“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Yahoo! Pager” = “~“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet” [file not found] “swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe” [file not found] “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Compete Toolbar” = “C:\Program Files\Compete Toolbar\Compete.exe” [“Compete, Inc.”] “Compete Toolbar Update” = “C:\Program Files\Compete Toolbar\CompeteUa.exe” [“Compete, Inc.”] “msnmsgr” = “~“C:\Program Files\MSN Messenger\msnmsgr.exe” /background” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “IMJPMIG8.1” = ““C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32” [MS] “PHIME2002ASync” = “C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC” [MS] “PHIME2002A” = “C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName” [MS] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS] “SNPHV71” = “C:\WINDOWS\vsnphv71.exe” [empty string] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “Disk Monitor” = “C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe” [“Neodio Corp.”] “FtkCPY” = ““C:\Program Files\Common Files\Java\ftkcpy.exe”” [file not found] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “P17Helper” = “Rundll32 P17.dll,P17Helper” [MS] “SemanticInsight” = “C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe” [file not found] “LXCFCATS” = “rundll32 
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16” [MS] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”] “CTSysVol” = “C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r” [“Creative Technology Ltd”] “ISUSPM Startup” = ““C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup” [“Macrovision Corporation”] “ISUSScheduler” = ““C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start” [“Macrovision Corporation”] “AttuneClientEngine” = “C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe” [file not found] “PCTools FW” = “C:\Program Files\PC Tools Firewall Plus\PCTFW.exe /s” [null data] “googletalk” = “C:\Program Files\Google\Google Talk\googletalk.exe /autostart” [“Google”] “avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”] “Google Desktop Search” = ““C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup” [“Google”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “OODefragTray” = “C:\WINDOWS\system32\oodtray.exe” [“O&O Software GmbH”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” “NSLauncher” = “C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll” [“Yahoo! 
Inc.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}(Default) = (no title provided) -> {HKLM…CLSID} = “AzEntretien Class” \InProcServer32(Default) = “C:\WINDOWS\azentretien.dll” [file not found] {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A}(Default) = “SWEETIE” -> {HKLM…CLSID} = “SWEETIE Class” \InProcServer32(Default) = “C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll” [“Macrogaming”] {502C3BA4-2C3E-4317-BC29-C0445E82B1F9}(Default) = (no title provided) -> {HKLM…CLSID} = “PaltalkWebLogin” \InProcServer32(Default) = “C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll” [“AVM Software Inc.”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {55825511-174A-4b4e-84B7-69AAC4E294B6}(Default) = (no title provided) -> {HKLM…CLSID} = “CI ToolHelper Class” \InProcServer32(Default) = “C:\Program Files\Compete Toolbar\CompeteToolbar.dll” [“Compete, Inc.”] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! IE Services Button” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Common\yiesrvc.dll” [“Yahoo! 
Inc.”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] {9030D464-4C02-4ABF-8ECC-5164760863C6}(Default) = (no title provided) -> {HKLM…CLSID} = “Windows Live Sign-in Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll” [MS] {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}(Default) = (no title provided) -> {HKLM…CLSID} = “TwcToolbarBhoApp Class” \InProcServer32(Default) = “C:\WINDOWS\system32\TwcToolbarBho.dll” [null data] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar4.dll” [“Google Inc.”] {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}(Default) = (no title provided) -> {HKLM…CLSID} = “Windows Live Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS] {F97DA966-F09D-4cab-BF29-75A0026986EA}(Default) = (no title provided) -> {HKLM…CLSID} = “XBTP02634 Class” \InProcServer32(Default) = “C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Display Panning CPL Extension” -> {HKLM…CLSID} = “Display Panning CPL Extension” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “HyperTerminal Icon Ext” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{5464D816-CF16-4784-B9F3-75C0DB52B499}” = “Yahoo! Mail” -> {HKLM…CLSID} = “YMailShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\Yahoo!\Common\ymmapi.dll” [“Yahoo! 
Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook File Icon Extension” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}” = “Messenger Sharing Folders” -> {HKLM…CLSID} = “My Sharing Folders” \InProcServer32(Default) = “C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll” [MS] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] “{AF663E5B-1791-412d-AAD5-8AD52F036B41}” = “ZJ_ShlExt extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\WinAVIVideoConverter\SimpleExt.dll” [“ZJMedia”] 
“{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}” = “CorelDRAW Shell Extension Component” -> {HKLM…CLSID} = “CorelDRAW Shell Extension Component” \InProcServer32(Default) = “C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll” [“Corel Corporation”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” = “TuneUp Shredder Shell Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL” [“Google”] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“OODBS” [“O&O Software GmbH”] 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Yahoo! Mail(Default) = “{5464D816-CF16-4784-B9F3-75C0DB52B499}” -> {HKLM…CLSID} = “YMailShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\Yahoo!\Common\ymmapi.dll” [“Yahoo! 
