Psguard et win32

Résolu
hear Messages postés 24 Statut Membre -  
hear Messages postés 24 Statut Membre -
re bonjour
j espère que vous m apporterez solution pour supprimer ce "psguard" qui m empoisonne
merci. (windows98) je débute.... ce "fichier" inscrusté dans mon pc jusqu'a mon écran. malgré supprimer dans configuration impossible de le virer définitivement.
comment faire je ne comprends pas les termes techniques.
je vous remercie de l'aide apportée

20 réponses

Résumé de la discussion

Suppression du logiciel indésirable psguard sous Windows 98 demeure problématique malgré les tentatives dans les paramètres et des messages d'erreur répétitifs et une présence persistante. Des réponses proposent des outils spécialisés tels que SmitRem et HijackThis, accompagnés de procédures comme l'extraction des fichiers, l'exécution de scripts et l'enregistrement des logs. D'autres conseils suggèrent d'opérer en mode sans échec, puis d'analyser les résultats avec HijackThis et de partager les rapports pour aide complémentaire à des fins diagnostiques. En cas de contexte historique, ces échanges reflètent des pratiques de dépannage d'époque pour Windows 98 et des outils antivirus ou nettoyage obsolètes et disponibles.

Généré automatiquement par IA
sur la base des meilleures réponses
  1. Utilisateur anonyme
     
    télécharge HijackThis ici:
    http://www.hijackthis.de/downloads/hijackthis_199.zip

    Dézippe le dans un dossier prévu à cet effet.
    Par exemple C:\hijackthis < Enregistre le bien dans c : !
    Lance le puis:
    clique sur "do a system scan and save logfile" (cf démo)
    faire un copier coller du log entier sur le forum

    Démo : (merci à balltrap34 pour cette réalisation)
    http://pageperso.aol.fr/balltrap34/demohijack.htm

    Bon courage

    A+
    0
    1. hear Messages postés 24 Statut Membre
       
      re bonjour
      merci aol avait tenté de me lancer dans les explications qui deviennent très compliquées pour mon niveau de compréhension.
      j'aimerais si possible obtenir de l'aide en évitant termes techniques

      merci bcp
      0
    2. hear Messages postés 24 Statut Membre
       
      merci un peu compliqué pour moi.. j'avoue. vais regarder site "balttrap 34"
      vais essayer si je peux avoir appui de ta part ce serait sympa.
      à nouveau merci
      0
    3. hear Messages postés 24 Statut Membre
       
      bonjour Regis59
      je te l envoie j'ai peur d'avoir fait betise. j'ai remarqué que psgard se rééinstalle avec aol. j'ai à nouveau icones en bas + sur écran l'icone.
      merci
      Logfile of HijackThis v1.99.1
      Scan saved at 13:20:21, on 02/10/05
      Platform: Windows 98 SE (Win9x 4.10.2222A)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\SYSTEM\KERNEL32.DLL
      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
      C:\WINDOWS\SYSTEM\MPREXE.EXE
      C:\WINDOWS\SYSTEM\mmtask.tsk
      C:\WINDOWS\SYSTEM\MSTASK.EXE
      C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLACSD.EXE
      C:\WINDOWS\EXPLORER.EXE
      C:\WINDOWS\SYSTEM\RNAAPP.EXE
      C:\WINDOWS\SYSTEM\TAPISRV.EXE
      C:\WINDOWS\TASKMON.EXE
      C:\WINDOWS\SYSTEM\SYSTRAY.EXE
      C:\WINDOWS\SYSTEM\HPZTSB03.EXE
      C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
      C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
      C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLDIAL.EXE
      C:\WINDOWS\LOADQM.EXE
      C:\WINDOWS\SYSTEM\SPOOL32.EXE
      C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
      C:\PROGRAM FILES\TECHCITY SOLUTIONS\AOLSAV\AOLAGENT.EXE
      C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
      C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
      C:\PROGRAM FILES\MICRO APPLICATION\MEDIADICO\MEDIADICO.EXE
      C:\WINDOWS\SYSTEM\WMIEXE.EXE
      C:\PROGRAM FILES\MICRO APPLICATION\MEDIADICO\RAC.EXE
      C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
      C:\WINDOWS\SYSTEM\DDHELP.EXE
      C:\WINDOWS\SYSTEM\INTELL32.EXE
      C:\PROGRAM FILES\AOL COMPAGNON\COMPANION.EXE
      C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
      C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
      C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\AOLTPSPD.EXE
      C:\MES DOCUMENTS\HIJACKTHIS.EXE

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.recherche.aol.fr/ie.htm
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.fr
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par AOL
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
      O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
      O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
      O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
      O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
      O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
      O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
      O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
      O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
      O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\FICHIE~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
      O4 - HKLM\..\Run: [LoadQM] loadqm.exe
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAGENT.EXE
      O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
      O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
      O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
      O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLACSD.EXE"
      O4 - HKCU\..\Run: [MediaDico] C:\Program Files\Micro Application\MediaDICO\LanceMediaDICO.exe Lancement
      O4 - Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
      O4 - Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
      O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
      O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
      O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
      O14 - IERESET.INF: START_PAGE_URL=http://www.aol.fr
      O16 - DPF: {981D847D-2C06-4FB7-A09C-4F0A48601B2C} (DiagSetup Class) - http://techcity.aol.fr/download/img/DiagSetup.cab
      O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
      0
  2. hear Messages postés 24 Statut Membre
     
    Logfile of HijackThis v1.99.1
    Scan saved at 13:53:42, on 01/10/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLDIAL.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\TECHCITY SOLUTIONS\AOLSAV\AOLAGENT.EXE
    C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\SYSTEMP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICRO APPLICATION\MEDIADICO\MEDIADICO.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\MICRO APPLICATION\MEDIADICO\RAC.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
    C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\AOLTPSPD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AOL COMPAGNON\COMPANION.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\MES DOCUMENTS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.recherche.aol.fr/ie.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.fr
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par AOL
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\FICHIE~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAGENT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLACSD.EXE"
    O4 - HKCU\..\Run: [MediaDico] C:\Program Files\Micro Application\MediaDICO\LanceMediaDICO.exe Lancement
    O4 - Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
    O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.fr
    O16 - DPF: {981D847D-2C06-4FB7-A09C-4F0A48601B2C} (DiagSetup Class) - http://techcity.aol.fr/download/img/DiagSetup.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O21 - SSODL: systemp - {CC27AB80-CC42-11D9-ACEC-0090D085B8EE} - systemp
    0
  3. Utilisateur anonyme
     
    salut
    aol t avais proposer de faire une restauration systeme?

    ***
    Bonjour,

    Méthode à suivre dans l'ordre...
    ----------------------------------------------------------------------------
    ¤Télécharge ces logiciels mais que tu n‘utilises pas tout de suite:

    1/

    Spybot S&D 1.4 <<nouvelle version.
    http://www.safer-networking.org/fr/index.html

    Démo d’utilisation (merci à Balltrap34 pour cette réalisation).
    http://pageperso.aol.fr/Balltrap34/demo%20spybot.htm

    2/

    Ad-Aware SE 1.06 <<nouvelle version.
    http://www.lavasoftusa.com/software/adaware/
    -Une aide:
    http://www.tutopat.com/viewtopic.php?t=1191
    - installe le patch français, tu pourras le trouver ici:
    http://download.lavasoft.de.edgesuite.net/public/pllangs.exe
    et une petite vidéo d'utilisation ici:(merci à Moe31 pour cette réalisation).
    http://pageperso.aol.fr/balltrap34/adawrevid.asf

    3/

    Clean Up 40:
    http://pageperso.aol.fr/balltrap34/CleanUp40.exe
    -aide en image:(merci à Balltrap34).
    http://pageperso.aol.fr/balltrap34/democleanup.htm

    ----------------------------------------------------------------------------
    ¤Vide tes fichiers temps et tempory internet file:

    utilise clean up, et une aide avec la video
    ----------------------------------------------------------------------------
    ¤Relance HijackThis, coche les cases devant ces lignes et ensuite clique sur fix checked :

    O21 - SSODL: systemp - {CC27AB80-CC42-11D9-ACEC-0090D085B8EE} - systemp

    ----------------------------------------------------------------------------
    ¤ Passe Ad-Aware et supprime tout ce qu’il trouve + supprime les quarantaines…
    ----------------------------------------------------------------------------
    ¤ Passe Spybot et corrige tout ce qu’il trouve + vaccine + supprime les quarantaines…
    ----------------------------------------------------------------------------
    ¤ Vide ta Corbeille.
    ----------------------------------------------------------------------------
    ¤ , relance Hijackthis et copie/colle un nouveau rapport sur le forum.

    Précise tes soucis s’il en reste....

