARE\Classes\RoxioMediaCapture10\shell\Photo\command(Default) = “C:\Program Files\Roxio\Media Import 10\MediaCapture10.exe -photo %L” [“Sonic Solutions”]
MediaCapture10VideoCamera\
“Provider” = “Media Import”
“ProgID” = “Shell.HWEventHandlerShellExecute”
“InitCmdLine” = “C:\Program Files\Roxio\Media Import 10\MediaCapture10.exe”
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}”
-> {HKLM…CLSID} = “Shell Execute Hardware Event Handler”
\LocalServer32(Default) = “C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS]
MediaCapture10Videos\
“Provider” = “Media Import”
“InvokeProgID” = “RoxioMediaCapture10”
“InvokeVerb” = “Video”
HKLM\SOFTWARE\Classes\RoxioMediaCapture10\shell\Video\command(Default) = “C:\Program Files\Roxio\Media Import 10\MediaCapture10.exe -video %L” [“Sonic Solutions”]
MediaMonkeyBurnHandler\
“Provider” = “MediaMonkey”
“InvokeProgID” = “SongsDB.SDBDropTarget”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTarget\shell\open\DropTarget\CLSID = “{AB97EDE4-091B-405F-83E6-9A31AD18EDAF}”
-> {HKLM…CLSID} = “SDBDropTarget”
\LocalServer32(Default) = “C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE” [“Ventis Media Inc.”]
MediaMonkeyPlayCDHandler\
“Provider” = “MediaMonkey”
“InvokeProgID” = “SongsDB.SDBDropTarget”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTarget\shell\open\DropTarget\CLSID = “{AB97EDE4-091B-405F-83E6-9A31AD18EDAF}”
-> {HKLM…CLSID} = “SDBDropTarget”
\LocalServer32(Default) = “C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE” [“Ventis Media Inc.”]
MediaMonkeyPlayHandler\
“Provider” = “MediaMonkey”
“InvokeProgID” = “SongsDB.SDBDropTarget”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTarget\shell\open\DropTarget\CLSID = “{AB97EDE4-091B-405F-83E6-9A31AD18EDAF}”
-> {HKLM…CLSID} = “SDBDropTarget”
\LocalServer32(Default) = “C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE” [“Ventis Media Inc.”]
MediaMonkeyRipCDHandler\
“Provider” = “MediaMonkey”
“InvokeProgID” = “SongsDB.SDBDropTargetRip”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTargetRip\shell\open\DropTarget\CLSID = “{7903D765-DA8C-4CB9-ADF2-F88D82E6BFFE}”
-> {HKLM…CLSID} = “SDBDropTargetRip”
\LocalServer32(Default) = “C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE” [“Ventis Media Inc.”]
MediaMonkeyStartHandler\
“Provider” = “MediaMonkey”
“CLSID” = “{0BA2D9E2-D4C8-45B2-8F5B-B3ADE5E461E6}”
-> {HKLM…CLSID} = “SDBHWEvents”
\LocalServer32(Default) = “C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE” [“Ventis Media Inc.”]
MPCPlayCDAudioOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayCDAudio”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /cd” [“Gabest”]
MPCPlayDVDMovieOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayDVDMovie”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /dvd” [“Gabest”]
MPCPlayMusicFilesOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayMusicFiles”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”]
MPCPlayVideoFilesOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayVideoFiles”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command(Default) = ““C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”]
MSLivePhotoAcqHWEventHandler\
“Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10;en-us.1329.0201”
“ProgID” = “Microsoft.LivePhotoAcqHWEventHandler”
HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqHWEventHandler\CLSID(Default) = “{3BD0ACD1-71CA-4475-92CC-E0AA0AAF843F}”
-> {HKLM…CLSID} = (no title provided)
\LocalServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe” [MS]
MSLivePhotoAcquireDropHandler\
“Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10;en-us.1329.0201”
“InvokeProgID” = “Microsoft.LivePhotoAcqDTShim.1”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = “{00F33137-EE26-412F-8D71-F84E4C2C6625}”
-> {HKLM…CLSID} = “Windows Live Photo Gallery Import Autoplay Shim”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS]
MSLiveShowPicturesOnArrival\
“Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10;en-us.1329.0201”
