"Silent Runners.vbs", revision 60, http://www.silentrunners.org/ Operating System: Windows XP SP3 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"] HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer" \StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub" -> {HKLM...CLSID} = "Adobe PDF Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"] {201f27d4-3704-41d6-89c1-aa35e39143ed}\(Default) = "AskBar BHO" -> {HKLM...CLSID} = "AskBar BHO" \InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll" ["Google Inc."] {b0cda128-b425-4eef-a174-61a11ac5dbf8}\(Default) = "AIM Toolbar Loader" -> {HKLM...CLSID} = "AIM Toolbar Loader" \InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ {4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension" -> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"] "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] ""%SYSTEMROOT%\system32\rundll32.exe" C:\WINDOWS\system32\pfmshx_201.dll,RunDllEntry newpfolder "%1"" = "PismoFileMountAuditPackage" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] "{4BBAAAE9-0005-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] "{4BBAAAE9-0001-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] "{4BBAAAE9-0002-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] "{4BBAAAE9-0003-4201-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] "{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}" = "PismoFileMountAuditPackage" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] "{6230EF55-8E71-4F40-861A-DBA282584FF5}" = "AVS VideoConverter 6" -> {HKLM...CLSID} = "AVSVideoConverter Object" \InProcServer32\(Default) = "C:\PROGRA~1\AVS4YOU\AVSVID~1\AVSVID~1.DLL" ["Online Media Technologies Ltd."] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ <> "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL" [file not found] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <> "Authentication Packages" = "msv1_0"|"wvauth" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> gemsafe\DLLName = "C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll" ["Gemplus"] HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ <> skype4com\CLSID = "{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}" -> {HKLM...CLSID} = "IEProtocolHandler Class" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL" ["Skype Technologies"] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ AVSVideoConverter6\(Default) = "{6230EF55-8E71-4F40-861A-DBA282584FF5}" -> {HKLM...CLSID} = "AVSVideoConverter Object" \InProcServer32\(Default) = "C:\PROGRA~1\AVS4YOU\AVSVID~1\AVSVID~1.DLL" ["Online Media Technologies Ltd."] EncryptDocMgr\(Default) = "{52C70C7B-98B9-4626-8BD0-4D00FF028488}" -> {HKLM...CLSID} = "EncryptMenuItem Class" \InProcServer32\(Default) = "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\ContextMenuItem.dll" ["Wave Systems Corp."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] {4BBAAAE9-0001-4201-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0001-4201-9AA5-1BBD98C86E9B}" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ EncryptDocMgr\(Default) = "{52C70C7B-98B9-4626-8BD0-4D00FF028488}" -> {HKLM...CLSID} = "EncryptMenuItem Class" \InProcServer32\(Default) = "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\ContextMenuItem.dll" ["Wave Systems Corp."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\ PIDirectoryHook\(Default) = "{E8244BEF-0200-4A1A-BE4E-35A4A9F51C3F}" -> {HKLM...CLSID} = "PI5 CopyHook" \InProcServer32\(Default) = "C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll" [null data] Roxio DragToDisc Shell Extension\(Default) = "{5E44E225-A408-11CF-B581-008029601108}" -> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"] HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] {5E44E225-A408-11CF-B581-008029601108}\(Default) = "Roxio DragToDisc Shell Extension" -> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"] HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ 00nView\(Default) = "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] NvCplDesktopContext\(Default) = "{A70C977A-BF00-412C-90B7-034C51DA2439}" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] {4BBAAAE9-0002-4201-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0002-4201-9AA5-1BBD98C86E9B}" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"] HKLM\SOFTWARE\Classes\Folder\shellex\PropertySheetHandlers\ {4BBAAAE9-0003-4201-9AA5-1BBD98C86E9B}\(Default) = "{4BBAAAE9-0003-4201-9AA5-1BBD98C86E9B}" -> {HKLM...CLSID} = "PismoFileMountAuditPackage" \InProcServer32\(Default) = "C:\WINDOWS\system32\pfmshx_201.dll" ["Pismo Technic Inc."] