Virus backdoor.pigeon.1604

doc web merci regis59

non doc web me dis virus backdoor.pigeon.1604 merci regis59

bonjour regis59 voici le rapporthttphttp://pchelpbordeaux.free.fr/http://pchelpbordeaux.free.fr/Logfile of HijackThis v1.99.1
Scan saved at 13:17:36, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Compaq_Propriétaire\Mes documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P33 "EPSON Stylus C42 Series (Copie 1)" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: AOL 9.0 Icône AOL.lnk = C:\Program Files\AOL 9.0c\aoltray.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fr-fr\bin\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Stop Pub - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\JCA2000\StopPub\StopPub.exe
O9 - Extra 'Tools' menuitem: Stop Pub - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\JCA2000\StopPub\StopPub.exe
O9 - Extra button: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab55668.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

salut regis59 ca marche pas regard j ca Internet Explorer 4+ is required for the Online Scanner to.Click here to download the latest version of Internet Explorer.Click Here for a Special Limited Time Offer

salut regis 59 bien ou bien voici le rapport KASPERSKY ON-LINE SCANNER REPORT
Friday, April 13, 2007 4:36:24 PM
Système d'exploitation : Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version : 5.0.83.0
Dernière mise à jour de la base antivirus Kaspersky : 13/04/2007
Enregistrements dans la base antivirus Kaspersky : 279861
Paramètres d'analyse
Analyser avec la base antivirus suivante standard
Analyser les archives vrai
Analyser les bases de messagerie vrai
Cible de l'analyse Poste de travail
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Statistiques de l'analyse
Total d'objets analysés 86446
Nombre de virus trouvés 3
Nombre d'objets infectés 17 / 0
Nombre d'objets suspects 0
Durée de l'analyse 01:53:22

Nom de l'objet infecté Nom du virus Dernière action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_86b902b1-6c17-4372-b5c4-dfaf34b6cee8 L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c46349746b7f06570226ff902d316db_86b902b1-6c17-4372-b5c4-dfaf34b6cee8 L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fdbffbf9ccc3d97bf49d42391fa706a8_86b902b1-6c17-4372-b5c4-dfaf34b6cee8 L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\pop does film hole\BatBows.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\Documents and Settings\All Users\Application Data\pop does film hole\InfoIso.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\Documents and Settings\All Users\Application Data\pop does film hole\Loud Bind.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\Documents and Settings\Compaq_Propriétaire\Application Data\TypeTeamBits\hylxuufx.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\Documents and Settings\Compaq_Propriétaire\Application Data\TypeTeamBits\vlrlziwh.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\Documents and Settings\Compaq_Propriétaire\Application Data\TypeTeamBits\yiwqlopc.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\Documents and Settings\Compaq_Propriétaire\Cookies\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Incomplete\T-217706-110 Percent Natural 12 (c) Red-Light DVDRiP XViD .zip/Video.exe Infecté : Virus.Win32.Fontra.c ignoré
C:\Documents and Settings\Compaq_Propriétaire\Incomplete\T-217706-110 Percent Natural 12 (c) Red-Light DVDRiP XViD .zip ZIP: infecté - 1 ignoré
C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Historique\History.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Historique\History.IE5\MSHist012007041320070414\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Mes documents\Mes fichiers reçus\lcapi0.log L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Mes documents\Mes fichiers reçus\MsnMsgr.txt L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\Mes documents\Mes fichiers reçus\Transport0.log L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\ntuser.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Compaq_Propriétaire\ntuser.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Temp\Fichiers Internet temporaires\Content.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\NTUSER.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\ntuser.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\NTUSER.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\ntuser.dat.LOG L'objet est verrouillé ignoré
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat L'objet est verrouillé ignoré
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db L'objet est verrouillé ignoré
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws L'objet est verrouillé ignoré
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log L'objet est verrouillé ignoré
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log L'objet est verrouillé ignoré
C:\Program Files\Alwil Software\Avast4\DATA\report\Protection résidente.txt L'objet est verrouillé ignoré
C:\System Volume Information\MountPointManagerRemoteDatabase L'objet est verrouillé ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP10\A0002165.exe L'objet est verrouillé ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP10\A0002166.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP10\A0002167.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP10\A0002168.exe Infecté : Trojan.Win32.Obfuscated.en ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP10\A0002169.exe L'objet est verrouillé ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP11\A0002340.exe L'objet est verrouillé ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP11\A0002342.exe L'objet est verrouillé ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP16\A0002582.exe/data0012 Infecté : Trojan.Win32.Inject.ba ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP16\A0002582.exe Inno: infecté - 1 ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP47\A0009816.exe/data0012 Infecté : Trojan.Win32.Inject.ba ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP47\A0009816.exe Inno: infecté - 1 ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP5\A0001637.exe/data0012 Infecté : Trojan.Win32.Inject.ba ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP5\A0001637.exe Inno: infecté - 1 ignoré
C:\System Volume Information\_restore{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP71\change.log L'objet est verrouillé ignoré
C:\WINDOWS\Debug\PASSWD.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SchedLgU.Txt L'objet est verrouillé ignoré
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log L'objet est verrouillé ignoré
C:\WINDOWS\Sti_Trace.log L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\Antivirus.Evt L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\AppEvent.Evt L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\default L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\default.LOG L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\Internet.evt L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SAM L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SAM.LOG L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SecEvent.Evt L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SECURITY L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SECURITY.LOG L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\software L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\software.LOG L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\SysEvent.Evt L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\system L'objet est verrouillé ignoré
C:\WINDOWS\system32\config\system.LOG L'objet est verrouillé ignoré
C:\WINDOWS\system32\h323log.txt L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA L'objet est verrouillé ignoré
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP L'objet est verrouillé ignoré
C:\WINDOWS\Temp\Perflib_Perfdata_e8.dat L'objet est verrouillé ignoré
C:\WINDOWS\Temp\_avast4_\Webshlock.txt L'objet est verrouillé ignoré
C:\WINDOWS\wiadebug.log L'objet est verrouillé ignoré
C:\WINDOWS\wiaservc.log L'objet est verrouillé ignoré
C:\WINDOWS\WindowsUpdate.log L'objet est verrouillé ignoré
Analyse terminée.

