Here it is, Sam:
(thanks again for looking)
"Silent Runners.vbs", revision 39,
http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"a-squared" = ""C:\Program Files\a2\a2guard.exe"" [null data]
"internat.exe" = "internat.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TrackPointSrv" = "tp4serv.exe" ["IBM Corporation"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AEIWLSTA.EXE" = "AEIWLSTA.EXE" ["Actiontec Electronics, Inc"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"XircWinModem4" = "ltcm000c.exe 9" ["LUCENT TECHNOLOGIES"]
"WinVNC" = ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper" ["RealVNC Ltd."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" [file not found]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"(Default)" = (empty string)
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"QuickPassword" = "C:\Program Files\RBA Direkt\\agquickp.exe" ["ActivCard S.A."]
"AcceleNet Client Application" = "C:\Program Files\VIP.fastnet\AcceleNetClient.exe -startup" ["Intelligent Compression Technologies (ICT)"]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."]
"FLKPT" = "lpt.exe" [file not found]
"HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust\InoculateIT\InoShell.dll" [file not found]
"{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}" = "OfficeScan NT"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{fc181130-05a0-11d6-8140-000102e745a6}" = "My P910i"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a* Context Menu Shell Extension" (unwriteable string)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\a2\A2CONT~1.DLL" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csziq.exe" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! ScCertProp\DLLName = "wlnotify.dll" [MS]
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\
WARNING! Either "\\poslovno.local\SysVol\poslovno.local\Policies\{239D5A20-7C23-412C-86D1-E0C556262F1E}\Machine\Scripts\scripts.ini"
doesn't exist or there is insufficient permission to read it!
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust\InoculateIT\InoShell.dll" [file not found]
OfficeScan NT\(Default) = "{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust\InoculateIT\InoShell.dll" [file not found]
OfficeScan NT\(Default) = "{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\a2\A2CONT~1.DLL" [null data]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\logon.scr" [MS]
Startup items in "martink" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\martink\Start Menu\Programs\Startup
"Vodafone Mobile Connect Card" -> shortcut to: "C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe" ["Vodafone"]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"802.11g WLAN Adapter Utility" -> shortcut to: "C:\Program Files\DrayTek\Vigor560\WLAN_manager.exe" ["DrayTek"]
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Cisco Systems VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]
"EPSON SMART PANEL for Scanner" -> shortcut to: "C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe /h" ["NewSoft"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Phone Connection Monitor" -> shortcut to: "C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe" ["Teleca Software Solutions AB"]
"SiWake" -> shortcut to: "C:\Program Files\Wireless LAN Utility\SiWake.exe" [empty string]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\VIP.fastnet\ICTLOAD.DLL ["Intelligent Compression Technologies (ICT)"], 01 - 03, 10
%SystemRoot%\system32\msafd.dll [MS], 04 - 07, 11 - 56
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\ = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]
HOSTS file
----------
C:\WINNT\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ActivCard Gold service, Accoca, "C:\Program Files\RBA Direkt\\ACCOCA.EXE" ["ActivCard"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
IBM PM Service, IBMPMSVC, "C:\WINNT\System32\ibmpmsvc.exe" [null data]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" ["Trend Micro Inc."]
OfficeScanNT Personal Firewall, OfcPfwSvc, "C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe" ["Trend Micro Inc."]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
TrcBoot, TrcBoot, "C:\WINNT\System32\drivers\trcboot.exe" [null data]
VNC Server, winvnc, ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service" ["RealVNC Ltd."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 53 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 4 seconds.
---------- (total run time: 83 seconds)