    Tiens-moi au courant

    A+
    0
    1. hear Messages postés 24 Statut Membre
       
      merci je me mélange déjà les pinceaux tout est écrit en anglais ... pas facile pour une débutante.
      je retente
      je te tiens au courant de ma "galèr" régis59
      0
  4. Utilisateur anonyme
     
    salut
    tu n as juste qu a suivre, c est pas compliqué du tout tu verras, juste a suivre scupulesement les indications...
    si tu es bloqué, des questions ou si tu as des incertitudes ou si tu sais pas faire telles ou telles choses, demande nous sur le forum...

    a+
    0
    1. hear Messages postés 24 Statut Membre
       
      bonjour regis59

      je rame tjrs .. il est réapparu sous forme d'icone par contre j'ai réussi à le faire disparaitre de mon écran . il s'était installé sur tout mon écran. dans msconfig "intell.32 exe" et "P.S.Guard" je supprime la croix mais à l ouverture d'aol reviennent.
      je vais à nouveau recommencer par étape tes instructions.
      merci
      0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. Utilisateur anonyme
     
    ok, pense à sauvegarder les rapports qu'il va générer et poste les ici.

    a+
    0
    1. hear Messages postés 24 Statut Membre
       
      Moé31 j'ai raté ta manipul ... suis pas douée. ça ne fait rien merci . a bientot
      0
    2. hear Messages postés 24 Statut Membre
       
      moe31 merci pour ce tuyau. j expliquais à régis59 avoir effectué la manip mais écrit en anglais j'espère ne pas avoir écrasé tout et n importe quoi. lol
      merci
      0
  7. Utilisateur anonyme
     
    salut,
    recommence la manip mais en postant les rapports lol

    on est de tout coeur avec toi...
    0
    1. hear Messages postés 24 Statut Membre
       
      tout recommencer???? loll j'ai l'impression que j'explose et le pc implose. je recommence TOUT ! lol
      merci du partage de coeur.
      0
  8. Utilisateur anonyme
     
    re,non ce que te demande moe ici

    < 9 > - psguard et win32
    Ajouté par moe31 (02/10/2005 à 12:05 GMT+2)
    salut

    telecharge smitrem ici:
    http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
    double clic sur smitrem.exe (ca va extraire les fichiers)
    lance runthis.bat et laisse toi guider

    a+

    (et un hijack this ensuite)
    0
    1. hear Messages postés 24 Statut Membre
       
      regis59
      les icones en bas ont disparu (déjà un point) à l'écran s'affiche l'icone -- genre petit carré blanc vierge -- p.s.Guard spyware removed

      je t envoie compte rendu merci j'ai testé le smitrem tout est écrit en anglais ... j espère avoir bien effectuer les manip.
      pas en écrasant n importe quoi !

      Logfile of HijackThis v1.99.1
      Scan saved at 14:21:59, on 02/10/05
      Platform: Windows 98 SE (Win9x 4.10.2222A)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\SYSTEM\KERNEL32.DLL
      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
      C:\WINDOWS\SYSTEM\MPREXE.EXE
      C:\WINDOWS\SYSTEM\mmtask.tsk
      C:\WINDOWS\SYSTEM\MSTASK.EXE
      C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLACSD.EXE
      C:\WINDOWS\EXPLORER.EXE
      C:\WINDOWS\SYSTEM\RNAAPP.EXE
      C:\WINDOWS\SYSTEM\TAPISRV.EXE
      C:\WINDOWS\TASKMON.EXE
      C:\WINDOWS\SYSTEM\SYSTRAY.EXE
      C:\WINDOWS\SYSTEM\HPZTSB03.EXE
      C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
      C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
      C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLDIAL.EXE
      C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
      C:\WINDOWS\LOADQM.EXE
      C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
      C:\PROGRAM FILES\TECHCITY SOLUTIONS\AOLSAV\AOLAGENT.EXE
      C:\WINDOWS\SYSTEM\SPOOL32.EXE
      C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
      C:\PROGRAM FILES\AOL COMPAGNON\COMPANION.EXE
      C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
      C:\PROGRAM FILES\MICRO APPLICATION\MEDIADICO\MEDIADICO.EXE
      C:\WINDOWS\SYSTEM\WMIEXE.EXE
      C:\PROGRAM FILES\MICRO APPLICATION\MEDIADICO\RAC.EXE
      C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
      C:\MES DOCUMENTS\HIJACKTHIS.EXE

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.recherche.aol.fr/ie.htm
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.fr
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par AOL
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
      O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
      O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
      O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
      O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
      O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
      O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
      O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
      O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
      O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\FICHIE~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
      O4 - HKLM\..\Run: [LoadQM] loadqm.exe
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAGENT.EXE
      O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
      O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\FICHIERS COMMUNS\AOL\ACS\AOLACSD.EXE"
      O4 - HKCU\..\Run: [MediaDico] C:\Program Files\Micro Application\MediaDICO\LanceMediaDICO.exe Lancement
      O4 - Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0\aoltray.exe
      O4 - Startup: AOL Compagnon.lnk = C:\Program Files\AOL Compagnon\companion.exe
      O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
      O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
      O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
      O14 - IERESET.INF: START_PAGE_URL=http://www.aol.fr
      O16 - DPF: {981D847D-2C06-4FB7-A09C-4F0A48601B2C} (DiagSetup Class) - http://techcity.aol.fr/download/img/DiagSetup.cab
      0
  9. Utilisateur anonyme
     
    salut

    normallement, pas de risques avec smitrem, il ne supprime que les fichiers lié à on infection.
    Est ce qu'il te reste des soucis ?
    Sinon, ton hijack semble ok

    a+
    0
    1. hear Messages postés 24 Statut Membre
       
      ouf heureusement que le programme détecte seul les infections pour destruction.
      pour l instant pas de problème mais puis-je supprimer l'icone "p.s.Guard spyware removed" sur écran ? ce petit carré blanc vierge
      merci moe31
      0
  10. Utilisateur anonyme
     
    Quel plaisir de bosser a tes cotés mon cher Olivier ;-)
    0
    1. hear Messages postés 24 Statut Membre
       
      merci chaleureux pour ta patience Régis et tes indications si explicites. bonne journée. sympa d'être votre "patiente" lol
      bonne journée.
      claudie
      0
  11. Utilisateur anonyme
     
    salut regis

    lol, c'est reciproque

    pour hear:
    oui,tu peux supprimer l'icone sans problemes

    a+
    0
    1. hear Messages postés 24 Statut Membre
       
      merci chaleureux pour toi Olivier ... quelle saleté ces bestioles lol
      super de l'aide que vous apportez.
      bonne journée
      a +
      claudie
      0
  12. Utilisateur anonyme
     
    de rien, c'était avec plaisir
    bon dimanche

    a++
    0
  13. Utilisateur anonyme
     
    coucou claudie
    Ravie que tout soit en ordre ^^
    J espere que tu nous inviteras a diner pour ce soir lol (je m incruste...)

    Bon surf desormais, et si tu as besoin tu sais ou venir ....sur CCM !

    Bises
    0
    1. hear Messages postés 24 Statut Membre
       
      lol venez dîner , si vous n'avez pas peur d'attraper un virus !!! (je taquine) encore merci à vous deux
      bises régis
      0
    2. hear Messages postés 24 Statut Membre
       
      bonsoir régis59
      et oui, pas demande que tu dineras à la maison.
      ils sont tenaces sur mon pc.
      j'ai un petit "intell32" tjrs présent
      Olivier m'a donné marche à suivre pour manip. sans échec
      (interdiction de vous moquer !!!)
      a plus tard
      claudie
      0
    3. hear Messages postés 24 Statut Membre
       
      bonjour Regis

      merci pour tous tes conseils...je reformate pc ce week
      merci également de prendre le temps d'aider les novices de la technologie nouvelle lol
      a +++
      bonne journée
      Claudie
      0
  14. Utilisateur anonyme
     
    lol, de rien claudie,

    bon dimanche a vous

    a bientot ^^
    0
  15. Utilisateur anonyme
     
    salut regis

    il ne passe pas sur windows 98

    a++
    0
  16. Utilisateur anonyme
     
    ah oui , desole pas fait attention..merci moe

    Telecharge ceci
    http://www.silentrunners.org/Silent%20Runners.vbs
    Execute le,atends quelques minutes, il va creer ensuite un dossier juste a coté de silent runner sous format texte, copie/colle ce qu il te donnera

    a+
    0
    1. hear Messages postés 24 Statut Membre
       
      coucou Régis.
      j'ai téléchargé ton programme (merci bcp) une longue page apparait en format texte. celle-ci à copier ? (si le cas bonne lecture !!!!)
      j'essaie de bien suivre tes conseils, j'essaie, j'essaie ...
      vais devenir une vraie "forgeronne"
      merci
      0
    2. hear Messages postés 24 Statut Membre
       
      re bonsoir Régis mauvaise manip. scuse. je recommencerai demain
      normal que je vois s'afficher sur ma page de dial ici "psguard et win 32"???? sur la bande bleue? en commençant téléchargement : aieeee deux téléchargements pour exécuter? merci car là je ne comprends pas grande chose
      en téléchargeant silencetrunner un autre téléchargement "Windows Management Instrumentation" à télécharger .. oui ou non
      et ce psguard et win 32. vais devenir chèvre lol
      bonne soirée Bises Régis
      0
    3. hear Messages postés 24 Statut Membre
       
      je te copie seul élément que je trouve .. en espérant que ce soit le bon.

      'Silent Runners.vbs -- find out what programs start up with Windows!
      '
      'DO NOT REMOVE THIS HEADER!
      '
      'Copyright Andrew ARONOFF 28 August 2005, http://www.silentrunners.org/
      'This script is provided without any warranty, either expressed or implied
      'It may not be copied or distributed without permission
      '
      '** YOU RUN THIS SCRIPT AT YOUR OWN RISK! **
      'HEADER ENDS HERE


      Option Explicit

      Dim strRevNo : strRevNo = "40.1"

      Public flagTest : flagTest = False 'True if testing
      'flagTest = True 'Uncomment to test

      'This script is divided into 27 sections.

