“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CursorXP” = ““C:\Program Files\Stardock\Object Desktop\CursorXP\CursorXP.exe”” [" “] “Fraps” = ““C:\PROGRAM FILES\FRAPS\FRAPS.EXE”” [“Beepa P/L”] “Everest” = ““D:\Downloads\Programy\Everest Ultimate 3\everest.exe”” [“Lavalys, Inc.”] “PacSteam” = “F:\PacSteam\Steam.exe” [“Valve Corporation”] “Windows Registry Repair Pro” = “C:\Program Files\Windows Registry Repair Pro\RegistryRepairPro.exe 4” [“3B Software, Inc.”] “hldrrr” = “C:\WINDOWS\system32\hldrrr.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “BootSkin Startup Jobs” = ““C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe” /StartupJobs” [empty string] “NvCplDaemon” = ““RUNDLL32.EXE” C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “NvMediaCenter” = ““RunDLL32.exe” NvMCTray.dll,NvTaskbarInit” [MS] “hldrrr” = “C:\WINDOWS\system32\hldrrr.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\Spybot S&D\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll” [“Sun Microsystems, Inc.”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] {C333CF63-767F-4831-94AC-E683D962C63C}(Default) = (no title provided) -> {HKLM…CLSID} = “CoTGT_BHO Class” \InProcServer32(Default) = “C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” -> {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\SHDOCVW.DLL” [MS] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” = “Webroot Spy Sweeper Context Menu Integration” -> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Spy Sweeper\SSCtxMnu.dll” [“Webroot Software, Inc.”] “{00000000-5736-4205-0100-f7ed0776fb27}” = “Steganos Internet Anonym 2006” -> {HKLM…CLSID} = “Steganos Internet Anonym 2006” \InProcServer32(Default) = “c:\program files\steganos internet anonym 2006\sia2006se.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> WRNotifier\DLLName = “WRLogonNTF.dll” [“Webroot Software, Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Steganos Internet Anonym 2006(Default) = “{00000000-5736-4205-0100-f7ed0776fb27}” -> {HKLM…CLSID} = “Steganos Internet Anonym 2006” \InProcServer32(Default) = “c:\program files\steganos internet anonym 2006\sia2006se.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Steganos Internet Anonym 2006(Default) = “{00000000-5736-4205-0100-f7ed0776fb27}” -> {HKLM…CLSID} = “Steganos Internet Anonym 2006” \InProcServer32(Default) = “c:\program files\steganos internet anonym 2006\sia2006se.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] SpySweeper(Default) = “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” -> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Spy Sweeper\SSCtxMnu.dll” [“Webroot Software, Inc.”] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ SpySweeper(Default) = “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” -> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Spy Sweeper\SSCtxMnu.dll” [“Webroot Software, Inc.”] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] Default executables: -------------------- HKLM\Software\Classes.hta\ = (key not found) <> HKLM\Software\Classes\scrfile\shell\open\command(Default) = “”%1” %*" [file not found] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSMBalloonTip” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “CDRAutoRun” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoClose” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoAutoTrayNotify” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveTrack” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveSearch” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “LinkResolveIgnoreLinkInfo” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoStartBanner” = (REG_BINARY) hex:00 00 00 00 {Remove “Click here to begin” from Start button} “NoWelcomeScreen” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDesktopCleanupWizard” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “ForceClassicControlPanel” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSMConfigurePrograms” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoDrives” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “MemCheckBoxInRunDlg” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSharedDocuments_XXX_Temp” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoRecentDocsMenu” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoFavoritesMenu” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Favorites menu from Start Menu} “NoSMMyDocs” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Documents menu from Start Menu} “NoSMMyPictures” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove My Pictures icon from Start Menu} “NoStartMenuMyMusic” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoRecentDocsHistory” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoRecentDocsNetHood” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSMHelp” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Help menu from Start Menu} “NoRun” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoUserNameInStartMenu” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoStartMenuPinnedList” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSharedDocuments” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Remove Shared Documents from My Computer} “NoRecycleFiles” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “GreyMSIAds” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoViewOnDrive” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoLogoff” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Logon/Logoff| Disable Logoff} “NoInstrumentation” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “ForceStartMenuLogoff” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoAddPrinter” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoDeletePrinter” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoActiveDesktop” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Disable Active Desktop} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don’t save settings at exit} “ClassicShell” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Enable Classic Shell / Turn on Classic Shell} “NoThemesTab” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Enable Active