“InvokeProgID” = “Microsoft.Photos.LiveAutoplayShim.1”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = “{00F30F90-3E96-453B-AFCD-D71989ECC2C7}”
-> {HKLM…CLSID} = “Windows Live Photo Gallery Viewer Autoplay Shim”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS]
MSLiveVideoCameraArrivalCaptureWizard\
“Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10;en-us.1329.0201”
“ProgID” = “WLXAutoPlayMgr.WLXHWEventHandler”
“InitCmdLine” = “WLXVideoAcquireWizard”
HKLM\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler\CLSID(Default) = “{9B5C97F6-B3A5-4A6D-8B03-993EC7291A22}”
-> {HKLM…CLSID} = “WLXWEventHandler Class”
\LocalServer32(Default) = ““C:\Program Files\Windows Live\Photo Gallery\WLXVideoCameraAutoPlayManager.exe”” [MS]
MSWMEncVCArrival\
“Provider” = “Windows Media Encoder 9 Series”
“ProgID” = “Shell.HWEventHandlerShellExecute”
“InitCmdLine” = “C:\Program Files\Windows Media Components\Encoder\WMEnc.exe”
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}”
-> {HKLM…CLSID} = “Shell Execute Hardware Event Handler”
\LocalServer32(Default) = “C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS]
MxVideoDeLuxeVideoCameraArrival\
“Provider” = “MAGIX Movie Edit Pro silver”
“ProgID” = “Magix.videodeLuxe”
HKLM\SOFTWARE\Classes\Magix.videodeLuxe\CLSID(Default) = “{1810360D-0FC7-474B-ABC1-84E96BF51D2F}”
-> {HKLM…CLSID} = “videodeLuxe AutoplayClass”
\LocalServer32(Default) = “C:\Program Files\MAGIX\Movie_Edit_Pro_14_silver\MovieEdit.exe” [“MAGIX AG”]
Picasa2ImportPicturesOnArrival\
“Provider” = “Picasa2”
“InvokeProgID” = “picasa2.autoplay”
“InvokeVerb” = “import”
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]
RoxioCreator10PlayCDAudioOnArrival\
“Provider” = “Roxio Creator Classic”
“InvokeProgID” = “Creator10”
“InvokeVerb” = “open”
HKLM\SOFTWARE\Classes\Creator10\shell\open\Command(Default) = “C:\Program Files\Roxio\Creator Classic 10\Creator10.exe” [“Sonic Solutions”]
RoxioSCAudioCDTask36\
“Provider” = “Roxio Central Audio”
“InvokeProgID” = “Roxio.RoxioCentral36”
“InvokeVerb” = “AudioCDTask”
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral36\shell\AudioCDTask\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe” /Launch {1DF24BC5-8E7F-4D41-AF7B-1EAAF8CE889B}” [null data]
RoxioSCCopyCD36\
“Provider” = “Roxio Central Copy”
“InvokeProgID” = “Roxio.RoxioCentral36”
“InvokeVerb” = “ExactCopyJob”
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral36\shell\ExactCopyJob\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe” /Launch {D7B34115-CCC3-4508-BAC4-02A111F4DB4D}” [null data]
RoxioSCCopyDisc36\
“Provider” = “Roxio Central Copy”
“InvokeProgID” = “Roxio.RoxioCentral36”
“InvokeVerb” = “ExactCopyJob”
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral36\shell\ExactCopyJob\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe” /Launch {D7B34115-CCC3-4508-BAC4-02A111F4DB4D}” [null data]
RoxioSCDataProject36\
“Provider” = “Roxio Central Data”
“InvokeProgID” = “Roxio.RoxioCentral36”
“InvokeVerb” = “DataGuide”
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral36\shell\DataGuide\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe” /Launch Data” [null data]
RoxioSCDataTask36\
“Provider” = “Roxio Central Data”
“InvokeProgID” = “Roxio.RoxioCentral36”
“InvokeVerb” = “DataTask”
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral36\shell\DataTask\Command(Default) = ““C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\Main\Roxio_Central36.exe” /Launch {85B64A0F-9111-4A55-8B5A-59343EE1EE8B}” [null data]
WIA_{569A2D1B-F33D-4CCC-B8CA-476FFD3251A8}\
“Provider” = “Picasa2”
“CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}”
“InitCmdLine” = “/WiaCmd;C:\Program Files\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;”
-> {HKLM…CLSID} = “WPDShextAutoplay”
\LocalServer32(Default) = “C:\Windows\system32\WPDShextAutoplay.exe” [MS]
WIA_{6D7F3577-EB4C-4F01-B242-8E14F4B58B05}\
“Provider” = “Picasa2”
“CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}”
“InitCmdLine” = “/WiaCmd;C:\Program Files\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;”
