"Silent Runners.vbs", revision 69, http://www.silentrunners.org/
Operating System: Microsoft Windows 7 Professional Service Pack 1 (32-bit)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
swg = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [Google Inc.]
ISUSPM = C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [Acresso Corporation]
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [InstallShield Software Corporation]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
TrueImageMonitor.exe = "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [Acronis]
SunJavaUpdateSched = "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [Sun Microsystems, Inc.]
SAOB Monitor = C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [Acronis]
Samsung PanelMgr = C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun [empty string]
RtHDVCpl = C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [Realtek Semiconductor]
RegTool = C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe [null data]
PPort12reminder = "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini" [Nuance Communications, Inc.]
PDFHook = C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe [Nuance Communications, Inc.]
PDF5 Registry Controller = C:\Program Files\Nuance\PDF Viewer Plus\RegistryController.exe [Nuance Communications, Inc.]
PaperPort PTD = "C:\Program Files\Nuance\PaperPort\pptd40nt.exe" [Nuance Communications, Inc.]
MSC = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [MS]
LogMeIn GUI = "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [LogMeIn, Inc.]
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [InstallShield Software Corporation]
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [InstallShield Software Corporation]
IndexSearch = "C:\Program Files\Nuance\PaperPort\IndexSearch.exe" [Nuance Communications, Inc.]
IAStorIcon = C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [null data]
ControlCenter4 = C:\Program Files\ControlCenter4\BrCcBoot.exe /autorun [Brother Industries, Ltd.]
BrStsMon00 = C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN [Brother Industries, Ltd.]
BCU = "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe" [DeviceVM, Inc.]
Adobe ARM = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [Adobe Systems Incorporated]
Acronis Scheduler2 Service = "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [Acronis]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = AcroIEHelperStub
  -> {HKLM…CLSID} = Adobe PDF Link Helper
     \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe Systems Incorporated]
{551A852F-39A6-44A7-9C13-AFBEC9185A9D}\(Default) = (no title provided)
  -> {HKLM…CLSID} = PlusIEEventHelper Class
     \InProcServer32\(Default) = C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [Zeon Corporation]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM…CLSID} = Java(tm) Plug-In SSV Helper
     \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\ssv.dll [Oracle Corporation]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM…CLSID} = Google Toolbar Helper
     \InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM…CLSID} = Java(tm) Plug-In 2 SSV Helper
     \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\jp2ssv.dll [Oracle Corporation]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
{A70C977A-BF00-412C-90B7-034C51DA2439} = NvCpl DesktopContext Class
  -> {HKLM…CLSID} = DesktopContext Class
     \InProcServer32\(Default) = C:\Program Files\NVIDIA Corporation\Display\nvui.dll [NVIDIA Corporation]
{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} = NVIDIA Play On My TV Context Menu Extension
  -> {HKLM…CLSID} = NVIDIA CPL Context Menu Extension
     \InProcServer32\(Default) = C:\Windows\system32\nvshext.dll [NVIDIA Corporation]
{00020D75-0000-0000-C000-000000000046} = Microsoft Office Outlook Desktop Icon Handler
  -> {HKLM…CLSID} = Microsoft Office Outlook
     \InProcServer32\(Default) = C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL [MS]
{0006F045-0000-0000-C000-000000000046} = Microsoft Office Outlook Custom Icon Handler
  -> {HKLM…CLSID} = Outlook File Icon Extension
     \InProcServer32\(Default) = C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL [MS]
{42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32\(Default) = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll [MS]
{C3DFC144-30F8-4138-81F9-578DBEB9324A} = AxCrypt File Encryption
  -> {HKLM…CLSID} = axcrypt.File
     \InProcServer32\(Default) = C:\Program Files\Axantum\AxCrypt\AxCryptShellExt.dll [Axantum Software AB]
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler
  -> {HKLM…CLSID} = Microsoft Office Metadata Handler
     \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler
  -> {HKLM…CLSID} = Microsoft Office Thumbnail Handler
     \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
{C539A15A-3AF9-4c92-B771-50CB78F5C751} = Acronis True Image Shell Context Menu Extension
  -> {HKLM…CLSID} = Acronis True Image Shell Context Menu Extension
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\tishell.dll [Acronis]
{C539A15B-3AF9-4c92-B771-50CB78F5C751} = Acronis True Image Shell Extension
  -> {HKLM…CLSID} = Acronis Secure Zone
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\tishell.dll [Acronis]
{09A47860-11B0-4DA5-AFA5-26D86198A780} = EPP
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32\(Default) = c:\PROGRA~1\Microsoft Security Client\shellext.dll [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
{65CD7F9B-E8F3-4bb0-82EB-6F6875B745DF}\(Default) = LogMeInCredProv
  -> {HKLM…CLSID} = LogMeInCredProv
     \InProcServer32\(Default) = LMIinit.dll [LogMeIn, Inc.]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = {807553E5-5146-11D5-A672-00B0D022E945}
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<> ms-itss\CLSID = {0A9007C0-4076-11D3-8789-0000F8105754}
  -> {HKLM…CLSID} = Microsoft Infotech Storage Protocol for IE 4.0
     \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [MS]
<> mso-offdap\CLSID = {3D9F03FA-7A94-11D3-BE81-0050048385D1}
  -> {HKLM…CLSID} = Data Page Pluggable Protocol mso-offdap Handler
     \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL [MS]
<> mso-offdap11\CLSID = {32505114-5902-49B2-880A-1F7738E5A384}
  -> {HKLM…CLSID} = Data Page Plugable Protocal mso-offdap11 Handler
     \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
axcrypt.File\(Default) = {C3DFC144-30F8-4138-81F9-578DBEB9324A}
  -> {HKLM…CLSID} = axcrypt.File
     \InProcServer32\(Default) = C:\Program Files\Axantum\AxCrypt\AxCryptShellExt.dll [Axantum Software AB]
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32\(Default) = c:\PROGRA~1\Microsoft Security Client\shellext.dll [MS]
VersionsPageShellExt\(Default) = {9E42900A-85F9-4E67-9778-575FBBA0A81C}
  -> {HKLM…CLSID} = VersionsPageShellExt Class
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\versions_page.dll [Acronis]
{C539A15A-3AF9-4c92-B771-50CB78F5C751}\(Default) = (no title provided)
  -> {HKLM…CLSID} = Acronis True Image Shell Context Menu Extension
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\tishell.dll [Acronis]