salut regis59 voici le rapport Rapport lopxpMH2 version 2.0 fait à 16:36:24,21 le 14/04/2007
C:\Documents and Settings\Compaq_Propriétaire\Bureau

******************************************
## Répertoires Application Data

Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Administrateur\Application Data

10/04/2007 12:42 <REP> .
10/04/2007 12:42 <REP> ..
10/04/2007 12:42 <REP> Apple Computer
10/04/2007 13:44 <REP> AVG7
10/04/2007 12:42 <REP> Identities
10/04/2007 12:42 <REP> Microsoft
10/04/2007 13:38 <REP> Mozilla
10/04/2007 12:42 <REP> SampleView
10/04/2007 12:42 <REP> Symantec
10/04/2007 13:40 <REP> Talkback
10/04/2007 12:42 62 desktop.ini
1 fichier(s) 62 octets
10 Rép(s) 35 346 026 496 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Administrateur\Local Settings\Application Data

10/04/2007 12:42 <REP> .
10/04/2007 12:42 <REP> ..
10/04/2007 12:42 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
10/04/2007 12:42 <REP> Apple Computer
10/04/2007 12:42 <REP> ApplicationHistory
10/04/2007 12:42 <REP> Microsoft
10/04/2007 13:38 <REP> Mozilla
10/04/2007 12:42 135 fusioncache.dat
10/04/2007 12:42 6 291 456 IconCache.db
2 fichier(s) 6 291 591 octets
7 Rép(s) 35 346 026 496 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\All Users\Application Data

25/11/2004 05:25 <REP> .
25/11/2004 05:25 <REP> ..
29/11/2006 17:35 <REP> Adobe
14/12/2005 15:55 <REP> AOL
03/01/2005 07:30 <REP> Apple Computer
19/12/2005 18:02 <REP> ArcSoft
30/11/2006 22:01 <REP> avg7
07/06/2006 17:23 <REP> BOONTY
27/01/2006 19:22 <REP> Chic Open Dart 01
12/03/2006 18:43 <REP> city more ball link
08/01/2007 19:36 <REP> CyberLink
05/09/2006 19:07 <REP> Google
28/12/2006 18:00 <REP> Grisoft
03/01/2005 07:25 <REP> InstallShield
24/09/2006 06:32 <REP> Macrovision
03/12/2006 19:19 <REP> Messenger Plus!
25/11/2004 05:25 <REP> Microsoft
28/01/2006 10:37 <REP> MSN Search Toolbar
18/02/2007 12:23 <REP> pixelStorm
27/11/2006 20:03 <REP> pop does film hole
03/01/2005 07:31 <REP> QuickTime
04/01/2007 21:52 <REP> Real
03/01/2005 07:09 <REP> SBSI
02/03/2006 15:16 <REP> Skype
20/07/2006 15:31 <REP> Spybot - Search & Destroy
03/01/2005 07:43 <REP> Symantec
14/02/2007 21:35 <REP> TEMP
26/10/2006 19:02 <REP> TuneUp Software
14/12/2005 15:57 <REP> Viewpoint
24/01/2006 09:33 <REP> Windows Genuine Advantage
04/12/2006 18:07 <REP> Zylom
25/10/2006 21:08 3 120 118300.34
24/11/2004 00:13 62 desktop.ini
2 fichier(s) 3 182 octets
31 Rép(s) 35 346 026 496 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Compaq_Propriétaire\Application Data