-> {HKLM…CLSID} = “WPDShextAutoplay”
\LocalServer32(Default) = “C:\Windows\system32\WPDShextAutoplay.exe” [MS]
WIA_{7F76B217-883B-462F-B39C-1AE8B271BADB}\
“Provider” = “Microsoft Office OneNote”
“CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}”
“InitCmdLine” = “/WiaCmd;C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE /IMG_WIA;”
-> {HKLM…CLSID} = “WPDShextAutoplay”
\LocalServer32(Default) = “C:\Windows\system32\WPDShextAutoplay.exe” [MS]
WIA_{E12ADB14-BDAA-48A7-B1E5-0019F93E9B80}\
“Provider” = “Microsoft Office Word”
“CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}”
“InitCmdLine” = “/WiaCmd;C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;”
-> {HKLM…CLSID} = “WPDShextAutoplay”
\LocalServer32(Default) = “C:\Windows\system32\WPDShextAutoplay.exe” [MS]
WinampMTPHandler\
“Provider” = “Winamp”
“ProgID” = “Shell.HWEventHandlerShellExecute”
“InitCmdLine” = “C:\Program Files\Winamp\winamp.exe”
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}”
-> {HKLM…CLSID} = “Shell Execute Hardware Event Handler”
\LocalServer32(Default) = “C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS]
WinampPlayMediaOnArrival\
“Provider” = “Winamp”
“InvokeProgID” = “Winamp.File”
“InvokeVerb” = “Play”
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command(Default) = "“C:\Program Files\Winamp\winamp.exe” “%1"” [“Nullsoft”]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = “{46986115-84D6-459c-8F95-52DD653E532E}”
-> {HKLM…CLSID} = (no title provided)
\LocalServer32(Default) = ““C:\Program Files\Winamp\winamp.exe”” [“Nullsoft”]
Startup items in “VAIO” & “All Users” startup folders:
C:\Users\VAIO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
“Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007” -> shortcut to: “C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr” [MS]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
“BTTray” -> shortcut to: “C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe” [“Broadcom Corporation.”]
Non-disabled Scheduled Tasks:
C:\Windows\System32\Tasks
“Sprawdź aktualizacje paska narzędzi Windows Live Toolbar” -> launches: “C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE” [MS]
“User_Feed_Synchronization-{F1D15D29-081B-486C-8246-AD8F38BED216}” -> (HIDDEN!) launches: “C:\Windows\system32\msfeedssync.exe sync” [MS]
C:\Windows\System32\Tasks\Apple
“AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task” [“Apple Inc.”]
C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
“UninstallDeviceTask” -> launches: “BthUdTask.exe $(Arg0)” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
“SystemTask” -> launches: “{58fb76b9-ac85-4e55-ac04-427593b1d060}”
-> {HKLM…CLSID} = “Certificate Services Client Task Handler”
\InProcServer32(Default) = “C:\Windows\system32\dimsjob.dll” [MS]
“UserTask” -> launches: “{58fb76b9-ac85-4e55-ac04-427593b1d060}”
-> {HKLM…CLSID} = “Certificate Services Client Task Handler”
\InProcServer32(Default) = “C:\Windows\system32\dimsjob.dll” [MS]
“UserTask-Roam” -> launches: “{58fb76b9-ac85-4e55-ac04-427593b1d060}”
-> {HKLM…CLSID} = “Certificate Services Client Task Handler”
\InProcServer32(Default) = “C:\Windows\system32\dimsjob.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
“Consolidator” -> launches: “%SystemRoot%\System32\wsqmcons.exe” [MS]
“OptinNotification” -> launches: “%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0” [MS]
“Uploader” -> launches: “%windir%\system32\WSqmCons.exe -u” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
“ScheduledDefrag” -> launches: “%windir%\system32\defrag.exe -c -i” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
“ehDRMInit” -> launches: “%SystemRoot%\ehome\ehPrivJob.exe /DRMInit” [MS]
“mcupdate” -> launches: “%SystemRoot%\ehome\mcupdate $(Arg0) -gc” [MS]
“OCURActivate” -> launches: “%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate” [MS]
“OCURDiscovery” -> launches: “%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery” [MS]
“UpdateRecordPath” -> launches: “%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