Inc.”] ZJ_ShlExt(Default) = “{AF663E5B-1791-412d-AAD5-8AD52F036B41}” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\WinAVIVideoConverter\SimpleExt.dll” [“ZJMedia”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- HKCU\Software\Classes\.bat(Default) = (value not set) HKCU\Software\Classes\.cmd(Default) = (value not set) HKCU\Software\Classes\.com(Default) = (value not set) HKCU\Software\Classes\.exe(Default) = “exefile” HKCU\Software\Classes\.hta(Default) = “htafile” Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoLogOff” = (REG_DWORD) hex:0x00000000 {Disable Logoff} “NoSMHelp” = (REG_BINARY) hex:01 00 00 00 {Remove Help menu from Start Menu} “NoRecentDocsMenu” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “ClearRecentDocsOnExit” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoRecentDocsHistory” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoRecentDocsNetHood” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoSMMyDocs” = (REG_BINARY) hex:01 00 00 00 {Remove Documents menu from Start Menu} “NoSMMyPictures” = (REG_BINARY) hex:01 00 00 00 {Remove My Pictures icon from Start Menu} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableLockWorkstation” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “DisableChangePassword” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Hemant Raiker\Local Settings\Application Data\Microsoft\Wallpaper1.bmp” Startup items in “Hemant Raiker” & “All Users” startup folders: --------------------------------------------------------------- C:\Documents and Settings\Hemant Raiker\Start 
Menu\Programs\Startup “Registration Brothers In Arms EiB” -> shortcut to: “C:\Program Files\Ubisoft\Gearbox Software\BrothersInArmsEiB\Support\Register\RegistrationReminder.exe -d 802964 -l english -r 7 -g Brothers In Arms EiB -c united -i ” [file not found] “Stardock ObjectDock” -> shortcut to: “C:\Program Files\Stardock\ObjectDock\ObjectDock.exe” [“Stardock”] C:\Documents and Settings\All Users\Start Menu\Programs\Startup “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] “AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task” [“Apple Computer, Inc.”] “Check Updates for Windows Live Toolbar” -> launches: “C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] 000000000005\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ 
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar4.dll” [“Google Inc.”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll” [“Yahoo! Inc.”] “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar4.dll” [“Google Inc.”] “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” -> {HKLM…CLSID} = “Windows Live Toolbar” \InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS] “{9B393B85-708D-4E61-9529-2FA61D4A4904}” -> {HKLM…CLSID} = “Compete Toolbar” \InProcServer32(Default) = “C:\Program Files\Compete Toolbar\CompeteToolbar.dll” [“Compete, Inc.”] “{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}” -> {HKLM…CLSID} = “SweetIM For Internet Explorer” \InProcServer32(Default) = “C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll” [“Macrogaming”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll” [“Yahoo! 
Inc.”] “{9B393B85-708D-4E61-9529-2FA61D4A4904}” = (no title provided) -> {HKLM…CLSID} = “Compete Toolbar” \InProcServer32(Default) = “C:\Program Files\Compete Toolbar\CompeteToolbar.dll” [“Compete, Inc.”] “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar4.dll” [“Google Inc.”] “{2E5E800E-6AC0-411E-940A-369530A35E43}” = (no title provided) -> {HKLM…CLSID} = “The Weather Channel Toolbar” \InProcServer32(Default) = “C:\WINDOWS\system32\TwcToolbarIe7.dll” [null data] “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” = (no title provided) -> {HKLM…CLSID} = “Windows Live Toolbar” \InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS] “{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}” = (no title provided) -> {HKLM…CLSID} = “SweetIM For Internet Explorer” \InProcServer32(Default) = “C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll” [“Macrogaming”] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}(Default) = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Messenger” \InProcServer32(Default) = “C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}(Default) = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Messenger” \InProcServer32(Default) = “C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll” [“Yahoo! 
Inc.”] HKLM\Software\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}(Default) = “The Weather Channel Toolbar” Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\WINDOWS\system32\TwcToolbarIe7.dll” [null data] HKLM\Software\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}(Default) = “The Weather Channel Toolbar” Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\WINDOWS\system32\TwcToolbarIe7.dll” [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] {2E5E800E-6AC0-411E-940A-369530A35E43}\ “ButtonText” = “The Weather Channel” “MenuText” = “The Weather Channel” {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ “ButtonText” = “Yahoo! Services” “CLSIDExtension” = “{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}” -> {HKLM…CLSID} = “Yahoo! IE Services Button” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Common\yiesrvc.dll” [“Yahoo! 
Inc.”] {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}\ {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll” [“Yahoo! Inc.”] <> “{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938}” = (no title provided) -> {HKLM…CLSID} = “SweetIM For Internet Explorer” \InProcServer32(Default) = “C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll” [“Macrogaming”] HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, ““C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe”” [“Avira GmbH”] AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ““C:\Program Files\AntiVir PersonalEdition Classic\sched.exe”” [“Avira GmbH”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} C-DillaSrv, C-DillaSrv, “C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE” [“C-Dilla Ltd”] Creative Service for CDROM Access, Creative Service for CDROM Access, “C:\WINDOWS\system32\CTsvcCDA.EXE” [“Creative Technology Ltd”] iPod Service, iPod Service, ““C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Computer, Inc.”] KService, KService, ““C:\Program Files\KService\KService.exe”” 
[“Kontiki Inc.”] MSSQL$SONY_MEDIAMGR, MSSQL$SONY_MEDIAMGR, “C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] O&O Defrag, O&O Defrag, “C:\WINDOWS\system32\oodag.exe” [“O&O Software GmbH”] ServiceLayer, ServiceLayer, ““C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe”” [“Nokia.”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] STI Simulator, STI Simulator, “C:\WINDOWS\System32\PAStiSvc.exe” [null data] Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”] TuneUp Theme Extension, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ 730 Series Port\Driver = “lxcflmpm.DLL” [“ ”] ---------- (launch time: 2007-10-06 20:35:59) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 235 seconds, including 7 seconds for message boxes)