27/11/2006 19:34 <REP> .
27/11/2006 19:34 <REP> ..
12/12/2005 16:25 <REP> Adobe
12/12/2005 16:26 <REP> AdobeUM
25/08/2006 14:56 <REP> Ahead
14/12/2005 16:00 <REP> AOL
27/11/2006 19:34 <REP> Apple Computer
19/12/2005 17:55 <REP> ArcSoft
30/11/2006 22:01 <REP> AVG7
09/12/2006 22:40 <REP> Azureus
27/02/2007 21:12 <REP> BitDownload
11/12/2006 21:48 <REP> BitTorrent
08/01/2007 19:38 <REP> CyberLink
23/10/2006 18:37 <REP> DivX
24/02/2007 15:05 <REP> fltk.org
07/03/2006 14:26 <REP> funkitron
02/02/2006 17:59 <REP> Google
14/12/2005 18:54 <REP> Help
12/12/2005 16:06 <REP> HPQ
27/11/2006 19:34 <REP> Identities
19/12/2005 17:34 <REP> InterTrust
04/01/2006 18:29 <REP> InterVideo
15/02/2006 14:56 <REP> Lavasoft
08/01/2006 13:28 <REP> Leadertech
10/02/2006 23:46 <REP> Macromedia
05/01/2007 17:28 <REP> Media Player Classic
27/11/2006 19:34 <REP> Microsoft
28/09/2006 20:12 <REP> Mozilla
28/01/2006 10:51 <REP> MSN Search Toolbar
21/01/2006 16:49 <REP> MSNInstaller
26/09/2006 16:46 <REP> PlayFirst
03/03/2006 19:33 <REP> Real
27/11/2006 19:34 <REP> SampleView
21/03/2007 11:14 <REP> Screenshot Sender
22/03/2006 13:56 <REP> Shareaza
02/03/2006 15:16 <REP> Skype
08/01/2006 13:28 <REP> Sonic
15/12/2005 19:59 <REP> Sun
27/11/2006 19:34 <REP> Symantec
26/11/2006 12:27 <REP> Talkback
07/02/2007 15:27 <REP> Template
26/10/2006 19:04 <REP> TuneUp Software
27/01/2006 19:21 <REP> TypeTeamBits
15/02/2007 20:41 <REP> UseNeXT
07/11/2006 21:02 <REP> VadeRetro
31/01/2006 16:50 <REP> vlc
28/06/2006 21:39 <REP> Yahoo!
14/12/2005 15:57 <REP> You've Got Pictures Screensaver
27/11/2006 19:34 62 desktop.ini
28/11/2006 14:10 0 wklnhst.dat
2 fichier(s) 62 octets
48 Rép(s) 35 346 022 400 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data

27/11/2006 19:34 <REP> .
27/11/2006 19:34 <REP> ..
27/11/2006 19:34 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
07/12/2006 13:42 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150010}
12/12/2005 16:25 <REP> Adobe
25/08/2006 14:57 <REP> Ahead
27/11/2006 19:34 <REP> Apple Computer
27/11/2006 19:34 <REP> ApplicationHistory
01/09/2006 20:59 <REP> Google
14/12/2005 18:54 <REP> Help
13/12/2005 12:08 <REP> Identities
07/09/2006 08:36 <REP> IM
27/11/2006 19:34 <REP> Microsoft
19/03/2006 18:24 <REP> MicroVision Applications
28/09/2006 20:16 <REP> Mozilla
28/11/2006 21:36 <REP> PCHealth
19/02/2006 16:27 <REP> RcIncidents
20/02/2006 19:07 <REP> Shareaza
17/12/2005 19:31 <REP> WMTools Downloaded Files
19/12/2005 12:42 51 200 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
27/11/2006 19:34 142 fusioncache.dat
14/12/2005 21:14 35 728 GDIPFONTCACHEV1.DAT
19/03/2007 15:10 4 275 012 IconCache.db
4 fichier(s) 4 362 082 octets
19 Rép(s) 35 346 022 400 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Default User\Application Data

25/11/2004 05:25 <REP> .
25/11/2004 05:25 <REP> ..
12/12/2005 15:25 <REP> Apple Computer
25/11/2004 05:25 <REP> Identities
25/11/2004 05:25 <REP> Microsoft
12/12/2005 15:25 <REP> SampleView
12/12/2005 15:25 <REP> Symantec
24/11/2004 00:13 62 desktop.ini
1 fichier(s) 62 octets
7 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Default User\Local Settings\Application Data