HKLM\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\
{9E42900A-85F9-4E67-9778-575FBBA0A81C}\(Default) = (no title provided)
  -> {HKLM…CLSID} = VersionsPageShellExt Class
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\versions_page.dll [Acronis]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
  -> {HKLM…CLSID} = MBAMShlExt Class
     \InProcServer32\(Default) = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32\(Default) = c:\PROGRA~1\Microsoft Security Client\shellext.dll [MS]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
NvCplDesktopContext\(Default) = {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}
  -> {HKLM…CLSID} = NVIDIA CPL Context Menu Extension
     \InProcServer32\(Default) = C:\Windows\system32\nvshext.dll [NVIDIA Corporation]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info
  -> {HKLM…CLSID} = PDF Shell Extension
     \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
axcrypt.File\(Default) = {C3DFC144-30F8-4138-81F9-578DBEB9324A}
  -> {HKLM…CLSID} = axcrypt.File
     \InProcServer32\(Default) = C:\Program Files\Axantum\AxCrypt\AxCryptShellExt.dll [Axantum Software AB]
MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
  -> {HKLM…CLSID} = MBAMShlExt Class
     \InProcServer32\(Default) = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll [Malwarebytes Corporation]
VersionsPageShellExt\(Default) = {9E42900A-85F9-4E67-9778-575FBBA0A81C}
  -> {HKLM…CLSID} = VersionsPageShellExt Class
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\versions_page.dll [Acronis]
{C539A15A-3AF9-4c92-B771-50CB78F5C751}\(Default) = (no title provided)
  -> {HKLM…CLSID} = Acronis True Image Shell Context Menu Extension
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\tishell.dll [Acronis]

HKLM\SOFTWARE\Classes\Folder\shellex\PropertySheetHandlers\
{9E42900A-85F9-4E67-9778-575FBBA0A81C}\(Default) = (no title provided)
  -> {HKLM…CLSID} = VersionsPageShellExt Class
     \InProcServer32\(Default) = C:\Program Files\Acronis\TrueImageHome\versions_page.dll [Acronis]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
NoChangingWallpaper = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Control Panel|Display|
Disable changing wallpaper}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoLowDiskSpaceChecks = (REG_DWORD) dword:0x00000000
{unrecognized setting}
NoInstrumentation = (REG_SZ) 1
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
DisableTaskMgr = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
ConsentPromptBehaviorAdmin = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
EnableLUA = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
PromptOnSecureDesktop = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}
EnableLinkedConnections = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\JBW\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

PaperPort11AutoPlay\
Provider = PaperPort 12
InvokeProgID = PaperPort.AutoplayHandler
InvokeVerb = open
HKLM\SOFTWARE\Classes\PaperPort.AutoplayHandler\shell\open\command\(Default) = C:\Program Files\Nuance\PaperPort\PaprPort.exe /folder %L [Nuance Communications, Inc.]

