"Silent Runners.vbs", revision 58,
http://www.silentrunners.org/Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SUPERAntiSpyware" = "C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE" ["SUPERAntiSpyware.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"Zone Labs Client" = "C:\Program Files\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"BitDefender Live Service" = ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe"" ["SOFTWIN S.R.L."]
"BitDefender Virus Shield" = ""C:\Program Files\BitDefender10\vsserv.exe"" ["SOFTWIN S.R.L."]
"BDMCon" = ""C:\Program Files\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"BitDefender Scan Server" = "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" [null data]
"BitDefender Communicator" = "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" ["SOFTWIN S.R.L"]
"BitDefender Live! Init" = ""C:\Program Files\BitDefender10\bdinit.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS]
PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_Sysmon_Inis\(Default) = "Windows Setup - System Monitor"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_Sysmeter_Inis\(Default) = "Windows Setup - System Meter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_netwatch_Inis\(Default) = "Windows Setup - Netwatch"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Web Publishing Wizard 1.6"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserRemove" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX" ["("]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL" ["PC Tools"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Site Guard"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL" ["PC Tools"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVCPL.DLL" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\SUPERANTISPYWARE\SASSEH.DLL" ["SuperAdBlocker.com"]
System Policies {policy setting}:
---------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"CDRAutoRun" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by System Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\background.bmp"
Displayed if Active Desktop disabled and wallpaper not set by System Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\background.bmp"
WIN.INI & SYSTEM.INI launch points:
-----------------------------------
SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\SCROLL~1.SCR" (Scrolling Marquee.scr) [MS]
Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Start Menu\Programs\StartUp
"DK Notes" -> shortcut to: "C:\Program Files\DKZNOTE\dkznote.exe" [" "]
Enabled Scheduled Tasks:
------------------------
"Video Reminder" -> launches: "C:\WINDOWS\TUNEUP.EXE /COOL" [MS]
"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="
http://www.microsoft...5.5&ar=msnhome"[Strings]: MS_START_PAGE_URL="
http://www.microsoft...5.5&ar=msnhome"Missing lines (compared with English-language version):
[Strings]: 2 lines
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
SYSFMON\Driver = "SYSFMON.DLL" ["Smart Technology Enablers Inc."]
BJ Language Monitor (US)\Driver = "CJPLM.DLL" ["CANON INC."]
PDF Port\Driver = "C:\WINDOWS\SYSTEM\pdfports.dll" ["Adobe Systems Incorporated."]
PostScript Language Monitor\Driver = "C:\WINDOWS\SYSTEM\PSMON.DLL" [MS]
---------- (launch time: 2008-06-15 23:54:29)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 3 seconds.
---------- (total run time: 41 seconds)