25/11/2004 05:25 <REP> .
25/11/2004 05:25 <REP> ..
12/12/2005 15:25 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
12/12/2005 15:25 <REP> Apple Computer
12/12/2005 15:25 <REP> ApplicationHistory
25/11/2004 05:25 <REP> Microsoft
12/12/2005 15:25 135 fusioncache.dat
12/12/2005 15:25 6 291 456 IconCache.db
2 fichier(s) 6 291 591 octets
6 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\LocalService\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
30/11/2006 22:08 <REP> AVG7
03/01/2005 07:01 <REP> Microsoft
30/03/2007 13:15 <REP> Mozilla
0 fichier(s) 0 octets
5 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\LocalService\Local Settings\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
03/01/2005 07:01 <REP> Microsoft
30/03/2007 13:15 <REP> Mozilla
0 fichier(s) 0 octets
4 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\NetworkService\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
21/02/2007 13:06 <REP> AVG7
03/01/2005 07:01 <REP> Microsoft
08/02/2006 10:35 <REP> Symantec
0 fichier(s) 0 octets
5 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\NetworkService\Local Settings\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
03/01/2005 07:01 <REP> Microsoft
0 fichier(s) 0 octets
3 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\WINDOWS\system32\config\systemprofile\Application Data

25/11/2004 05:58 <REP> .
25/11/2004 05:58 <REP> ..
27/11/2006 19:32 <REP> Apple Computer
25/11/2004 05:58 <REP> Identities
25/11/2004 05:58 <REP> Microsoft
27/11/2006 19:32 <REP> SampleView
27/11/2006 19:32 <REP> Symantec
24/11/2004 00:13 62 desktop.ini
1 fichier(s) 62 octets
7 Rép(s) 35 346 018 304 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data

25/11/2004 05:58 <REP> .
25/11/2004 05:58 <REP> ..
27/11/2006 19:32 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
27/11/2006 19:32 <REP> Apple Computer
27/11/2006 19:32 <REP> ApplicationHistory
25/11/2004 05:58 <REP> Microsoft
27/11/2006 19:32 135 fusioncache.dat
27/11/2006 19:32 6 291 456 IconCache.db
2 fichier(s) 6 291 591 octets
6 Rép(s) 35 346 018 304 octets libres

******************************************
Recherche des taches planifiées dans C:\WINDOWS\tasks


C:\WINDOWS\Tasks\Connexion
Connexion inexploitable


C:\WINDOWS\Tasks\HPCeeSchedule.job
s   €! ' C : \ P R O G R A ~ 1 \ E A S Y I N ~ 1 \ C e e m e n t \ H P C E E . e x e  H P C e e S c h e d u l e ( n u l l )  C o m p a q _ P r o p r i é t a i r e  
0 ×    À¨ h



