"Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS] "ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS] "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."] "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS] "googletalk" = "C:\Users\Jordan\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart" ["Google"] "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS] "Aim6" = ""C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" ["AOL LLC"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide" "High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"] "IPHSend" = "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" ["America Online, Inc."] "SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."] "PWRISOVM.EXE" = "F:\Programs\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."] "GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."] "IgfxTray" = "C:\Windows\system32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\Windows\system32\hkcmd.exe" ["Intel Corporation"] "Persistence" = "C:\Windows\system32\igfxpers.exe" ["Intel Corporation"] "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "osCheck" = ""C:\Program Files\Norton 360\osCheck.exe"" ["Symantec Corporation"] "AppleSyncNotifier" = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string] {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = "NCO 2.0 IE BHO" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll" ["Symantec Corporation"] {6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = "Symantec Intrusion Prevention" -> {HKLM...CLSID} = "Symantec Intrusion Prevention" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll" ["Symantec Corporation"] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided) -> {HKLM...CLSID} = "Groove GFS Browser Helper" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."] {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher" -> {HKLM...CLSID} = "AOL Toolbar Launcher" \InProcServer32\(Default) = "C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll" ["AOL LLC"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS] "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "F:\Programs\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\winrar\rarext.dll" [null data] "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper" -> {HKLM...CLSID} = "Groove GFS Browser Helper" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar" -> {HKLM...CLSID} = "Groove Folder Synchronization" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler" -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook" -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler" -> {HKLM...CLSID} = "Groove XML Icon Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Copy Hook" -> {HKLM...CLSID} = "SmartFTP Copy Hook" \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\SmartHook.dll" ["SmartSoft Ltd."] "{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace" -> {HKLM...CLSID} = "FavoritesShellFolder Class" \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFavorites.dll" ["SmartSoft Ltd."] "{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP 8 Professional Shell Extension" -> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension" \InProcServer32\(Default) = "C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "My Sharing Folders" \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS] "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] "{1E15FD41-28D0-4AE0-902F-292FA537F6D5}" = "Add to AnyCount" -> {HKLM...CLSID} = "Add to AnyCount" \InProcServer32\(Default) = "C:\PROGRA~1\ANYCOU~1.0\ACMenu.dll" ["Advanced International Translations"] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] "{A40526DD-F152-4C1D-844C-CE668D29B77E}" = "Shell extension for NTP" -> {HKLM...CLSID} = "TPContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\tpShell.dll" ["Symantec Corporation"] "{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}" = "Shell extension for Norton backup" -> {HKLM...CLSID} = "BUContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll" ["Symantec Corporation"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ <> "{E31004D1-A431-41B8-826F-E902F9D95C81}" = "Windows DreamScene" -> {HKLM...CLSID} = "Windows DreamScene" \InProcServer32\(Default) = "C:\Windows\System32\DreamScene.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook" -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] AnyCountMenu\(Default) = "{1E15FD41-28D0-4AE0-902F-292FA537F6D5}" -> {HKLM...CLSID} = "Add to AnyCount" \InProcServer32\(Default) = "C:\PROGRA~1\ANYCOU~1.0\ACMenu.dll" ["Advanced International Translations"] BUContextMenu\(Default) = "{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}" -> {HKLM...CLSID} = "BUContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll" ["Symantec Corporation"] CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}" -> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension" \InProcServer32\(Default) = "C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."] MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "F:\Programs\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] TPContextMenu\(Default) = "{A40526DD-F152-4C1D-844C-CE668D29B77E}" -> {HKLM...CLSID} = "TPContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\tpShell.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\winrar\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] CuteFTP 8 Professional\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}" -> {HKLM...CLSID} = "CuteFTP 8 Professional Shell Extension" \InProcServer32\(Default) = "C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll" ["GlobalSCAPE Texas, LP."] MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "F:\Programs\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\winrar\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ BUContextMenu\(Default) = "{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}" -> {HKLM...CLSID} = "BUContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll" ["Symantec Corporation"] MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}" -> {HKLM...CLSID} = "MShellExtMenu Class" \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."] MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "F:\Programs\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] TPContextMenu\(Default) = "{A40526DD-F152-4C1D-844C-CE668D29B77E}" -> {HKLM...CLSID} = "TPContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\tpShell.