PDA

View Full Version : Silent Runners log

Fruss Tray Ted
10-02-2006, 05:08 PM
Not having any major issues per-se other than an occasional freeze-up when AVG does a scan and I get a BSOD. After a reboot, I rescan the partition it was in manually and it comes back clean. Therefore I've been pummeling this pc with other tests, all coming back clean except that I have a few questions about if I can get rid of some programs in Startup that I either don't want or don't use anymore.

Those I'd like to remove if possible are in bold below:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"SmcService" = "C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui" ["Sygate Technologies, Inc."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services\ {++}
"SmcService" = "C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE" ["Sygate Technologies, Inc."]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS]
PerUser_DCC_Inis\(Default) = "Windows Setup - Direct Cable Connection"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 C:\WINDOWS\INF\rna.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsCompuservePerUser\(Default) = "Windows Setup - CompuServe"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}.Restore\(Default) = "Address Book 5"
\StubPath = "rundll32.exe advpack.dll,UserUnInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]
"{F66EA030-786A-11D0-A7E0-0020AF3B9E0A}" = "VueIcons"
-> {HKLM...CLSID} = "VueIcons"
\InProcServer32\(Default) = "vueicons.dll" ["Hamrick Software"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ROXIO\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL ALTERNATIVE\RPSHELL.DLL" ["RealNetworks, Inc."]
"{5E7D9611-0A92-11D6-BCC6-C117EB0C4E52}" = "RStudio Menu Handler"
-> {HKLM...CLSID} = "RStudioMenuHandler Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\R-UNDELETE20\RSEXT.DLL" ["R-TT"]
"{3C7BE262-0E51-11D6-BCC6-A29C3C5B2152}" = "R-Undelete"
-> {HKLM...CLSID} = "R-Undelete"
\InProcServer32\(Default) = "C:\PROGRAM FILES\R-UNDELETE20\RSEXT.DLL" ["R-TT"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP~1.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP~1.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
RStudioMenuExt\(Default) = "{5E7D9611-0A92-11D6-BCC6-C117EB0C4E52}"
-> {HKLM...CLSID} = "RStudioMenuHandler Class"
\InProcServer32\(Default) = "C:\PROGRAM FILES\R-UNDELETE20\RSEXT.DLL" ["R-TT"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP~1.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "aČ Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6
Fruss Tray Ted
10-02-2006, 05:08 PM
Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Compaq IJ200 LanguageMonitor\Driver = "C2LANGMN.DLL" ["Compaq Computer Corp. "]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 25 seconds, including 13 seconds for message boxes)
_____________

Also is my IE being hijacked or just redirected to an MS site?

Thanks
Ted