C:\WINDOWS\Tasks\Maintenance
Maintenance inexploitable

******************************************
## Répertoires de C:\Program Files

Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Program Files

12/04/2007 11:48 <REP> .
12/04/2007 11:48 <REP> ..
03/01/2005 07:28 <REP> Adobe
01/03/2007 22:04 <REP> Adverts
08/11/2006 13:50 <REP> Agnitum
24/07/2006 14:14 <REP> Alwil Software
18/11/2006 18:10 <REP> Antipub
27/11/2006 23:57 <REP> AOL 9.0
14/12/2005 18:54 <REP> AOL 9.0a
16/12/2005 16:47 <REP> AOL 9.0b
27/11/2006 23:57 <REP> AOL 9.0c
20/01/2006 17:58 <REP> AOL Compagnon
26/01/2006 19:19 <REP> AOL Toolbar
23/01/2006 16:38 <REP> ArcSoft
12/04/2007 13:41 <REP> a-squared Anti-Malware
09/04/2007 20:31 <REP> a-squared Free
03/01/2005 07:18 <REP> ATI Technologies
12/02/2007 18:12 <REP> AxBx
28/01/2007 20:57 <REP> Azureus
27/02/2007 21:12 <REP> BitDownload
15/03/2007 09:37 <REP> BitTorrent
06/11/2006 18:53 <REP> Boonty
06/11/2006 18:58 <REP> BoontyGames
20/02/2007 13:51 <REP> CCleaner
20/01/2006 12:53 <REP> Coktel
23/03/2006 13:55 <REP> Common Files
24/11/2004 03:37 <REP> ComPlus Applications
08/01/2007 19:35 <REP> CyberLink
09/05/2006 19:00 <REP> DAP
24/11/2006 23:16 <REP> Defenza
19/01/2006 19:14 <REP> directx
23/03/2007 19:25 <REP> DivX
31/03/2007 20:24 <REP> Easy Internet signup
19/01/2006 19:12 <REP> Eidos Interactive
21/03/2007 15:01 <REP> Elaborate Bytes
30/03/2007 21:15 <REP> eMule
14/01/2007 20:43 <REP> EPSON
22/12/2006 13:46 <REP> FBM Software
04/04/2007 18:21 <REP> Fichiers communs
12/02/2007 18:11 <REP> FileZilla
27/11/2006 18:47 <REP> Free.fr
12/02/2007 22:03 <REP> FreeGo
13/12/2005 11:54 <REP> FUJIFILM
05/12/2006 19:03 <REP> Google
28/10/2006 11:07 <REP> Goto Software
19/02/2007 13:29 <REP> Grisoft
03/01/2005 07:27 <REP> Hewlett-Packard
07/04/2007 23:16 <REP> Hp
06/03/2007 15:16 <REP> Incomplete
07/09/2006 12:35 <REP> IncrediMail
06/11/2006 20:19 <REP> InterActual
12/04/2007 11:57 <REP> Internet Explorer
04/03/2007 11:50 <REP> InternetGameBox
03/01/2005 07:27 <REP> InterVideo
03/01/2005 07:30 <REP> iPod
03/01/2005 07:30 <REP> iTunes
08/04/2007 20:08 <REP> Java
12/12/2006 16:47 <REP> JCA2000
20/02/2007 14:29 <REP> Lavasoft
14/12/2005 15:57 <REP> Learn2.com
31/03/2007 21:26 <REP> Live Billiards
04/04/2007 18:20 <REP> Logitech
01/12/2006 19:10 <REP> MailSkinner
04/01/2007 21:52 <REP> Media Player Classic
24/09/2006 06:47 <REP> Mes Jeux Téléchargés
03/01/2005 07:15 <REP> Messenger
21/03/2007 11:05 <REP> Messenger Plus! Live
25/11/2004 05:27 <REP> microsoft frontpage
03/01/2005 07:30 <REP> Microsoft Office
03/01/2005 07:30 <REP> Microsoft Works
20/06/2006 09:41 <REP> Mindscape
25/11/2004 05:27 <REP> Movie Maker
14/04/2007 12:35 <REP> Mozilla Firefox
15/01/2007 21:23 <REP> MSN
23/07/2006 15:12 <REP> MSN Apps
25/11/2004 05:27 <REP> MSN Gaming Zone
18/03/2007 19:51 <REP> MSN Messenger
28/01/2006 10:46 <REP> MSN Toolbar Suite
15/11/2006 13:54 <REP> MSXML 4.0
05/03/2007 15:28 <REP> Multi_Media_France
25/08/2006 14:53 <REP> Nero
28/11/2006 03:17 <REP> NetMeeting
16/07/2006 08:17 <REP> Oberon Media
05/04/2007 12:03 <REP> Online Services
27/10/2006 10:13 <REP> OutClock
13/12/2006 20:17 <REP> Outlook Express
07/04/2007 18:13 <REP> Philips ToUcam Camera
03/12/2006 18:21 <REP> Piolet
03/01/2005 07:31 <REP> QuickTime
07/04/2006 19:01 <REP> Race Cars The Extreme Rally
29/09/2006 23:20 <REP> Real
04/01/2007 21:53 <REP> Real Alternative
27/02/2007 13:45 <REP> ReflexiveArcade
06/10/2006 21:34 <REP> Registry Mechanic
29/09/2006 23:14 774 144 RngInterstitial.dll
06/04/2007 17:13 <REP> Samsung
03/01/2005 07:41 <REP> Services en ligne
22/05/2006 17:14 <REP> Shareaza
03/01/2005 07:26 <REP> Sonic
19/01/2007 18:28 <REP> Spybot - Search & Destroy
27/11/2006 23:03 <REP> Symantec
06/02/2006 10:02 <REP> SymNetDrv
14/12/2005 16:00 <REP> TechCity Solutions
03/09/2006 20:14 <REP> THQ
10/12/2006 11:37 <REP> TrackMania Nations ESWC
17/12/2006 20:21 <REP> TribalWeb.net
27/02/2007 21:12 <REP> TypeTeamBits
24/11/2004 03:37 <REP> Uninstall Information
23/03/2007 19:13 <REP> VDCodecPack3.7
12/12/2006 16:42 <REP> VideoLAN
23/01/2006 16:31 <REP> VideoLink Pro
14/12/2005 15:57 <REP> Viewpoint
07/04/2007 23:04 <REP> Winamp
29/11/2006 22:47 <REP> Windows Live Safety Center
28/11/2006 14:31 <REP> Windows Media Connect 2
02/03/2007 22:37 <REP> Windows Media Player
28/11/2006 03:17 <REP> Windows NT
12/02/2007 22:03 <REP> WinPcap
24/02/2007 16:12 <REP> WinRAR
22/12/2006 17:47 <REP> Wolfenstein - Enemy Territory
25/11/2004 05:28 <REP> xerox
22/02/2007 21:19 <REP> Yahoo!
08/02/2007 21:55 <REP> Zylom Games
1 fichier(s) 774 144 octets
122 Rép(s) 35 345 993 728 octets libres