      'malware launch points:
      ' registry keys (I-XII, XV)
      ' INI/INF-files (XVI-XVIII)
      ' folders (XIX)
      ' enabled scheduled tasks (XX)
      ' Winsock2 service provider DLLs (XXI)
      ' IE toolbars, explorer bars, extensions (XXII)
      ' started services (XXVI)
      ' keyboard driver filters (XXVII)

      'hijack points:
      ' System/Group Policies (XIV)
      ' prefixes for IE URLs (XXIII)
      ' misc IE points (XXIV)
      ' HOSTS file (XXV)

      'Output is suppressed if deemed normal unless the -all parameter is used
      'Sections XVIII & XXII-dormant Explorer Bars are skipped unless the -supp/-all
      ' parameters are used or the first message box is answered "No"

      ' I. HKCU/HKLM... Run/RunOnce/RunOnce\Setup
      ' HKLM... RunOnceEx/RunServices/RunServicesOnce
      ' HKCU/HKLM... Policies\Explorer\Run
      ' II. HKLM... Active Setup\Installed Components\
      ' HKCU... Active Setup\Installed Components\
      ' (StubPath <> "" And HKLM version # > HKCU version #)
      ' III. HKLM... Explorer\Browser Helper Objects\
      ' IV. HKLM... Shell Extensions\Approved\
      ' V. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks
      ' VI. HKCU/HKLM... ShellServiceObjectDelayLoad\
      ' VII. HKCU... Command Processor\AutoRun ((default) <> "")
      ' HKCU... Policies\System\Shell (W2K & WXP only)
      ' HKCU... Windows\load & run ((default) <> "")
      ' HKCU... Command Processor\AutoRun ((default) <> "")
      ' HKLM... Windows\AppInit_DLLs ((default) <> "")
      ' HKLM... Winlogon\Shell/Userinit/System/Ginadll/Taskman
      ' ((default) <> explorer.exe, userinit.exe, "", "", "")
      ' VIII. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
      ' IX. HKLM... Image File Execution Options\ (subkeys with name = "Debugger")
      ' X. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff
      ' XI. HKCR Protocols\Filter
      ' XII. Context menu shell extensions
      ' XIII. HKCR executable file type (bat/cmd/com/exe/hta/pif/scr)
      ' (shell\open\command data <> "%1" %*; hta <> mshta.exe "%1" %*; scr <> "%1" /S)
      ' XIV. System/Group Policies
      ' XV. Enabled Wallpaper & Screen Saver
      ' XVI. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe, scrnsave.exe), WINSTART.BAT
      ' XVII. AUTORUN.INF in root of fixed drive (open/shellexecute <> "")
      'XVIII. DESKTOP.INI in any local fixed disk directory (section skipped by default)
      ' XIX. %WINDIR%... Startup & All Users... Startup (W98/WME) or
      ' %USERNAME%... Startup & All Users... Startup folder contents
      ' XX. Scheduled Tasks
      ' XXI. Winsock2 Service Provider DLLs
      ' XXII. Internet Explorer Toolbars, Explorer Bars, Extensions (dormant
      ' Explorer Bars section skipped by default)
      'XXIII. Internet Explorer URL Prefixes
      ' XXIV. Misc. IE Hijack Points
      ' XXV. HOSTS file
      ' XXVI. Started Services
      'XXVII. Keyboard Driver Filters


      Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")
      Dim WshoArgs : Set WshoArgs = WScript.Arguments
      Dim intErrNum, intMB 'Err.Number, MsgBox return value

      Dim strflagTest : strflagTest = ""
      If flagTest Then
      strflagTest = "TEST "
      Wshso.Popup "Silent Runners is in testing mode.",1, _
      "Testing, testing, 1-2-3...", vbOKOnly + vbExclamation
      End If

      'Configuration Detection Section

      ' FileSystemObject creation error (112)
      ' CScript/WScript (147)
      ' Dim (161)
      ' GetFileVersion(WinVer.exe) (VBScript 5.1) (182)
      ' OS version (223)
      ' WMI (279)
      ' Dim (364)
      ' command line arguments (440)
      ' supplementary search MsgBox (532)
      ' startup MsgBox (557)
      ' CreateTextFile error (583)
      ' output file header (625)
      ' WXP SP2 (629)

      On Error Resume Next
      Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")
      intErrNum = Err.Number : Err.Clear
      On Error Goto 0

      If intErrNum <> 0 Then

      strURL = "http://tinyurl.com/7nn6"

      intMB = MsgBox (Chr(34) & "Silent Runners" & Chr(34) &_
      " cannot access file services critical to" & vbCRLF &_
      "proper script operation." & vbCRLF & vbCRLF &_
      "If you are running Windows XP, make sure that the" &_
      vbCRLF & Chr(34) & "Cryptographic Services" & Chr(34) &_
      " service is started." & vbCRLF & vbCRLF &_
      "You can also try reinstalling the latest version of the MS" &_
      vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_
      "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
      "the download site or" & vbCRLF & Space(10) & Chr(34) & "Cancel" &_
      Chr(34) & " to quit.", vbOKCancel + vbCritical, _
      "Can't access the FileSystemObject!")

      'if dl wanted now, send browser to dl site
      If intMB = 1 Then Wshso.Run strURL

      WScript.Quit

      End If

      Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network")

      Const HKLM = &H80000002, HKCU = &H80000001
      Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7
      Const MS = " [MS]"

      'determine whether output is via MsgBox/PopUp or Echo
      Dim flagOut
      If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then
      flagOut = "W" 'WScript
      ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then
      flagOut = "C" 'CScript
      Else 'echo and continue if it works
      flagOut = "C" 'assume CScript-compatible
      WScript.Echo "Neither " & Chr(34) & "WSCRIPT.EXE" & Chr(34) & " nor " &_
      Chr(34) & "CSCRIPT.EXE" & Chr(34) & " was detected as " &_
      "the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_
      " will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_
      "use WScript.Echo for all messages."
      End If 'script host

      Const SysFolder = 1 : Const WinFolder = 0
      Dim strOS : strOS = "Unknown"
      Dim strOSLong : strOSLong = "Unknown"
      Dim strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro
      Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
      Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
      Public strExeBareName 'bare file name w/o windows or system folder prefixes
      Dim strSysVer 'Winver.exe version number
      Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number
      Dim intLenValue 'value length
      Dim strURL 'download URL
      Dim flagGP : flagGP = False 'assume Group Policies cannot be set in the O/S

      'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
      'trap GetFileVersion error for VBScript version < 5.1
      On Error Resume Next
      If Fso.FileExists (strFPSF & "\Winver.exe") Then
      strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
      Else
      strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
      End If
      intErrNum = Err.Number : Err.Clear
      On Error Goto 0

      'if old VBScript version
      If intErrNum <> 0 Then

      'store dl URL
      strURL = "http://tinyurl.com/7zh0"

      'if using WScript
      If flagOut = "W" Then

      'explain the problem
      intMB = MsgBox ("This script requires VBScript 5.1 or higher " &_
      "to run." & vbCRLF & vbCRLF & "The latest version of VBScript can " &_
      "be downloaded at: " & strURL & vbCRLF & vbCRLF &_
      "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
      "the download site or " & Chr(34) & "Cancel" & Chr(34) &_
      " to quit." & vbCRLF & vbCRLF & "(WMI is also required. If it's " &_
      "missing, download instructions will appear later.)", _
      vbOKCancel + vbExclamation,"Unsupported VBScript Version!")

      'if dl wanted now, send browser to dl site
      If intMB = 1 Then Wshso.Run strURL

      'if using CScript
      Else 'flagOut = "C"

      'explain the problem
      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
      "VBScript 5.1 or higher to run." & vbCRLF & vbCRLF &_
      "It can be downloaded at: " & strURL

      End If 'WScript or CScript?

      'quit the script
      WScript.Quit

      End If 'VBScript version error encountered?

      'use WINVER.EXE file version to determine O/S
      If Instr(Left(strSysVer,3),"4.1") > 0 Then
      strOS = "W98" : strOSLong = "Windows 98"

      ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then
      strOS = "NT4" : strOSLong = "Windows NT 4.0"

      ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then
      strOS = "W98" : strOSLong = "Windows 95"

      ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then
      strOS = "W2K" : strOSLong = "Windows 2000" : flagGP = True

      ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then
      'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180
      strOS = "WXP" : strOSLong = "Windows XP"

      If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2"

      ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then
      strOS = "WME" : strOSLong = "Windows Me (Millennium Edition)"

      ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then
      strOS = "WXP" : strOSLong = "Windows Server 2003 (interpreted as Windows XP)"
      flagGP = True

      Else 'unknown strSysVer

      If flagOut = "W" Then

      intMB = MsgBox ("The " & Chr(34) & "Silent Runners" & Chr(34) &_
      " script cannot determine the operating system." & vbCRLF & vbCRLF &_
      "Click " & Chr(34) & "OK" & Chr(34) & " to send an e-mail to the " &_
      "author, providing the following information:" & vbCRLF & vbCRLF &_
      "WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_
      "or click " & Chr(34) & "Cancel" & Chr(34) & " to quit.", _
      49,"O/S Unknown!")

      If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_
      "<%73%72.%6F%73.%76%65%72.%65%72%72%6F%72@%61%61%72%6F%6E%6F%66%66.%63%6F%6D>?" &_
      "subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_
      "%20file%20version%20=%20" & strSysVer

      Else 'flagOut = "C"

      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
      "determine the operating system." & vbCRLF & vbCRLF & "This script will exit."

      End If 'flagOut?

      WScript.Quit

      End If 'OS id'd from strSysVer?