Desktop} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoRemoteRecursiveEvents” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoStrCmpLogical” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoClose” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “LinkResolveIgnoreLinkInfo” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveSearch” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoRecentDocsMenu” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoFavoritesMenu” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSMMyDocs” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSMMyPictures” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoStartMenuMyMusic” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoRecentDocsHistory” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoRecentDocsNetHood” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSMHelp” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoRun” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoInstrumentation” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSimpleStartMenu” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoActiveDesktopChanges” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegedit” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} “NoDispAppearancePage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoColorChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSizeChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispBackgroundPage” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Hide Desktop tab} “NoDispScrSavPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispCPL” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Remove Display in Control Panel} “NoVisualStyleChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispSettingsPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\ “DisableWindowsUpdateAccess” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Update| Remove access to use all Windows Update features} HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\ “NoUpdateCheck” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “RunStartupScriptSync” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “SynchronousMachineGroupPolicy” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “SynchronousUserGroupPolicy” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\CopperDeckII_1600.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\CopperDeckII_1600.bmp” Startup items in “User” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\User\Menu Start\Programy\Autostart “Rainlendar” -> shortcut to: “C:\Program Files\Rainlendar\Rainlendar.exe” [“Rainy”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\Secure Surfing Engine\sselsp.dll [null data], 01 - 03, 24 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{00000000-5736-4205-0008-F7ED0776FB27}” -> {HKLM…CLSID} = “Steganos Internet Anonym” \InProcServer32(Default) = “c:\program files\steganos internet anonym 2006\sia2006iep.dll” [null data] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{00000000-5736-4205-0008-F7ED0776FB27}” = (no title provided) -> {HKLM…CLSID} = “Steganos Internet Anonym” \InProcServer32(Default) = “c:\program files\steganos internet anonym 2006\sia2006iep.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{00000000-5736-4205-0009-F7ED0776FB27}(Default) = “Steganos Private Favorites” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “c:\program files\steganos internet anonym 2006\sia2006iep.dll” [null data] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[V e r s i o n] : S i g n a t u r e = " $ C H I C A G O $ " : A d v a n c e d I N F = 2 . 5 , " Y o u n e e d a n e w v e r s i o n o f a d v p a c k . d l l " : : [R e s t o r e H o m e P a g e] : A d d R e g = R e s t o r e H o m e P a g e . r e g : : [R e s t o r e B r o w s e r S e t t i n g s] : A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g : D e l R e g = D e l e t e T e m p l a t e s . r e g , D e l e t e A u t o s e a r c h . r e g : : [R e s t o r e H o m e P a g e . r e g] : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S t a r t P a g e " , 0 , % S T A R T _ P A G E _ U R L % : : [R e s t o r e B r o w s e r S e t t i n g s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u " : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " " : : t m " : t m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * " : : [D e l e t e T e m p l a t e s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 " : : [D e l e t e A u t o s e a r c h . r e g] : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " A u t o S e a r c h " : : [S t r i n g s] : S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h " : S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m " : : ; I M P O R T A N T N O T E : : ; I E b r a n d i n g d l l ( i e d k c s 3 2 . d l l ) u s e s t h e f o l l o w i n g e n t r i e s t o r e s t o r e t h e d e f a u l t M S v a l u e s . : ; I n t h e v a n i l l a v e r s i o n o f I E , t h e v a l u e s m u s t b e t h e s a m e a s t h e i r c o r r e s p o n d i n g n o n M S _ * v a l u e s . : ; F o r e x a m p l e , S T A R T _ P A G E _ U R L a n d M S _ S T A R T _ P A G E _ U R L m u s t h a v e t h e s a m e U R L i n t h e I E v e r s i o n r e l e a s e d b y M S . : M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : Missing lines (compared with English-language version): [Version]: 2 lines [RestoreHomePage]: 1 line [RestoreHomePage.reg]: 1 line [RestoreBrowserSettings.reg]: 12 lines [DeleteTemplates.reg]: 5 lines [DeleteAutosearch.reg]: 1 line [strings]: 1 line [RestoreBrowserSettings]: 2 lines [strings]: 3 lines Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\AVG Anti-Spyware 7.5\guard.exe” [“Anti-Malware Development a.s.”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Sunbelt Kerio Personal Firewall 4, KPF4, ““C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe”” [“Sunbelt Software”] Webroot Spy Sweeper Engine, WebrootSpySweeperService, ““C:\Program Files\Spy Sweeper\SpySweeper.exe”” [“Webroot Software, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 31 seconds. ---------- (total run time: 80 seconds)