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\winrar\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] Default executables: -------------------- HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile" <> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKCU\Software\Policies\Microsoft\Windows\System\ "DisableCMD" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to the command prompt} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Windows\Web\Wallpaper\img18.jpg" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ BridgeCS3ImportMediaOnArrival\ "Provider" = "Adobe Bridge CS3" "InvokeProgID" = "Adobe.adobebridge" "InvokeVerb" = "launch" HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "F:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."] DVDDecrypterPlayDVDMovieOnArrival\ "Provider" = "DVD Decrypter" "InvokeProgID" = "DVDDecrypter" "InvokeVerb" = "PlayDVDMovieOnArrival_Decrypt" HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = ""C:\Program Files\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1"" ["LIGHTNING UK!"] ExpressBurnCDBurningOnArrival\ "Provider" = "Express Burn" "InvokeProgID" = "expressburn.AutoPlay" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\expressburn.AutoPlay\shell\open\command\(Default) = "C:\Program Files\NCH Swift Sound\ExpressBurn\burn.exe" [null data] ImgBurnCDBurningOnArrival_BuildImage\ "Provider" = "ImgBurn" "InvokeProgID" = "ImgBurn.AutoPlay.1" "InvokeVerb" = "HandleCDBurningOnArrival_BuildImage" HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"] ImgBurnCDBurningOnArrival_BurnImage\ "Provider" = "ImgBurn" "InvokeProgID" = "ImgBurn.AutoPlay.1" "InvokeVerb" = "HandleCDBurningOnArrival_BurnImage" HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"] ImgBurnDVDBurningOnArrival_BuildImage\ "Provider" = "ImgBurn" "InvokeProgID" = "ImgBurn.AutoPlay.1" "InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage" HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"] ImgBurnDVDBurningOnArrival_BurnImage\ "Provider" = "ImgBurn" "InvokeProgID" = "ImgBurn.AutoPlay.1" "InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage" HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"] iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."] DESKTOP.INI DLL launch in local fixed drive directories: -------------------------------------------------------- C:\Windows\Tasks\DESKTOP.INI -- cannot be opened! Startup items in "Jordan" & "All Users" startup folders: -------------------------------------------------------- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup "hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."] "hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"] "VPN Client" -> shortcut to: "C:\Windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico -user_logon" [null data] "WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, S.L."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000007\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 26 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] "{DE9C389F-3316-41A7-809B-AA305ED9D922}" -> {HKLM...CLSID} = "AIM Toolbar" \InProcServer32\(Default) = "C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll" ["AOL LLC"] "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" -> {HKLM...CLSID} = "Show Norton Toolbar" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll" ["Symantec Corporation"] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] "{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar" -> {HKLM...CLSID} = "AIM Toolbar" \InProcServer32\(Default) = "C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll" ["AOL LLC"] "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "NCO Toolbar 2.0" -> {HKLM...CLSID} = "Show Norton Toolbar" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll" ["Symantec Corporation"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "Send to OneNote" "MenuText" = "S&end to OneNote" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS] {3369AF0D-62E9-4BDA-8103-B4C75499B578}\ "ButtonText" = "AIM Toolbar" "CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}" -> {HKLM...CLSID} = "AIM Toolbar" \InProcServer32\(Default) = "C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll" ["AOL LLC"] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."] {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ "ButtonText" = "PartyPoker.com" "MenuText" = "PartyPoker.com" {F47C1DB5-ED21-4DC1-853E-D1495792D4C5}\ "ButtonText" = "Bodog Poker" Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AIM Search" -> {HKLM...CLSID} = "AOLTBSearch Class" \InProcServer32\(Default) = "C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll" ["AOL LLC"] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"] Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."] Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe"" ["Symantec Corporation"] Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."] Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."] CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS] Computer Browser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]} Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]} Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]} iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."] Juniper Network Connect Service, dsNcService, "C:\Program Files\Juniper Networks\Common Files\dsNcService.exe" ["Juniper Networks"] LiveUpdate Notice, LiveUpdate Notice, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\MSN Messenger\usnsvc.exe"" [MS] SL UI Notification Service, SLUINotify, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\SLUINotify.dll" [MS]} Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"] Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]} Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]} Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS] WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ LIDIL hpzlllhn\Driver = "hpzlllhn.dll" ["Hewlett-Packard Company"] Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] ---------- (launch time: 2008-07-22 21:07:53) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 166 seconds. ---------- (total run time: 234 seconds)