      'use WMI to connect to the registry
      On Error Resume Next
      Dim oReg : Set oReg = GetObject("winmgmts:root\default:StdRegProv")
      intErrNum = Err.Number : Err.Clear
      On Error Goto 0

      'detect WMI connection error
      If intErrNum <> 0 Then

      strURL = ""

      'for W98/NT4, assume WMI not installed and direct to d/l URL
      If strOS = "W98" Or strOS = "NT4" Then

      If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"
      If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7"

      'invite user to download WMI & quit
      If flagOut = "W" Then

      intMB = MsgBox ("This script requires " & Chr(34) & "WMI" &_
      Chr(34) & ", Windows Management Instrumentation, to run." &_
      vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_
      vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" & Chr(34) &_
      " to direct your browser to the download site or " &_
      Chr(34) & "Cancel" & Chr(34) & " to quit.",_
      vbOKCancel + vbCritical,"WMI Not Installed!")

      If intMB = 1 Then Wshso.Run strURL

      'at command line, explain & quit
      Else 'flagOut = "C"

      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
      Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_
      "to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL

      End If

      'for W2K Or WXP, explain how to start the WMI service
      ElseIf strOS = "W2K" Or strOS = "WXP" Then

      If strOS = "W2K" Then strLine = "Settings, "

      'explain how to turn on WMI service
      If flagOut = "W" Then

      MsgBox "This script requires Windows Management Instrumentation" &_
      " to run." & vbCRLF & vbCRLF & "Click on Start, " & strLine &_
      "Control Panel, Administrative Tools, Services," & vbCRLF &_
      "and start the " & Chr(34) & "Windows Management Instrumentation" &_
      Chr(34) & " service.",vbOKOnly + vbCritical,"WMI Service not running!"

      'at command line, explain & quit
      Else 'flagOut = "C"

      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
      "Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_
      "Click on Start, " & strLine & "Control Panel, Administrative " &_
      " Tools, Services," & vbCRLF & "and start the " & Chr(34) &_
      "Windows Management Instrumentation" & Chr(34) & " service."

      End If 'flagOut?

      Else 'WME

      'say there's a WMI problem
      If flagOut = "W" Then

      MsgBox "This script requires WMI (Windows Management Instrumentation)" &_
      " to run," & vbCRLF & "but WMI is not running correctly.", _
      vbOKOnly + vbCritical,"WMI problem!"

      'at command line, explain & quit
      Else 'flagOut = "C"

      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
      "WMI (Windows Management Instrumentation) to run," & vbCRLF &_
      "but WMI is not running correctly."

      End If 'flagOut?

      End If 'which O/S?

      WScript.Quit

      End If 'WMI execution error

      'array of Run keys, counter x 5, hive member, startup folder file,
      'startup file shortcut, IERESET.INF file
      Dim arRunKeys, i, ii, j, k, l, oHiveElmt, oSUFi, oSUSC
      'dictionary, keys, items, hard disk collection
      Dim arSK, arSKk, arSKi, colDisks

      'arrays: Run key names, keys, sub-keys, value type, Protocol filters
      Dim arNames(), arKeys(), arSubKeys(), arType, arFilter()
      'Sub-Directory DeskTop.Ini array, Sub-Directory Error array
      Public arSDDTI(), arSDErr()
      'DeskTop.Ini counter, Error counter
      Public ctrArDTI, ctrArErr
      Public cntFo : cntFo = 0 'folder counter

      'name member, key array member x 4, O/S, drive root directory, work file
      Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk
      'values x 7
      Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6, intValue
      'name, single character, startup folder name, startup folder, array member, temp var
      Dim strName, strChr, arSUFN, oSUF, strArMember, strTmp
      'output string x 3
      Dim strOut, strOut1, strOut2

      'output file msg x 2, warning string, title line
      Dim strLine, strLine1, strLine2, strWarn, strTitleLine
      Dim strKey, strKey1, strKey2, strKey3, strSubKey 'register key x 4, sub-key
      'output file name string, PIF path string, single binary character
      Dim strFN, strPIFTgt, bin1C
      Public datLaunch : datLaunch = Now 'script launch time
      Public intCnt 'counter
      'ref time, time taken by 2 pop-up boxes
      Public datRef : datRef = 0
      Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0

      'TRUE if show all output (default values not filtered)
      Public flagShowAll : flagShowAll = False
      Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_
      "except where indicated by " & Chr(34) & "{++}" & Chr(34) 'output file string
      Public strTitle : strTitle = ""
      Public strSubTitle : strSubTitle = ""
      Public strSubSubTitle : strSubSubTitle = ""
      Public flagNVP : flagNVP = False 'existence of name/value pairs in a key
      Dim flagInfect : flagInfect = False 'flag infected condition
      Dim flagMatch 'flag matching keys
      Dim flagAllow 'flag key on approved list
      Dim flagFound 'flag key that exists in Registry
      Dim flagDirArg : flagDirArg = False 'presence of output directory argument
      Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format
      Dim flagAllArg : flagAllArg = False 'presence of all output argument
      Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all
      'directories of local fixed disks
      'or for dormant Explorer Bars
      Dim intLBSP 'Last BackSlash Position in path string
      Dim intSS 'lowest sort subscript
      Dim strDLL, strCN 'DLL name, company name
      'string to signal all output by default
      Public strAllOutDefault : strAllOutDefault = ""

      Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)
      If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"
      'initialize Path of Output File Folder to script path
      Dim strPathOFFo : strPathOFFo = ScrPath

      'hive array
      Dim arHives(1,1)
      arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
      arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

      'set up argument usage message string

      Dim strLSp, strCSp 'Leading Spaces, Centering Spaces
      strLSp = Space(4) : strCSp = Space(33) 'WScript spacing
      If flagOut = "C" Then 'CScript spacing
      strLsp = Space(3) : strCSp = Space(28)
      End If

      Dim strMsg : strMsg = "Only two arguments are permitted:" &_
      vbCRLF & vbCRLF &_
      "1. the name of an existing directory for the output report" &_
      vbCRLF & strLSp & "(embed in quotes if it contains spaces)" &_
      vbCRLF & vbCRLF & strCSp & "AND:" & vbCRLF & vbCRLF &_
      "2. " & Chr(34) & "-supp" & Chr(34) & " to search " &_
      "all directories for DESKTOP.INI DLL" & vbCRLF &_
      strLSp & "launch points and all Registry CLSIDs for dormant" &_
      vbCRLF & strLSp & "Explorer Bars" &_
      vbCRLF & vbCRLF & strCSp & "-OR-" & vbCRLF & vbCRLF &_
      "3. " & Chr(34) & "-all" & Chr(34) & " to output all non-empty " &_
      "values and all launch" & vbCRLF & strLSp & "points checked"

      'check if output directory or "-all" or "-supp" was supplied as argument
      If WshoArgs.length > 0 And WshoArgs.length <= 2 Then

      For i = 0 To WshoArgs.length-1

      'if directory arg not already passed and arg directory exists
      If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then

      'get the path & toggle the directory arg flag
      Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i))
      strPathOFFo = oOFFo.Path : flagDirArg = True
      If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"
      Set oOFFo=Nothing

      'if -all arg not already passed and is this arg
      ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then

      'toggle ShowAll flag, toggle the all arg flag, fill report string
      flagShowAll = True : flagAllArg = True
      strRptOutput = "Output of all locations checked and all values found."

      'if -all arg not already passed and is this arg
      ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-supp" Then
      flagSupp = True : flagAllArg = True
      strRptOutput = "Search enabled of all directories on local fixed " &_
      "drives for DESKTOP.INI" & vbCRLF & " DLL launch points and of " &_
      "all Registry CLSIDs for dormant Explorer Bars" & vbCRLF & strRptOutput

      'argument can't be interpreted, so explain & quit
      Else

      If flagOut = "W" Then 'pop up a message window

      Wshso.Popup "The argument:" & vbCRLF &_
      Chr(34) & UCase(WshoArgs(i)) & Chr(34) & vbCRLF &_
      "... can't be interpreted." & vbCRLF & vbCRLF &_
      strMsg,10,"Bad Script Argument", vbOKOnly + vbExclamation

      Else 'flagOut = "C" 'write the message to the console

      WScript.Echo vbCRLF & "The argument: " &_
      Chr(34) & UCase(WshoArgs(i)) & Chr(34) &_
      " can't be interpreted." & vbCRLF & vbCRLF &_
      strMsg & vbCRLF

      End If 'WScript host?

      WScript.Quit

      End If 'argument can be interpreted?

      Next 'argument

      'too many args passed
      ElseIf WshoArgs.length > 2 Then

      'explain & quit
      If flagOut = "W" Then 'pop up a message window

      Wshso.Popup "Too many arguments (" & WshoArgs.length & ") were passed." &_
      vbCRLF & vbCRLF & strMsg,10,"Too Many Arguments",_
      vbOKOnly + vbCritical

      Else 'flagOut = "C" 'write the message to the console

      WScript.Echo "Too many arguments (" & WshoArgs.length & ") were passed." &_
      vbCRLF & vbCRLF & strMsg & vbCRLF

      End If 'WScript host?

      WScript.Quit

      End If 'directory arguments passed?