******************************************
## Popups autorisées

* Internet Explorer

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
mysearchnow.com REG_SZ
www.mysearchnow.com REG_SZ
*.zylom.com REG_BINARY 00000000
zonenxt.msn-int.com REG_BINARY
zonenxt.msn-ppe.com REG_BINARY
zone.msn.com REG_BINARY
netbios-wait.com REG_SZ
www.netbios-wait.com REG_SZ
netsearchsoft.com REG_SZ
www.netsearchsoft.com REG_SZ
*.zylomgames.com REG_BINARY 00000000

* Mozilla Firefox (1 autorisé 2 interdit)

---------- C:\DOCUMENTS AND SETTINGS\COMPAQ_PROPRITAIRE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\II9O9CHB.DEFAULT\HOSTPERM.1

******************************************
## Registre

******************************************
## Zones de sécurité

* HKCU Domains (4)

* P3P History (5)

******************************************
## Recherche C:\WINDOWS\*.htm, "C:\WINDOWS\*.gif"

Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\WINDOWS

31/01/2006 18:29 0 .htm
1 fichier(s) 0 octets
0 Rép(s) 35 345 965 056 octets libres

*************** Fin du rapport ****************

salut regis59 voici le rapport
* HijackThis v1.99.1 *
Written by Merijn - merijn@spywareinfo.com
http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/index.html

See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services

Command-line parameters:
* /autolog - Automatically scan the system, save a logfile and open it
* /ihatewhitelists - ignore all internal whitelists
* /uninstall - remove all HijackThis Registry entries, backups and quit

* Version history *

[v1.99.1]
* Added Winlogon Notify keys to O20 listing
* Fixed crashing bug on certain Win2000 and WinXP systems at O23 listing
* Fixed lots and lots of 'unexpected error' bugs
* Fixed lots of inproper functioning bugs (i.e. stuff that didn't work)
* Added 'Delete NT Service' function in Misc Tools section
* Added ProtocolDefaults to O15 listing
* Fixed MD5 hashing not working
* Fixed 'ISTSVC' autorun entries with garbage data not being fixed
* Fixed HijackThis uninstall entry not being updated/created on new versions
* Added Uninstall Manager in Misc Tools to manage 'Add/Remove Software' list
* Added option to scan the system at startup, then show results or quit if nothing found
[v1.99]
* Added O23 (NT Services) in light of newer trojans
* Integrated ADS Spy into Misc Tools section
* Added 'Action taken' to info in 'More info on this item'
[v1.98]
* Definitive support for Japanese/Chinese/Korean systems
* Added O20 (AppInit_DLLs) in light of newer trojans
* Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
* Added O22 (SharedTaskScheduler) in light of newer trojans
* Backups of fixed items are now saved in separate folder
* HijackThis now checks if it was started from a temp folder
* Added a small process manager (Misc Tools section)
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

merci

resalut j toujour les mémé virusapres avoir fait le scan de KASPERSKY ON-LINE SCANNER comment faire pour les supprimé merci regis59 virus win32 fontra.c win32.obfuscated.en win32.inject.ba

salut regis59 est merci Rapport lopxpMH2 version 2.0 fait à 10:30:54,34 le 16/04/2007
C:\Documents and Settings\Compaq_Propriétaire\Bureau

******************************************
## Répertoires Application Data

Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Administrateur\Application Data

10/04/2007 12:42 <REP> .
10/04/2007 12:42 <REP> ..
10/04/2007 12:42 <REP> Apple Computer
10/04/2007 13:44 <REP> AVG7
10/04/2007 12:42 <REP> Identities
10/04/2007 12:42 <REP> Microsoft
10/04/2007 13:38 <REP> Mozilla
10/04/2007 12:42 <REP> SampleView
10/04/2007 12:42 <REP> Symantec
10/04/2007 13:40 <REP> Talkback
10/04/2007 12:42 62 desktop.ini
1 fichier(s) 62 octets
10 Rép(s) 38 976 499 712 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Administrateur\Local Settings\Application Data

10/04/2007 12:42 <REP> .
10/04/2007 12:42 <REP> ..
10/04/2007 12:42 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
10/04/2007 12:42 <REP> Apple Computer
10/04/2007 12:42 <REP> ApplicationHistory
10/04/2007 12:42 <REP> Microsoft
10/04/2007 13:38 <REP> Mozilla
10/04/2007 12:42 135 fusioncache.dat
10/04/2007 12:42 6 291 456 IconCache.db
2 fichier(s) 6 291 591 octets
7 Rép(s) 38 976 499 712 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\All Users\Application Data