WIA_{18D2DC36-AFA6-4EC5-B507-B26E7051D5E1}\
Provider = Microsoft Office Document Scanning
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPSCAN.EXE;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

WIA_{3A35D608-B860-44BC-BE53-D9F5D8BB48E1}\
Provider = Microsoft Office Document Scanning
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPSCAN.EXE;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

WIA_{47335CCE-0C4E-4085-AAD0-75A77768C91D}\
Provider = PaperPort
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Nuance\PaperPort\PaprPort.exe /StillImage /StiDevice:%1 /StiEvent:%2;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

WIA_{5E967A62-A2C0-4C1E-9B3A-718B241C6B29}\
Provider = ControlCenter4
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\ControlCenter4\BrCcBoot.exe /StiDevice:%1 /StiEvent:%2;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

WIA_{654D30F9-8407-45B3-8EB0-3F96D85E1DA6}\
Provider = Microsoft Office Document Scanning
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPSCAN.EXE;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

WIA_{B9A5D695-0B59-4E8E-A716-A48F5A027BC1}\
Provider = Microsoft Office Document Scanning
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPSCAN.EXE;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]

WIA_{E1A1B4AC-3596-47B6-AEE6-A288CC986BAF}\
Provider = Microsoft Office Document Scanning
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPSCAN.EXE;
  -> {HKLM…CLSID} = WPDShextAutoplay
     \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]


Startup items in "JBW" & "All Users" startup folders:
-----------------------------------------------------

C:\Users\JBW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup {++}
<> Relcon Auto Copy.exe [Relcon]


Non-disabled Scheduled Tasks: {++}
-----------------------------

C:\Windows\System32\Tasks
CreateChoiceProcessTask -> launches: C:\Windows\System32\browserchoice.exe /launch [MS]
GoogleUpdateTaskMachineCore -> launches: C:\Program Files\Google\Update\GoogleUpdate.exe /c [Google Inc.]
GoogleUpdateTaskMachineUA -> launches: C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler [Google Inc.]
SidebarExecute -> launches: C:\Program Files\Windows Sidebar\sidebar.exe /addGadget [MS]
TdQVDMu -> (HIDDEN!) launches: C:\Windows\system32\TdQVDMu.exe [file not found]
User_Feed_Synchronization-{9C489543-74E6-46C3-9471-93E17D7D32CD} -> (HIDDEN!) launches: C:\Windows\system32\msfeedssync.exe sync [MS]
{D186CD76-AEA0-49DD-B1D3-321432CDE1A2} -> launches: C:\Windows\system32\pcalua.exe -a D:\Install.exe -d D:\ [MS]