      Set WshoArgs=Nothing

      datRef = Now

      'if no cmd line argument for flagSupp and not testing, show popup
      If Not flagTest And Not flagShowAll And Not flagSupp And flagOut = "W" Then

      intMB = Wshso.Popup ("Do you want to skip the supplementary searches?" &_
      vbCRLF & "(They typically take several minutes.)" & vbCRLF & vbCRLF &_
      "Press " & Chr(34) & "Yes" & Chr(34) & Space(5) &_
      " to skip the supplementary searches (default)" & vbCRLF & vbCRLF &_
      Space(10) & Chr(34) & "No" & Chr(34) & Space(6) &_
      " to perform them, or" & vbCRLF & vbCRLF &_
      Space(10) & Chr(34) & "Cancel" & Chr(34) &_
      " to get more information at the web site" & vbCRLF &_
      Space(25) & "and exit the script.",_
      15,"Skip supplementary searches?",_
      vbYesNoCancel + vbQuestion + vbDefaultButton1 + vbSystemModal)

      If intMB = vbNo Then
      flagSupp = True
      ElseIf intMB = vbCancel Then
      Wshso.Run "http://www.silentrunners.org/sr_thescript.html#supp"
      WScript.Quit
      End If

      End If

      datPUB1 = DateDiff("s",datRef,Now) : datRef = Now

      'inform user that script has started
      If Not flagTest Then
      If flagOut = "W" Then
      Wshso.PopUp Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
      vbCRLF & vbCRLF & "A message box like this one will appear " &_
      "when it's done." & vbCRLF & vbCRLF & "Please be patient...",3,_
      "Silent Runners R" & strRevNo & " startup", _
      vbOKOnly + vbInformation + vbSystemModal
      Else
      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
      " Please be patient..."
      End If 'flagOut?
      End If 'flagTest?

      datPUB2 = DateDiff("s",datRef,Now)

      'create output file name with computer name & today's date
      'Startup Programs (pc_name_here) yyyy-mm-dd.txt

      strFN = strPathOFFo & strflagTest & "Startup Programs (" &_
      oNetwk.ComputerName & ") " & FmtDate(datLaunch) & " " &_
      FmtHMS(datLaunch) & ".txt"
      On Error Resume Next
      If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN)
      Err.Clear
      Public oFN : Set oFN = Fso.CreateTextFile(strFN,True)
      intErrNum = Err.Number : Err.Clear
      On Error Goto 0

      'if can't create report file
      If intErrNum > 0 Then

      strURL = "http://www.silentrunners.org/Silent%20Runners%20RED.vbs"

      'invite user to e-mail me & quit
      If flagOut = "W" Then

      intMB = MsgBox ("The script cannot create its report file. " &_
      "This is a known, intermittent" & vbCRLF & "problem under " &_
      strOSLong & "." & vbCRLF & vbCRLF &_
      "An alternative script version is available for download. " &_
      "After it runs, " & vbCRLF & "the script you're using now will " &_
      "run correctly." & vbCRLF & vbCRLF &_
      "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser " &_
      "to the alternate script location, or" & vbCRLF & Space(10) &_
      Chr(34) & "Cancel" & Chr(34) & " to quit.",49,"CreateTextFile Error!")

      'if alternative script wanted now, send browser to dl site
      If intMB = 1 Then Wshso.Run strURL

      'explain & quit
      Else 'flagOut = "C"

      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
      "create the report file." & vbCRLF & vbCRLF &_
      "An alternative script is available. Run it, then rerun this version." &_
      vbCRLF & "The alternative script can be downloaded at: " & vbCRLF &_
      vbCRLF & strURL

      End If

      WScript.Quit

      End If 'report file creation error?

      'add report header
      Set oNetwk=Nothing

      oFN.WriteLine Chr(34) & "Silent Runners.vbs" & Chr(34) &_
      ", revision " & strRevNo & ", http://www.silentrunners.org/" &_
      vbCRLF & "Operating System: " & strOSLong & vbCRLF & strRptOutput

      'use WMI to differentiate between WXP Home & WXP Pro
      If strOS = "WXP" Then

      'get the O/S collection
      Dim colOS : Set colOS = GetObject("winmgmts:\root\cimv2").ExecQuery _
      ("Select * from Win32_OperatingSystem")

      For Each oOS in colOS
      'modify strOSXP if O/S = Pro
      If InStr(1,LCase(oOS.Name),"professional",1) > 0 Then
      strOSXP = "Windows XP Professional"
      flagGP = True
      End If
      'modify strOSXP if SP2
      If Right(strOSLong,3) = "SP2" Then strOSXP = strOSXP & " SP2"
      Next

      Set colOS=Nothing

      End If 'WXP?




      'I. Examine HKCU/HKLM... Run/RunOnce/RunOnceEx/RunServices/RunServicesOnce
      ' and HKCU/HKLM... Policies\Explorer\Run

      If Not flagTest Then 'skip if testing

      'write registry header lines to file
      strTitle = "Startup items buried in registry:"
      TitleLineWrite

      'put keys in array (Key Index 0 - 6)
      arRunKeys = Array ("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _
      "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
      "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", _
      "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _
      "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx", _
      "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", _
      "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce")

      'Key Execution Flag/Subkey Recursion Flag array
      '
      'first number in the ordered pair in the array immediately below
      ' pertains to execution of the key:
      '0: not executed (ignore)
      '1: may be executed so display with EXECUTION UNLIKELY warning
      '2: executable
      '
      'second number in the ordered pair pertains to subkey recursion
      '0: subkeys not used
      '1: subkey recursion necessary

      'Hive HKCU - 0 HKLM - 1
      '
      'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6
      'Index
      '
      'O/S:
      'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
      'WME 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
      'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0
      'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0
      'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0
      'WS2K3 ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???

      'arRegFlag(i,j,k): put flags in array by O/S:
      'hive = i (0 or 1), key_# = j (0-6),
      ' flags (key execution/subkey recursion) = k (0 or 1)
      ' k = 0 holds key execution value = 0/1/2
      ' 1 holds subkey recursion value = 0/1
      Dim arRegFlag()
      ReDim arRegFlag(1,6,1)

      'initialize entire array to zero
      For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1
      arRegFlag(i,j,k) = 0
      Next : Next : Next

      'add data to array for O/S that's running

      'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
      If strOS = "W98" Or strOS = "WME" Then
      arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
      arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
      arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
      arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
      arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
      arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
      arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
      arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
      arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
      End If

      'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0
      If strOS = "NT4" Then
      arRegFlag(0,0,0) = 1 'HKCU,Explorer\Run = warning
      arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
      arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
      arRegFlag(1,0,0) = 1 'HKLM,Explorer\Run = warning
      arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
      arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
      arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning
      arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
      arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
      End If

      'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0
      If strOs = "W2K" Then
      arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
      arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
      arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
      arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
      arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
      arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys
      arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
      arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
      arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
      arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
      arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
      arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys
      arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
      arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
      End If

      'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0
      If strOs = "WXP" Then
      arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
      arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
      arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
      arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
      arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
      arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
      arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning
      arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
      arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
      End If

      'for each hive
      For i = 0 To 1

      'for each key
      For j = 0 To 6

      'if not ShowAll, show all output for Run keys
      If j = 1 And Not flagShowAll Then strAllOutDefault = " {++}"

      'if key is not ignored
      If arRegFlag(i,j,0) > 0 Then

      flagNVP = False

      'intialize string with warning if necessary
      strWarn = ""
      If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: "

      'with no name/value pairs (sub-keys are identical)
      ' IsArray TypeName UBound
      'W98 True "Variant()" -1
      'WME True "Variant()" -1
      'NT4 True "Variant()" -1
      'W2K False "Null" --
      'WXP False "Null" --
      'WS2K3 True "Variant()" --

      EnumNVP arHives(i,1), arRunKeys(j), arNames, arType

      If flagNVP Then 'name/value pairs exist

      'write the full key name
      oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\" & strAllOutDefault

      'for each data type in the names array
      For k = LBound(arNames) To UBound(arNames)

      'use the type to find the value
      strValue = RtnValue (arHives(i,1), arRunKeys(j), arNames(k), arType(k))
      'write the name & value
      WriteValueData arNames(k), strValue, arType(k), strWarn

      Next 'member of names array

      Else 'no name/value pairs

      If flagShowAll Then _
      oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\"

      End If 'flagNVP?

      'recurse subkeys if necessary
      If arRegFlag(i,j,1) = 1 Then

      'put all subkeys into array

      oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys

      'excludes W2K/WXP with no sub-keys
      If IsArray(arKeys) Then

      'excludes W98/WME/NT4/WS2K3 with no sub-keys
      For Each strMemKey in arKeys

      flagNVP = False
      strSubKey = arRunKeys(j) & "\" & strMemKey

      EnumNVP arHives(i,1), arRunKeys(j) & "\" & strMemKey,arNames,arType

      If flagNVP Then 'if name/value pairs exist

      'write the full key name
      oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & strAllOutDefault

      'for each data type in the names array
      For k = LBound(arNames) To UBound(arNames)

      'use the type to find the value
      strValue = RtnValue (arHives(i,1), strSubKey, arNames(k), arType(k))
      'write the name & value
      WriteValueData arNames(k), strValue, arType(k), strWarn

      Next 'member of names array

      Else 'no name/value pairs

      If flagShowAll Then _
      oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & "\"

      End If 'flagNVP?

      Next 'sub-key

      End If 'sub-keys exist? W2K/WXP/WS2K3

      End If 'enum sub-keys?

      End If 'arRegFlag(i,j,0) > 0

      Next 'Run key

      Next 'Hive

      strAllOutDefault = "" : flagNVP = False

      'recover array memory
      ReDim arRunKeys(0)
      ReDim arKeys(0)
      ReDim arRegFlag(0)

      End If 'flagTest?