25/11/2004 05:25 <REP> .
25/11/2004 05:25 <REP> ..
29/11/2006 17:35 <REP> Adobe
14/12/2005 15:55 <REP> AOL
03/01/2005 07:30 <REP> Apple Computer
19/12/2005 18:02 <REP> ArcSoft
30/11/2006 22:01 <REP> avg7
07/06/2006 17:23 <REP> BOONTY
12/03/2006 18:43 <REP> city more ball link
08/01/2007 19:36 <REP> CyberLink
05/09/2006 19:07 <REP> Google
28/12/2006 18:00 <REP> Grisoft
03/01/2005 07:25 <REP> InstallShield
24/09/2006 06:32 <REP> Macrovision
03/12/2006 19:19 <REP> Messenger Plus!
25/11/2004 05:25 <REP> Microsoft
28/01/2006 10:37 <REP> MSN Search Toolbar
18/02/2007 12:23 <REP> pixelStorm
03/01/2005 07:31 <REP> QuickTime
04/01/2007 21:52 <REP> Real
03/01/2005 07:09 <REP> SBSI
02/03/2006 15:16 <REP> Skype
20/07/2006 15:31 <REP> Spybot - Search & Destroy
03/01/2005 07:43 <REP> Symantec
14/02/2007 21:35 <REP> TEMP
26/10/2006 19:02 <REP> TuneUp Software
14/12/2005 15:57 <REP> Viewpoint
24/01/2006 09:33 <REP> Windows Genuine Advantage
04/12/2006 18:07 <REP> Zylom
25/10/2006 21:08 3 120 118300.34
24/11/2004 00:13 62 desktop.ini
2 fichier(s) 3 182 octets
29 Rép(s) 38 976 499 712 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Compaq_Propriétaire\Application Data

27/11/2006 19:34 <REP> .
27/11/2006 19:34 <REP> ..
12/12/2005 16:25 <REP> Adobe
12/12/2005 16:26 <REP> AdobeUM
25/08/2006 14:56 <REP> Ahead
14/12/2005 16:00 <REP> AOL
27/11/2006 19:34 <REP> Apple Computer
19/12/2005 17:55 <REP> ArcSoft
30/11/2006 22:01 <REP> AVG7
09/12/2006 22:40 <REP> Azureus
11/12/2006 21:48 <REP> BitTorrent
08/01/2007 19:38 <REP> CyberLink
23/10/2006 18:37 <REP> DivX
24/02/2007 15:05 <REP> fltk.org
07/03/2006 14:26 <REP> funkitron
02/02/2006 17:59 <REP> Google
14/12/2005 18:54 <REP> Help
12/12/2005 16:06 <REP> HPQ
27/11/2006 19:34 <REP> Identities
19/12/2005 17:34 <REP> InterTrust
04/01/2006 18:29 <REP> InterVideo
15/02/2006 14:56 <REP> Lavasoft
08/01/2006 13:28 <REP> Leadertech
10/02/2006 23:46 <REP> Macromedia
05/01/2007 17:28 <REP> Media Player Classic
27/11/2006 19:34 <REP> Microsoft
28/09/2006 20:12 <REP> Mozilla
28/01/2006 10:51 <REP> MSN Search Toolbar
21/01/2006 16:49 <REP> MSNInstaller
26/09/2006 16:46 <REP> PlayFirst
03/03/2006 19:33 <REP> Real
27/11/2006 19:34 <REP> SampleView
21/03/2007 11:14 <REP> Screenshot Sender
22/03/2006 13:56 <REP> Shareaza
02/03/2006 15:16 <REP> Skype
08/01/2006 13:28 <REP> Sonic
15/12/2005 19:59 <REP> Sun
27/11/2006 19:34 <REP> Symantec
26/11/2006 12:27 <REP> Talkback
07/02/2007 15:27 <REP> Template
26/10/2006 19:04 <REP> TuneUp Software
15/02/2007 20:41 <REP> UseNeXT
07/11/2006 21:02 <REP> VadeRetro
31/01/2006 16:50 <REP> vlc
28/06/2006 21:39 <REP> Yahoo!
14/12/2005 15:57 <REP> You've Got Pictures Screensaver
27/11/2006 19:34 62 desktop.ini
28/11/2006 14:10 0 wklnhst.dat
2 fichier(s) 62 octets
46 Rép(s) 38 976 516 096 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Compaq_Propriétaire\Local Settings\Application Data