C:\Windows\System32\Tasks\Microsoft\Microsoft Antimalware
Microsoft Antimalware Scheduled Scan -> launches: c:\Program Files\Microsoft Security Client\MpCmdRun.exe Scan -ScheduleJob -RestrictPrivileges [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
AD RMS Rights Policy Template Management (Manual) -> launches: {BF5CB148-7C77-4d8a-A53E-D81C70CF743C}
  -> {HKLM…CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
     \InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
AitAgent -> launches: aitagent [MS]
ProgramDataUpdater -> launches: %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
Proxy -> launches: %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
UninstallDeviceTask -> launches: BthUdTask.exe $(Arg0) [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
SystemTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
  -> {HKLM…CLSID} = Certificate Services Client Task Handler
     \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
UserTask -> launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
  -> {HKLM…CLSID} = Certificate Services Client Task Handler
     \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
Consolidator -> launches: %SystemRoot%\System32\wsqmcons.exe [MS]
KernelCeipTask -> (HIDDEN!) launches: {e7ed314f-2816-4c26-aeb5-54a34d02404c}
  -> {HKLM…CLSID} = KernelCeipCustomHandler
     \InProcServer32\(Default) = C:\Windows\System32\kernelceip.dll [MS]
UsbCeip -> (HIDDEN!) launches: {c27f6b1d-fe0b-45e4-9257-38799fa69bc8}
  -> {HKLM…CLSID} = UsbCeip
     \InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
ScheduledDefrag -> launches: %windir%\system32\defrag.exe -c [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
Scheduled -> (HIDDEN!) launches: {c1f85ef8-bcc2-4606-bb39-70c523715eb3}
  -> {HKLM…CLSID} = ScheduledDiagnosticCustomHandler
     \InProcServer32\(Default) = C:\Windows\System32\sdiagschd.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Location
Notifications -> launches: %windir%\System32\LocationNotifications.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
WinSAT -> launches: {A9A33436-678B-4C9C-A211-7CC38785E79D}
  -> {HKLM…CLSID} = WinSAT Task Manger Task
     \InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
ActivateWindowsSearch -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch [MS]
ConfigureInternetTimeService -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService [MS]
DispatchRecoveryTasks -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) [MS]
ehDRMInit -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DRMInit [MS]
InstallPlayReady -> launches: %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) [MS]
mcupdate -> launches: %SystemRoot%\ehome\mcupdate $(Arg0) [MS]
MediaCenterRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask [MS]
ObjectStoreRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask [MS]
OCURActivate -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate [MS]
OCURDiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) [MS]
PBDADiscovery -> launches: %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery [MS]
PBDADiscoveryW1 -> launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery [MS]
PBDADiscoveryW2 -> launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery [MS]
PvrRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask [MS]
PvrScheduleTask -> launches: %SystemRoot%\ehome\mcupdate.exe -PvrSchedule [MS]
RegisterSearch -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) [MS]
ReindexSearchRoot -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot [MS]
SqlLiteRecoveryTask -> launches: %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask [MS]
StartRecording -> launches: %SystemRoot%\ehome\ehrec /StartRecording [MS]
UpdateRecordPath -> launches: %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
CorruptionDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
  -> {HKLM…CLSID} = MemoryDiagnosticCustomHandler
     \InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]
DecompressionFailureDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
  -> {HKLM…CLSID} = MemoryDiagnosticCustomHandler
     \InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
HotStart -> launches: {06DA0625-9701-43da-BFD7-FBEEA2180A1E}
  -> {HKLM…CLSID} = HotStart User Agent
     \InProcServer32\(Default) = C:\Windows\System32\HotStartUserAgent.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
LPRemove -> launches: %windir%\system32\lpremove.exe [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
SystemSoundsService -> launches: {2DEA658F-54C1-4227-AF9B-260AB5FC3543}
  -> {HKLM…CLSID} = Microsoft PlaySoundService Class
     \InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
GatherNetworkInfo -> launches: %windir%\system32\gatherNetworkInfo.vbs [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
AnalyzeSystem -> launches: %SystemRoot%\System32\powercfg.exe -energy -auto [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
RacTask -> (HIDDEN!) launches: {42060D27-CA53-41f5-96E4-B1E8169308A6}
  -> {HKLM…CLSID} = ReliabilityAnalysisCustomHandler
     \InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Ras
MobilityManager -> launches: {c463a0fc-794f-4fdf-9201-01938ceacafa}
  -> {HKLM…CLSID} = RasMobilityManager
     \InProcServer32\(Default) = C:\Windows\system32\rasmbmgr.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Registry
RegIdleBackup -> (HIDDEN!) launches: {ca767aa8-9157-4604-b64b-40747123d5f2}
  -> {HKLM…CLSID} = RegistryIdleBackupHandler
     \InProcServer32\(Default) = C:\Windows\System32\regidle.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
RemoteAssistanceTask -> (HIDDEN!) launches: %windir%\system32\RAServer.exe /offerraupdate [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
GadgetManager -> launches: {FF87090D-4A9A-4f47-879B-29A80C355D61}
  -> {HKLM…CLSID} = GadgetsManager Class
     \InProcServer32\(Default) = C:\Windows\System32\AuxiliaryDisplayServices.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
SR -> launches: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
Interactive -> (HIDDEN!) launches: {855fec53-d2e4-4999-9e87-3414e9cf0ff4}
  -> {HKLM…CLSID} = RunTask
     \InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
IpAddressConflict1 -> launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem [MS]
IpAddressConflict2 -> launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
MsCtfMonitor -> (HIDDEN!) launches: {01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}
  -> {HKLM…CLSID} = MsCtfMonitor task handler
     \InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
SynchronizeTime -> launches: %windir%\system32\sc.exe start w32time task_started [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
UPnPHostConfig -> launches: sc.exe config upnphost start= auto [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
ResolutionHost -> (HIDDEN!) launches: {900be39d-6be8-461a-bc4d-b0fa71f5ecb1}
  -> {HKLM…CLSID} = DiagnosticInfrastructureCustomHandler
     \InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Activation Technologies
ValidationTask -> (HIDDEN!) launches: %SystemRoot%\system32\Wat\WatAdminSvc.exe /run [MS]
ValidationTaskDeadline -> (HIDDEN!) launches: %SystemRoot%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
QueueReporting -> launches: %windir%\system32\wermgr.exe -queuereporting [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
BfeOnServiceStartTypeChange -> (HIDDEN!) launches: %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
UpdateLibrary -> launches: "%ProgramFiles%\Windows Media Player\wmpnscfg.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
ConfigNotification -> launches: %systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wininet
CacheTask -> launches: {0358b920-0ac7-461f-98f4-58e32cd89148}
  -> {HKLM…CLSID} = Wininet Cache task object
     \InProcServer32\(Default) = C:\Windows\system32\wininet.dll [MS]