      'II. Examine HKLM... Active Setup\Installed Components

      If Not flagTest Then 'skip if testing

      'flags True if only numeric & comma chrs in Version values
      Dim flagHKLMVer, flagHKCUVer
      'StubPath Value string, HKLM Version value, HKCU Version value, HKLM program name
      Dim strSPV, strHKLMVer, strHKCUVer, strPgmName
      Dim arHKLMKeys, arHKCUKeys, strHKLMKey, strHKCUKey

      strKey = "Software\Microsoft\Active Setup\Installed Components"

      strSubTitle = "HKLM" & "\" & strKey & "\"

      'find all the subkeys
      oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM
      oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU

      'enumerate HKLM keys if present
      If IsArray(arHKLMKeys) Then

      'for each HKLM key
      For Each strHKLMKey In arHKLMKeys

      'Default Value not set:
      'W98/WME: returns 0, strValue = ""
      'NT4/W2K/WXP: returns non-zero, strValue = Null

      'Non-Default name inexistent:
      'W98/WME/NT4/W2K/WXP: returns non-zero, strValue = Null

      'Non-Default Value not set:
      'W2K: returns 0, strValue = unwritable string
      'W98/WME/NT4/WXP: returns 0, strValue = ""

      'get the StubPath value
      intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"StubPath",strSPV)

      'if the StubPath name exists And value set (exc for W2K!)
      If intErrNum = 0 And strSPV <> "" Then

      flagMatch = False

      'if HKCU keys present
      If IsArray(arHKCUKeys) Then

      'for each HKCU key
      For Each strHKCUKey in arHKCUKeys

      'if identical HKLM key exists
      If LCase(strHKLMKey) = LCase(strHKCUKey) Then

      'assume Version fmts are OK
      flagHKLMVer = True : flagHKCUVer = True

      'get HKLM & HKCU Version values
      intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey, _
      "Version",strHKLMVer) 'HKLM Version #
      intErrNum2 = oReg.GetStringValue (HKCU,strKey & "\" & strHKCUKey, _
      "Version",strHKCUVer) 'HKCU Version #

      'if HKLM Version name exists And value set (exc for W2K!)
      If intErrNum1 = 0 And strHKLMVer <> "" Then

      'the next two loops check for allowed chars (numeric & comma)
      ' in returned Version values

      For i = 1 To Len(strHKLMVer)
      strChr = Mid(strHKLMVer,i,1)
      If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False
      Next

      'if HKCU Version name exists And value set (exc for W2K!)
      If intErrNum2 = 0 And strHKCUVer <> "" Then

      'check that value consists only of numeric & comma chrs
      For i = 1 To Len(strHKCUVer)
      strChr = Mid(strHKCUVer,i,1)
      If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False
      Next

      End If 'HKCU Version null or MT?

      'if HKLM Ver # has illegal fmt (i.e., is not assigned) or doesn't exist (is Null)
      ' or is empty, match = True
      'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True
      'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output
      ' but StubPath will not launch
      If Not flagHKLMVer Then flagMatch = True
      If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True

      Else 'HKLM Version name doesn't exist Or value not set (exc for W2K!)

      flagMatch = True

      End If 'HKLM Version name exists And value set (exc for W2K!)?

      End If 'HKCU key=HKLM key?

      Next 'HKCU Installed Components key

      End If 'HKCU Installed Components subkeys exist?

      'if the StubPath will launch
      If Not flagMatch Then

      flagAllow = False 'assume StubPath DLL not on approved list
      strCN = CoName(IDExe(strSPV))

      'test for approved StubPath DLL
      If LCase(strHKLMKey) = ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" And _
      (InStr(LCase(strSPV),"wmpocm.exe") > 0 Or _
      InStr(LCase(strSPV),"unregmp2.exe") > 0) And _
      strCN = MS And Not flagShowAll Then flagAllow = True

      'StubPath DLL not approved
      If Not flagAllow Then

      'get the default value (program name)
      intErrNum3 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"",strPgmName)
      'enclose pgm name in quotes if name exists and default value isn't empty
      If intErrNum3 = 0 And strPgmName <> "" Then
      strPgmName = Chr(34) & strPgmName & Chr(34)
      Else
      strPgmName = "(no title provided)"
      End If

      TitleLineWrite

      'output the CLSID & pgm name
      oFN.WriteLine strHKLMKey & "\(Default) = " & StringFilter(strPgmName,False)

      On Error Resume Next
      'output the StubPath value
      oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
      Chr(34) & strSPV & Chr(34) & strCN
      'error check for W2K if StubPath value not set
      If Err.Number <> 0 Then oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
      "(value not set)"
      Err.Clear
      On Error GoTo 0

      End If 'flagAllow false?

      End If 'flagMatch false?

      End If 'StubPath value exists?

      Next 'HKLM Installed Components subkey

      End If 'HKLM Installed Components subkeys exist?

      If flagShowAll Then TitleLineWrite

      'recover array memory
      ReDim arHKLMKeys(0)
      ReDim arHKCUKeys(0)

      strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

      End If 'flagTest?




      'III. Examine HKLM... Explorer\Browser Helper Objects

      If Not flagTest Then 'skip if testing

      strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
      strSubTitle = "HKLM" & "\" & strKey & "\"

      'find all the subkeys
      oReg.EnumKey HKLM, strKey, arSubKeys

      'enumerate data if present
      If IsArray(arSubKeys) Then

      'for each key
      For Each strSubKey In arSubKeys

      TitleLineWrite

      If Len(strSubKey) = 38 Then 'strSubKey is CLSID

      'get the default value
      intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strSubKey,"",strValue)

      'if the BHO title exists, embed it in quotes
      If intErrNum1 = 0 And strValue <> "" Then

      strValue = StringFilter(strValue,True)

      Else 'check the CLSID default value

      strKey2 = "Software\Classes\CLSID\" & strSubKey
      intErrNum2 = oReg.GetStringValue (HKLM,strKey2,"",strValue2)

      'if the CLSID default value exists, embed it in quotes and say where it came from
      If intErrNum2 = 0 And strValue2 <> "" Then
      strValue = StringFilter(strValue2,True) & " [from CLSID]"
      Else 'use a standard string
      strValue = "(no title provided)"
      End If 'CLSID title exists?

      End If 'BHO title exists?

      'resolve the data via HKLM\Software\Classes\CLSID\{data}\InProcServer32
      strKey3 = "Software\Classes\CLSID\" & strSubKey & "\InProcServer32"
      intErrNum3 = oReg.GetExpandedStringValue (HKLM,strKey3,"",strValue3)

      'if InProcServer32 key exists and default value set
      If intErrNum3 = 0 And strValue3 <> "" Then

      strValue3 = StringFilter(strValue3,True) & CoName(IDExe(strValue3))

      'output the quote-delimited names and values
      oFN.WriteLine strSubKey & "\(Default) = " & strValue

      oFN.WriteLine " -> {CLSID}\InProcServer32\(Default) = " & strValue3

      End If 'InProcServer32 key exists And default value set?

      End If 'strSubKey CSID?

      Next 'BHO subkey

      End If 'BHO subkeys exist?

      'if ShowAll, output the key name if not already done
      If flagShowAll Then TitleLineWrite
      strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

      'recover array memory
      ReDim arSubKeys(0)

      End If 'flagTest?




      'IV. Examine HKLM... Shell Extensions\Approved\

      If Not flagTest Then 'skip if testing

      'CLSID value, InProcessServer32 DLL name & output file version
      Dim strCLSID, strIPSDLL, strIPSDLLOut, strCLSIDTitle