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\ "Disable Config" = (REG_DWORD) dword:0x00000001 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Max\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."] MSWPDShellNamespaceHandler\ "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = " " -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS] muveeVideoCameraArrival\ "Provider" = "muvee autoProducer 4.0" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Program Files\muvee Technologies\muvee autoProducer 4.1 - Aiptek\muveeapp.exe" /RECORD" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] PDVD7DXPlayDVDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPDVDDX" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."] PDVD7DXPlayVideoCDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "VCD" "InvokeVerb" = "PlayWithPDVDDX" HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPDVDDX\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."] RoxioSCAudioCDTask33\ "Provider" = "Roxio Creator Audio" "InvokeProgID" = "Roxio.RoxioCentral33" "InvokeVerb" = "AudioCDTask" HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data] RoxioSCCopyCD33\ "Provider" = "Roxio Creator Copy" "InvokeProgID" = "Roxio.RoxioCentral33" "InvokeVerb" = "ExactCopyJob" HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data] RoxioSCCopyDisc33\ "Provider" = "Roxio Creator Copy" "InvokeProgID" = "Roxio.RoxioCentral33" "InvokeVerb" = "ExactCopyJob" HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data] RoxioSCDataProject33\ "Provider" = "Roxio Creator Data" "InvokeProgID" = "Roxio.RoxioCentral33" "InvokeVerb" = "DataGuide" HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data] RoxioSCDataTask33\ "Provider" = "Roxio Creator Data" "InvokeProgID" = "Roxio.RoxioCentral33" "InvokeVerb" = "DataTask" HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] "Google Software Updater" -> launches: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe scheduled_start" ["Google"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google Toolbar" \InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data] "{61539ECD-CC67-4437-A03C-9AACCBD14326}" -> {HKLM...CLSID} = "AIM Toolbar" \InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}" -> {HKLM...CLSID} = "Ask Toolbar" \InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google Toolbar" \InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data] "{61539ECD-CC67-4437-A03C-9AACCBD14326}" = "AIM Toolbar" -> {HKLM...CLSID} = "AIM Toolbar" \InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}" = (no title provided) -> {HKLM...CLSID} = "Ask Toolbar" \InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{B0DE3308-5D5A-470D-81B9-634FC078393B}\(Default) = "Ask Toolbar Quick View" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] HKLM\SOFTWARE\Classes\CLSID\{E16DC1FE-7C34-43F2-B754-F3AD12DDF97C}\(Default) = "Google Find Bar" Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll" [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."] {0B83C99C-1EFA-4259-858F-BCB33E007A5B}\ "ButtonText" = "AIM Toolbar" "CLSIDExtension" = "{61539ecd-cc67-4437-a03c-9aaccbd14326}" -> {HKLM...CLSID} = "AIM Toolbar" \InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> "{03402f96-3dc7-4285-bc50-9e81fefafe43}" = (no title provided) -> {HKLM...CLSID} = "AIM Toolbar Search Class" \InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\aimtb.dll" ["AOL LLC."] HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\ <> "bkup_Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS] <> "tbNumber" = "1" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"] Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."] ArcSoft Connect Daemon, ACDaemon, "C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe" ["ArcSoft Inc."] Avira AntiVir Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"] Avira AntiVir Scheduler, AntiVirSchedulerService, ""C:\Program Files\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"] Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."] Broadcom ASF IP and SMBIOS Mailbox Monitor, ASFIPmon, ""C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service" ["Broadcom Corporation"] Intel(R) PROSet/Wireless SSO Service, WLANKEEPER, "C:\Program Files\Intel\WiFi\bin\WLKeeper.exe" ["Intel(R) Corporation"] Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\WiFi\bin\EvtEng.exe" ["Intel(R) Corporation"] Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe" ["Intel(R) Corporation"] Intel® PROSet/Wireless WiFi Service, S24EventMonitor, "C:\Program Files\Intel\WiFi\bin\S24EvMon.exe" ["Intel(R) Corporation"] Maxtor Service, Maxtor Sync Service, ""C:\Program Files\Maxtor\Sync\SyncServices.exe"" ["Seagate Technology LLC"] NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe" ["Dell Inc."] NTRU TSS v1.2.1.25 TCS, tcsd_win32.exe, ""C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe"" [null data] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data] PnkBstrB, PnkBstrB, "C:\WINDOWS\system32\PnkBstrB.exe" [null data] SafeConnect Manager, SCManager, "C:\Program Files\SafeConnect\scManager.sys servicestart" ["Impulse Point, LLC"] SigmaTel Audio Service, STacSV, "C:\WINDOWS\system32\StacSV.exe" ["SigmaTel, Inc."] TdmService, TdmService, "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" ["Wave Systems Corp."] Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"] Wave UCSPlus, Wave UCSPlus, "C:\WINDOWS\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75}" [MS] Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- (launch time: 2010-02-10 20:25:53) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 164 seconds. ---------- (total run time: 194 seconds)