C:\Windows\System32\Tasks\WPD
SqmUpload_S-1-5-21-1566624508-482922642-3542228847-1000 -> (HIDDEN!) launches: %windir%\system32\rundll32.exe portabledeviceapi.dll,#1 [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 26


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
  -> {HKLM…CLSID} = Google Toolbar
     \InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = (no title provided)
  -> {HKLM…CLSID} = Google Toolbar
     \InProcServer32\(Default) = C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]

Explorer Bars

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = &Research
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
ButtonText = Research
BandCLSID = {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
  -> {HKLM…CLSID} = &Research
     \InProcServer32\(Default) = C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AcfXAudioService, AcfXAudioService, C:\Windows\system32\svchost.exe -k AcfXAudioService {C:\Windows\system32\ACFXAU32.dll [Conexant Systems, Inc.]}
Acronis Nonstop Backup Service, afcdpsrv, C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [Acronis]
Acronis Scheduler2 Service, AcrSch2Svc, "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [Acronis]
Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
AFD Registration Service, afdReg, C:\Postcode\AFDService.exe [AFD Computers]
Browser Configuration Utility Service, BCUService, C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe [DeviceVM, Inc.]
BrYNSvc, BrYNSvc, "C:\Program Files\Browny02\BrYNSvc.exe" [Brother Industries, Ltd.]
GSL Share Memory, GslShmSrvc, "C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe" [Gemalto]
Intel(R) Rapid Storage Technology, IAStorDataMgrSvc, "C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe" [null data]
LMIGuardianSvc, LMIGuardianSvc, "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [LogMeIn, Inc.]
LogMeIn, LogMeIn, "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [LogMeIn, Inc.]
LogMeIn Maintenance Service, LMIMaint, "C:\Program Files\LogMeIn\x86\RaMaint.exe" [LogMeIn, Inc.]
Machine Debug Manager, MDM, "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [MS]
Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]
Microsoft Network Inspection, NisSrv, "c:\Program Files\Microsoft Security Client\NisSrv.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\Windows\system32\nvvsvc.exe" [NVIDIA Corporation]
NVIDIA Stereoscopic 3D Driver Service, Stereo Service, "C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe" [NVIDIA Corporation]
NVIDIA Update Service Daemon, nvUpdatusService, "C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe" [NVIDIA Corporation]
OCP Client Service, OCPService, c:\programs\focus\ocp\OCPClient.EXE /startedbyscm:CA72C453-40E33A77-OCPService [Ocuco Ltd.]
OCP Daemon, OCPDaemon, C:\Reltem\OCPDaemon.exe /startedbyscm:46CF1CAA-40E35917-SvComOCPDaemon [Ocuco Ltd.]
PDFProFiltSrvPP, PDFProFiltSrvPP, C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [Nuance Communications, Inc.]
Sage AutoUpdate Manager Service, Sage AutoUpdate Manager Service, "C:\Program Files\Common Files\Sage\Central\AutoUpdateClient\Sage.Central.AutoUpdateManager.Service.exe" [null data]


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
<> hitmanpro36,
<> hitmanpro36.sys,
<> HitmanPro36Crusader,
<> HitmanPro36CrusaderBoot,
<> MsMpSvc, Service

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\
<> hitmanpro36,
<> hitmanpro36.sys,
<> HitmanPro36Crusader,
<> HitmanPro36CrusaderBoot,
<> MsMpSvc, Service


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor iP4700 series\Driver = CNMLMA1.DLL [CANON INC.]
LogMeIn Printer Port Monitor\Driver = LMIport.dll [LogMeIn, Inc.]
Microsoft Document Imaging Writer Monitor\Driver = mdimon.dll [MS]
spd__ Langmon\Driver = spd__l.dll [empty string]
SST3C Langmon\Driver = sst3cl3.dll [empty string]


----------
(launch time: 2013-04-19 08:18:38)
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
----------
(total run time: 61 seconds, including 9 seconds for message boxes)