      'Shell Extension Approved array
      Dim arSEA()
      ReDim arSEA(243,1)
      'WXP
      arSEA(0,0) = "{00022613-0000-0000-C000-000000000046}" : arSEA(0,1) = "mmsys.cpl"
      arSEA(1,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(1,1) = "icmui.dll"
      arSEA(2,0) = "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" : arSEA(2,1) = "rshx32.dll"
      arSEA(3,0) = "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" : arSEA(3,1) = "docprop.dll"
      arSEA(4,0) = "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" : arSEA(4,1) = "ntshrui.dll"
      arSEA(5,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(5,1) = "themeui.dll"
      arSEA(6,0) = "{42071712-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(6,1) = "deskadp.dll"
      arSEA(7,0) = "{42071713-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(7,1) = "deskmon.dll"
      arSEA(8,0) = "{42071714-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(8,1) = "deskpan.dll"
      arSEA(9,0) = "{4E40F770-369C-11d0-8922-00A024AB2DBB}" : arSEA(9,1) = "dssec.dll"
      arSEA(10,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(10,1) = "SlayerXP.dll"
      arSEA(11,0) = "{56117100-C0CD-101B-81E2-00AA004AE837}" : arSEA(11,1) = "shscrap.dll"
      arSEA(12,0) = "{59099400-57FF-11CE-BD94-0020AF85B590}" : arSEA(12,1) = "diskcopy.dll"
      arSEA(13,0) = "{59be4990-f85c-11ce-aff7-00aa003ca9f6}" : arSEA(13,1) = "ntlanui2.dll"
      arSEA(14,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(14,1) = "icmui.dll"
      arSEA(15,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(15,1) = "icmui.dll"
      arSEA(16,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(16,1) = ""
      arSEA(17,0) = "{77597368-7b15-11d0-a0c2-080036af3f03}" : arSEA(17,1) = "printui.dll"
      arSEA(18,0) = "{7988B573-EC89-11cf-9C00-00AA00A14F56}" : arSEA(18,1) = "dskquoui.dll"
      arSEA(19,0) = "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" : arSEA(19,1) = ""
      arSEA(20,0) = "{85BBD920-42A0-1069-A2E4-08002B30309D}" : arSEA(20,1) = "syncui.dll"
      arSEA(21,0) = "{88895560-9AA2-1069-930E-00AA0030EBC8}" : arSEA(21,1) = "hticons.dll"
      arSEA(22,0) = "{BD84B380-8CA2-1069-AB1D-08000948F534}" : arSEA(22,1) = "fontext.dll"
      arSEA(23,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(23,1) = "icmui.dll"
      arSEA(24,0) = "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" : arSEA(24,1) = "rshx32.dll"
      arSEA(25,0) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" : arSEA(25,1) = "ntshrui.dll"
      arSEA(26,0) = "{f92e8c40-3d33-11d2-b1aa-080036a75b03}" : arSEA(26,1) = "deskperf.dll"
      arSEA(27,0) = "{7444C717-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(27,1) = "cryptext.dll"
      arSEA(28,0) = "{7444C719-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(28,1) = "cryptext.dll"
      arSEA(29,0) = "{7007ACC7-3202-11D1-AAD2-00805FC1270E}" : arSEA(29,1) = "NETSHELL.dll"
      arSEA(30,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(30,1) = "NETSHELL.dll"
      arSEA(31,0) = "{E211B736-43FD-11D1-9EFB-0000F8757FCD}" : arSEA(31,1) = "wiashext.dll"
      arSEA(32,0) = "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" : arSEA(32,1) = "wiashext.dll"
      arSEA(33,0) = "{905667aa-acd6-11d2-8080-00805f6596d2}" : arSEA(33,1) = "wiashext.dll"
      arSEA(34,0) = "{3F953603-1008-4f6e-A73A-04AAC7A992F1}" : arSEA(34,1) = "wiashext.dll"
      arSEA(35,0) = "{83bbcbf3-b28a-4919-a5aa-73027445d672}" : arSEA(35,1) = "wiashext.dll"
      arSEA(36,0) = "{F0152790-D56E-4445-850E-4F3117DB740C}" : arSEA(36,1) = "remotepg.dll"
      arSEA(37,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(37,1) = "wuaucpl.cpl"
      arSEA(38,0) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}" : arSEA(38,1) = "wshext.dll"
      arSEA(39,0) = "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" : arSEA(39,1) = "oledb32.dll"
      arSEA(40,0) = "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" : arSEA(40,1) = "mstask.dll"
      arSEA(41,0) = "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" : arSEA(41,1) = "mstask.dll"
      arSEA(42,0) = "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" : arSEA(42,1) = "mstask.dll"
      arSEA(43,0) = "{0DF44EAA-FF21-4412-828E-260A8728E7F1}" : arSEA(43,1) = ""
      arSEA(44,0) = "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(44,1) = "shdocvw.dll"
      arSEA(45,0) = "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(45,1) = "shdocvw.dll"
      arSEA(46,0) = "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(46,1) = "shdocvw.dll"
      arSEA(47,0) = "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(47,1) = "shdocvw.dll"
      arSEA(48,0) = "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(48,1) = "shdocvw.dll"
      arSEA(49,0) = "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(49,1) = "shdocvw.dll"
      arSEA(50,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524152}" : arSEA(50,1) = "shdocvw.dll"
      arSEA(51,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524153}" : arSEA(51,1) = "shdocvw.dll"
      arSEA(52,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(52,1) = "shmedia.dll"
      arSEA(53,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(53,1) = "shmedia.dll"
      arSEA(54,0) = "{E4B29F9D-D390-480b-92FD-7DDB47101D71}" : arSEA(54,1) = "shmedia.dll"
      arSEA(55,0) = "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" : arSEA(55,1) = "shmedia.dll"
      arSEA(56,0) = "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" : arSEA(56,1) = "shmedia.dll"
      arSEA(57,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(57,1) = "shmedia.dll"
      arSEA(58,0) = "{5E6AB780-7743-11CF-A12B-00AA004AE837}" : arSEA(58,1) = "browseui.dll"
      arSEA(59,0) = "{22BF0C20-6DA7-11D0-B373-00A0C9034938}" : arSEA(59,1) = "browseui.dll"
      arSEA(60,0) = "{91EA3F8B-C99B-11d0-9815-00C04FD91972}" : arSEA(60,1) = "browseui.dll"
      arSEA(61,0) = "{6413BA2C-B461-11d1-A18A-080036B11A03}" : arSEA(61,1) = "browseui.dll"
      arSEA(62,0) = "{F61FFEC1-754F-11d0-80CA-00AA005B4383}" : arSEA(62,1) = "browseui.dll"
      arSEA(63,0) = "{7BA4C742-9E81-11CF-99D3-00AA004AE837}" : arSEA(63,1) = "browseui.dll"
      arSEA(64,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(64,1) = "browseui.dll"
      arSEA(65,0) = "{32683183-48a0-441b-a342-7c2a440a9478}" : arSEA(65,1) = "browseui.dll"
      arSEA(66,0) = "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" : arSEA(66,1) = "browseui.dll"
      arSEA(67,0) = "{07798131-AF23-11d1-9111-00A0C98BA67D}" : arSEA(67,1) = "browseui.dll"
      arSEA(68,0) = "{AF4F6510-F982-11d0-8595-00AA004CD6D8}" : arSEA(68,1) = "browseui.dll"
      arSEA(69,0) = "{01E04581-4EEE-11d0-BFE9-00AA005B4383}" : arSEA(69,1) = "browseui.dll"
      arSEA(70,0) = "{A08C11D2-A228-11d0-825B-00AA005B4383}" : arSEA(70,1) = "browseui.dll"
      arSEA(71,0) = "{00BB2763-6A77-11D0-A535-00C04FD7D062}" : arSEA(71,1) = "browseui.dll"
      arSEA(72,0) = "{7376D660-C583-11d0-A3A5-00C04FD706EC}" : arSEA(72,1) = "browseui.dll"
      arSEA(73,0) = "{6756A641-DE71-11d0-831B-00AA005B4383}" : arSEA(73,1) = "browseui.dll"
      arSEA(74,0) = "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" : arSEA(74,1) = "browseui.dll"
      arSEA(75,0) = "{7e653215-fa25-46bd-a339-34a2790f3cb7}" : arSEA(75,1) = "browseui.dll"
      arSEA(76,0) = "{acf35015-526e-4230-9596-becbe19f0ac9}" : arSEA(76,1) = "browseui.dll"
      arSEA(77,0) = "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" : arSEA(77,1) = "browseui.dll"
      arSEA(78,0) = "{00BB2764-6A77-11D0-A535-00C04FD7D062}" : arSEA(78,1) = "browseui.dll"
      arSEA(79,0) = "{03C036F1-A186-11D0-824A-00AA005B4383}" : arSEA(79,1) = "browseui.dll"
      arSEA(80,0) = "{00BB2765-6A77-11D0-A535-00C04FD7D062}" : arSEA(80,1) = "browseui.dll"
      arSEA(81,0) = "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" : arSEA(81,1) = "browseui.dll"
      arSEA(82,0) = "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" : arSEA(82,1) = "browseui.dll"
      arSEA(83,0) = "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" : arSEA(83,1) = "browseui.dll"
      arSEA(84,0) = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" : arSEA(84,1) = "browseui.dll"
      arSEA(85,0) = "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" : arSEA(85,1) = "browseui.dll"
      arSEA(86,0) = "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" : arSEA(86,1) = "browseui.dll"
      arSEA(87,0) = "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" : arSEA(87,1) = "shdocvw.dll"
      arSEA(88,0) = "{0A89A860-D7B1-11CE-8350-444553540000}" : arSEA(88,1) = "shdocvw.dll"
      arSEA(89,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(89,1) = "shdocvw.dll"
      arSEA(90,0) = "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" : arSEA(90,1) = "shdocvw.dll"
      arSEA(91,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(91,1) = "shdocvw.dll"
      arSEA(92,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(92,1) = "shdocvw.dll"
      arSEA(93,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(93,1) = "shdocvw.dll"
      arSEA(94,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(94,1) = "shdocvw.dll"
      arSEA(95,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(95,1) = "shdocvw.dll"
      arSEA(96,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(96,1) = "shdocvw.dll"
      arSEA(97,0) = "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" : arSEA(97,1) = "shdocvw.dll"
      arSEA(98,0) = "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" : arSEA(98,1) = "shdocvw.dll"
      arSEA(99,0) = "{131A6951-7F78-11D0-A979-00C04FD705A2}" : arSEA(99,1) = "shdocvw.dll"
      arSEA(100,0) = "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" : arSEA(100,1) = "shdocvw.dll"
      arSEA(101,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(101,1) = "shdocvw.dll"
      arSEA(102,0) = "{871C5380-42A0-1069-A2EA-08002B30309D}" : arSEA(102,1) = "shdocvw.dll"
      arSEA(103,0) = "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" : arSEA(103,1) = "shdocvw.dll"
      arSEA(104,0) = "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(104,1) = "sendmail.dll"
      arSEA(105,0) = "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(105,1) = "sendmail.dll"
      arSEA(106,0) = "{88C6C381-2E85-11D0-94DE-444553540000}" : arSEA(106,1) = "occache.dll"
      arSEA(107,0) = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" : arSEA(107,1) = "webcheck.dll"
      arSEA(108,0) = "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" : arSEA(108,1) = "webcheck.dll"
      arSEA(109,0) = "{F5175861-2688-11d0-9C5E-00AA00A45957}" : arSEA(109,1) = "webcheck.dll"
      arSEA(110,0) = "{08165EA0-E946-11CF-9C87-00AA005127ED}" : arSEA(110,1) = "webcheck.dll"
      arSEA(111,0) = "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" : arSEA(111,1) = "webcheck.dll"
      arSEA(112,0) = "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" : arSEA(112,1) = "webcheck.dll"
      arSEA(113,0) = "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" : arSEA(113,1) = "webcheck.dll"
      arSEA(114,0) = "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" : arSEA(114,1) = "webcheck.dll"
      arSEA(115,0) = "{D8BD2030-6FC9-11D0-864F-00AA006809D9}" : arSEA(115,1) = "webcheck.dll"
      arSEA(116,0) = "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" : arSEA(116,1) = "webcheck.dll"
      arSEA(117,0) = "{352EC2B7-8B9A-11D1-B8AE-006008059382}" : arSEA(117,1) = "appwiz.cpl"
      arSEA(118,0) = "{0B124F8F-91F0-11D1-B8B5-006008059382}" : arSEA(118,1) = "appwiz.cpl"
      arSEA(119,0) = "{CFCCC7A0-A282-11D1-9082-006008059382}" : arSEA(119,1) = "appwiz.cpl"
      arSEA(120,0) = "{e84fda7c-1d6a-45f6-b725-cb260c236066}" : arSEA(120,1) = "shimgvw.dll"
      arSEA(121,0) = "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" : arSEA(121,1) = "shimgvw.dll"
      arSEA(122,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(122,1) = "shimgvw.dll"
      arSEA(123,0) = "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" : arSEA(123,1) = "shimgvw.dll"
      arSEA(124,0) = "{EAB841A0-9550-11cf-8C16-00805F1408F3}" : arSEA(124,1) = "shimgvw.dll"
      arSEA(125,0) = "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" : arSEA(125,1) = "shimgvw.dll"
      arSEA(126,0) = "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" : arSEA(126,1) = "netplwiz.dll"
      arSEA(127,0) = "{add36aa8-751a-4579-a266-d66f5202ccbb}" : arSEA(127,1) = "netplwiz.dll"
      arSEA(128,0) = "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" : arSEA(128,1) = "netplwiz.dll"
      arSEA(129,0) = "{58f1f272-9240-4f51-b6d4-fd63d1618591}" : arSEA(129,1) = "netplwiz.dll"
      arSEA(130,0) = "{7A9D77BD-5403-11d2-8785-2E0420524153}" : arSEA(130,1) = ""
      arSEA(131,0) = "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" : arSEA(131,1) = "zipfldr.dll"
      arSEA(132,0) = "{BD472F60-27FA-11cf-B8B4-444553540000}" : arSEA(132,1) = "zipfldr.dll"
      arSEA(133,0) = "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" : arSEA(133,1) = "zipfldr.dll"
      arSEA(134,0) = "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" : arSEA(134,1) = "cdfview.dll"
      arSEA(135,0) = "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" : arSEA(135,1) = "cdfview.dll"
      arSEA(136,0) = "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" : arSEA(136,1) = "cdfview.dll"
      arSEA(137,0) = "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" : arSEA(137,1) = "cdfview.dll"
      arSEA(138,0) = "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" : arSEA(138,1) = "cdfview.dll"
      arSEA(139,0) = "{63da6ec0-2e98-11cf-8d82-444553540000}" : arSEA(139,1) = "msieftp.dll"
      arSEA(140,0) = "{883373C3-BF89-11D1-BE35-080036B11A03}" : arSEA(140,1) = "docprop2.dll"
      arSEA(141,0) = "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" : arSEA(141,1) = "docprop2.dll"
      arSEA(142,0) = "{8EE97210-FD1F-4B19-91DA-67914005F020}" : arSEA(142,1) = "docprop2.dll"
      arSEA(143,0) = "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" : arSEA(143,1) = "docprop2.dll"
      arSEA(144,0) = "{6A205B57-2567-4A2C-B881-F787FAB579A3}" : arSEA(144,1) = "docprop2.dll"
      arSEA(145,0) = "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" : arSEA(145,1) = "docprop2.dll"
      arSEA(146,0) = "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" : arSEA(146,1) = "dsquery.dll"
      arSEA(147,0) = "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" : arSEA(147,1) = "dsquery.dll"
      arSEA(148,0) = "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" : arSEA(148,1) = "dsquery.dll"
      arSEA(149,0) = "{F020E586-5264-11d1-A532-0000F8757D7E}" : arSEA(149,1) = "dsquery.dll"
      arSEA(150,0) = "{0D45D530-764B-11d0-A1CA-00AA00C16E65}" : arSEA(150,1) = "dsuiext.dll"
      arSEA(151,0) = "{62AE1F9A-126A-11D0-A14B-0800361B1103}" : arSEA(151,1) = "dsuiext.dll"
      arSEA(152,0) = "{ECF03A33-103D-11d2-854D-006008059367}" : arSEA(152,1) = "mydocs.dll"
      arSEA(153,0) = "{ECF03A32-103D-11d2-854D-006008059367}" : arSEA(153,1) = "mydocs.dll"
      arSEA(154,0) = "{4a7ded0a-ad25-11d0-98a8-0800361b1103}" : arSEA(154,1) = "mydocs.dll"
      arSEA(155,0) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}" : arSEA(155,1) = "cscui.dll"
      arSEA(156,0) = "{10CFC467-4392-11d2-8DB4-00C04FA31A66}" : arSEA(156,1) = "cscui.dll"
      arSEA(157,0) = "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" : arSEA(157,1) = "cscui.dll"
      arSEA(158,0) = "{143A62C8-C33B-11D1-84FE-00C04FA34A14}" : arSEA(158,1) = "agentpsh.dll"
      arSEA(159,0) = "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" : arSEA(159,1) = "dfsshlex.dll"
      arSEA(160,0) = "{60fd46de-f830-4894-a628-6fa81bc0190d}" : arSEA(160,1) = "photowiz.dll"
      arSEA(161,0) = "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" : arSEA(161,1) = "mmcshext.dll"
      arSEA(162,0) = "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" : arSEA(162,1) = "cabview.dll"
      arSEA(163,0) = "{32714800-2E5F-11d0-8B85-00AA0044F941}" : arSEA(163,1) = "wabfind.dll"
      arSEA(164,0) = "{8DD448E6-C188-4aed-AF92-44956194EB1F}" : arSEA(164,1) = "wmpshell.dll"
      arSEA(165,0) = "{CE3FB1D1
      0
  17. Utilisateur anonyme
     