“HotStart” -> launches: “{06DA0625-9701-43da-BFD7-FBEEA2180A1E}”
-> {HKLM…CLSID} = “HotStart User Agent”
\InProcServer32(Default) = “C:\Windows\System32\HotStartUserAgent.dll” [MS]
“TMM” -> launches: “{35EF4182-F900-4632-B072-8639E4478A61}”
-> {HKLM…CLSID} = “Transient Multi-Monitor Manager”
\InProcServer32(Default) = “C:\Windows\System32\TMM.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MUI
“LPRemove” -> launches: “%windir%\system32\lpremove.exe” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
“SystemSoundsService” -> launches: “{2DEA658F-54C1-4227-AF9B-260AB5FC3543}”
-> {HKLM…CLSID} = “Microsoft PlaySoundService Class”
\InProcServer32(Default) = “C:\Windows\System32\PlaySndSrv.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
“NAPStatus UI” -> launches: “{f09878a1-4652-4292-aa63-8c7d4fd7648f}”
-> {HKLM…CLSID} = “Nap ITask Handler Implementation”
\InProcServer32(Default) = “C:\Windows\System32\QAgent.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
“ConvertLogEntries” -> (HIDDEN!) launches: “%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RAC
“RACAgent” -> (HIDDEN!) launches: “%windir%\system32\RacAgent.exe” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
“RemoteAssistanceTask” -> (HIDDEN!) launches: “%windir%\system32\RAServer.exe /offerraupdate” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Shell
“CrawlStartPages” -> launches: “{51653423-e62d-4ff7-894a-dabb2b8e21e2}”
-> {HKLM…CLSID} = “CrawlStartPages Task Handler”
\InProcServer32(Default) = “C:\Windows\System32\srchadmin.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
“GadgetManager” -> launches: “{FF87090D-4A9A-4f47-879B-29A80C355D61}”
-> {HKLM…CLSID} = “GadgetsManager Class”
\InProcServer32(Default) = “C:\Windows\System32\AuxiliaryDisplayServices.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
“IpAddressConflict1” -> launches: “rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem” [MS]
“IpAddressConflict2” -> launches: “rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
“MsCtfMonitor” -> (HIDDEN!) launches: “{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}”
-> {HKLM…CLSID} = “MsCtfMonitor task handler”
\InProcServer32(Default) = “C:\Windows\system32\MsCtfMonitor.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
“UPnPHostConfig” -> launches: “sc.exe config upnphost start= auto” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WDI
“ResolutionHost” -> (HIDDEN!) launches: “{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}”
-> {HKLM…CLSID} = “DiagnosticInfrastructureCustomHandler”
\InProcServer32(Default) = “C:\Windows\System32\wdi.dll” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
“QueueReporting” -> launches: “%windir%\system32\wermgr.exe -queuereporting” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar
“Reminders - VAIO” -> launches: “C:\Program Files\Windows Calendar\WinCal.exe /reminder” [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Wired
“GatherWiredInfo” -> launches: “%windir%\system32\gatherWiredInfo.vbs” [null data]
C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
“GatherWirelessInfo” -> launches: “%windir%\system32\gatherWirelessInfo.vbs” [null data]
C:\Windows\System32\Tasks\Microsoft\Windows Defender
“MP Scheduled Scan” -> (HIDDEN!) launches: “c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS]
C:\Windows\System32\Tasks\SONY\VAIO Update
“VAIO Update” -> launches: ““C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe” /Stationary” [“Sony Corporation”]
C:\Windows\System32\Tasks\SONY\WSSU
“WSSU” -> launches: “C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe” [“Sony Corporation”]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\system32\NLAapi.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000004\LibraryPath = “%SystemRoot%\system32\napinsp.dll” [MS]
000000000005\LibraryPath = “%SystemRoot%\system32\pnrpnsp.dll” [MS]
000000000006\LibraryPath = “%SystemRoot%\system32\pnrpnsp.dll” [MS]
000000000007\LibraryPath = “C:\Program Files\Bonjour\mdnsNSP.dll” [“Apple Inc.”]
000000000008\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 63
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”
-> {HKLM…CLSID} = “&Google”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
“{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}”
-> {HKLM…CLSID} = “Windows Live Toolbar”
\InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS]
“{A057A204-BACC-4D26-9990-79A187E2698E}”
-> {HKLM…CLSID} = “AVG Security Toolbar”
\InProcServer32(Default) = “C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL” ["AVG, Technologies CZ, s.r.o "]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided)
-> {HKLM…CLSID} = “&Google”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
“{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” = (no title provided)
-> {HKLM…CLSID} = “Windows Live Toolbar”
\InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS]
“{A057A204-BACC-4D26-9990-79A187E2698E}” = (no title provided)
-> {HKLM…CLSID} = “AVG Security Toolbar”
\InProcServer32(Default) = “C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL” ["AVG, Technologies CZ, s.r.o "]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL” [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}”
-> {HKLM…CLSID} = “Java Plug-in 1.6.0_05”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\
“ButtonText” = “Wpis w blogu”
“MenuText” = “&Wpis w blogu w Windows Live Writer”
“CLSIDExtension” = “{5F7B1267-94A9-47F5-98DB-E99415F33AEC}”
-> {HKLM…CLSID} = “BlogThisToolbarButton Class”
\InProcServer32(Default) = “C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll” [MS]
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
“ButtonText” = “Wyślij do programu OneNote”
“MenuText” = “Wyślij &do programu OneNote”
“CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}”
-> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll” [MS]
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
“ButtonText” = “Skype”
“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
-> {HKLM…CLSID} = “Skype add-on (button)”
\InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Research”
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
“ButtonText” = “@btrez.dll,-4015”
“MenuText” = “@btrez.dll,-12650”
“Script” = “C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm” [null data]
Running Services (Display Name, Service Name, Path {Service DLL}):
a-squared Free Service, a2free, ““C:\Program Files\a-squared Free\a2service.exe”” [“Emsi Software GmbH”]
Acronis Scheduler2 Service, AcrSch2Svc, ““C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe”” [“Acronis”]
Acronis Try And Decide Service, TryAndDecideService, ““C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe”” [null data]
Autokonfiguracja sieci WLAN, Wlansvc, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\System32\wlansvc.dll” [MS]}
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe” [“GRISOFT s.r.o.”]
AVG8 E-mail Scanner, avg8emc, “C:\PROGRA~1\AVG\AVG8\avgemc.exe” [“AVG Technologies CZ, s.r.o.”]
AVG8 WatchDog, avg8wd, “C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe” [“AVG Technologies CZ, s.r.o.”]
Bonjour Service, Bonjour Service, ““C:\Program Files\Bonjour\mDNSResponder.exe”” [“Apple Inc.”]
Dostęp do urządzeń interfejsu HID, hidserv, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\system32\hidserv.dll” [MS]}
Izolacja klucza CNG, KeyIso, “C:\Windows\system32\lsass.exe” [MS]
Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]
Protokół uwierzytelniania rozszerzonego (EAP), EapHost, “C:\Windows\System32\svchost.exe -k netsvcs” {“C:\Windows\System32\eapsvc.dll” [MS]}
SigmaTel Audio Service, STacSV, “C:\Windows\system32\stacsv.exe” [“SigmaTel, Inc.”]
StarWind AE Service, StarWindServiceAE, “C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe” [“Rocket Division Software”]
Urządzenie mobilne Apple, Apple Mobile Device, ““C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe”” [“Apple, Inc.”]
Usługa buforowania czcionek platformy Windows Presentation Foundation, wersja 3.0.0.0, FontCache3.0.0.0, “C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe” [MS]
Usługa Messenger Sharing Folders USN Journal Reader, usnjsvc, ““C:\Program Files\Windows Live\Messenger\usnsvc.exe”” [MS]
Usługa obsługi Bluetooth, BthServ, “C:\Windows\system32\svchost.exe -k bthsvcs” {“C:\Windows\System32\bthserv.dll” [MS]}
VAIO Event Service, VAIO Event Service, “C:\Program Files\Sony\VAIO Event Service\VESMgr.exe” [“Sony Corporation”]
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\System32\WUDFSvc.dll” [MS]}
Windows Image Acquisition (WIA), stisvc, “C:\Windows\system32\svchost.exe -k imgsvc” {“C:\Windows\System32\wiaservc.dll” [MS]}
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = “msonpmon.dll” [MS]
- (launch time: 2008-05-11 11:27:42)
<<!>>: Suspicious data at a malware launch point.
- The search for DESKTOP.INI DLL launch points on all local fixed drives
took 424 seconds.
---------- (total run time: 648 seconds)