    salut
    sur la bande bleu oui normal
    vire les telechargement en cours

    puisTelecharge ceci
    http://www.silentrunners.org/Silent%20Runners.vbs
    Execute le,atends quelques minutes, il va creer ensuite un dossier juste a coté de silent runner sous format texte, copie/colle ce qu il te donnera

    a+ (c est un lon rapport qui ressemble a ca:
    Voilà le log obtenu avec Silent Runners:

    "Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
    "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "STDSB" = "C:\WINDOWS\System32\STDSB.exe" [null data]
    "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
    "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "VCSPlayer" = ""C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"" ["H+H Software GmbH"]
    "TkBellExe" = ""C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
    "NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
    "System service72" = "C:\WINDOWS\etb\pokapoka72.exe" [** WMI GetObject error **]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extension icône HyperTerminal"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    INFECTION WARNING! "Userinit" = "userinit.exe,xpjava.exe" [MS], [null data]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Amélie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Recherche"

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Messenger"
    "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    (unwritable string)

    Missing lines (compared with English-language version):
    [Version]: 2 lines
    [RestoreHomePage]: 1 line
    [RestoreHomePage.reg]: 1 line
    [RestoreBrowserSettings.reg]: 12 lines
    [DeleteTemplates.reg]: 5 lines
    [DeleteAutosearch.reg]: 1 line
    [Strings]: 1 line
    [RestoreBrowserSettings]: 2 lines
    [Strings]: 3 lines

    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    Machine Debug Manager, MDM, ""C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    SmartLinkService, SLService, "slserv.exe" [" "]
    Virtual CD v4 Security service (SDK - Version), VCSSecS, "C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe" ["H+H Software GmbH"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 84 seconds, including 18 seconds for message boxes)

    bises

    a+, douce nuit le forum (enfin presque tout le forum)
    0
    1. hear Messages postés 24 Statut Membre
       
      bonjour Régis
      merci pour ton aide (sincèrement) je reforme le pc ce week au moins cette plaie disparatra de ma vue
      sympa ta patience.
      bonne journée a +++
      Claudie
      0
  18. Utilisateur anonyme
     
    Dommage de formater...

    si t en profite pour formater, n oublie pas des ta 1ere connection d avoir spybot+adaware+antivirus et pare feu actif

    tout ca mis a jour

    bise

    a+
    0
    1. hear Messages postés 24 Statut Membre
       
      bonsoir régis
      oui, c'est dommage mais je rame bcp malgré tes explications simplifiées.
      tu as eu "le rapport"? c'était le bon?
      je te remercie à nouveau.
      bonne soirée.

      Bise à ++
      0
  19. Utilisateur anonyme
     
    Oui mais quel interet que je te regle le soucis si tu formates dans 2 jours? lol
    0
    1. hear Messages postés 24 Statut Membre
       
      je n'aurais pas besoin de reformater lol ;-)
      0