27/11/2006 19:34 <REP> .
27/11/2006 19:34 <REP> ..
27/11/2006 19:34 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
07/12/2006 13:42 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150010}
12/12/2005 16:25 <REP> Adobe
25/08/2006 14:57 <REP> Ahead
27/11/2006 19:34 <REP> Apple Computer
27/11/2006 19:34 <REP> ApplicationHistory
01/09/2006 20:59 <REP> Google
14/12/2005 18:54 <REP> Help
13/12/2005 12:08 <REP> Identities
07/09/2006 08:36 <REP> IM
27/11/2006 19:34 <REP> Microsoft
19/03/2006 18:24 <REP> MicroVision Applications
28/09/2006 20:16 <REP> Mozilla
28/11/2006 21:36 <REP> PCHealth
19/02/2006 16:27 <REP> RcIncidents
20/02/2006 19:07 <REP> Shareaza
17/12/2005 19:31 <REP> WMTools Downloaded Files
19/12/2005 12:42 51 200 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
27/11/2006 19:34 142 fusioncache.dat
14/12/2005 21:14 35 728 GDIPFONTCACHEV1.DAT
19/03/2007 15:10 4 275 012 IconCache.db
4 fichier(s) 4 362 082 octets
19 Rép(s) 38 976 495 616 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Default User\Application Data

25/11/2004 05:25 <REP> .
25/11/2004 05:25 <REP> ..
12/12/2005 15:25 <REP> Apple Computer
25/11/2004 05:25 <REP> Identities
25/11/2004 05:25 <REP> Microsoft
12/12/2005 15:25 <REP> SampleView
12/12/2005 15:25 <REP> Symantec
24/11/2004 00:13 62 desktop.ini
1 fichier(s) 62 octets
7 Rép(s) 38 976 495 616 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\Default User\Local Settings\Application Data

25/11/2004 05:25 <REP> .
25/11/2004 05:25 <REP> ..
12/12/2005 15:25 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
12/12/2005 15:25 <REP> Apple Computer
12/12/2005 15:25 <REP> ApplicationHistory
25/11/2004 05:25 <REP> Microsoft
12/12/2005 15:25 135 fusioncache.dat
12/12/2005 15:25 6 291 456 IconCache.db
2 fichier(s) 6 291 591 octets
6 Rép(s) 38 976 491 520 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\LocalService\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
30/11/2006 22:08 <REP> AVG7
03/01/2005 07:01 <REP> Microsoft
30/03/2007 13:15 <REP> Mozilla
0 fichier(s) 0 octets
5 Rép(s) 38 976 491 520 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\LocalService\Local Settings\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
03/01/2005 07:01 <REP> Microsoft
30/03/2007 13:15 <REP> Mozilla
0 fichier(s) 0 octets
4 Rép(s) 38 976 491 520 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\NetworkService\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
21/02/2007 13:06 <REP> AVG7
03/01/2005 07:01 <REP> Microsoft
08/02/2006 10:35 <REP> Symantec
0 fichier(s) 0 octets
5 Rép(s) 38 976 491 520 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Documents and Settings\NetworkService\Local Settings\Application Data

03/01/2005 07:01 <REP> .
03/01/2005 07:01 <REP> ..
03/01/2005 07:01 <REP> Microsoft
0 fichier(s) 0 octets
3 Rép(s) 38 976 491 520 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\WINDOWS\system32\config\systemprofile\Application Data

25/11/2004 05:58 <REP> .
25/11/2004 05:58 <REP> ..
27/11/2006 19:32 <REP> Apple Computer
25/11/2004 05:58 <REP> Identities
25/11/2004 05:58 <REP> Microsoft
27/11/2006 19:32 <REP> SampleView
27/11/2006 19:32 <REP> Symantec
24/11/2004 00:13 62 desktop.ini
1 fichier(s) 62 octets
7 Rép(s) 38 976 491 520 octets libres
Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data

25/11/2004 05:58 <REP> .
25/11/2004 05:58 <REP> ..
27/11/2006 19:32 <REP> {3248F0A6-6813-11D6-A77B-00B0D0150000}
27/11/2006 19:32 <REP> Apple Computer
27/11/2006 19:32 <REP> ApplicationHistory
25/11/2004 05:58 <REP> Microsoft
27/11/2006 19:32 135 fusioncache.dat
27/11/2006 19:32 6 291 456 IconCache.db
2 fichier(s) 6 291 591 octets
6 Rép(s) 38 976 491 520 octets libres

******************************************
Recherche des taches planifiées dans C:\WINDOWS\tasks


C:\WINDOWS\Tasks\Connexion
Connexion inexploitable


C:\WINDOWS\Tasks\HPCeeSchedule.job
s   €! ' C : \ P R O G R A ~ 1 \ E A S Y I N ~ 1 \ C e e m e n t \ H P C E E . e x e  H P C e e S c h e d u l e ( n u l l )  C o m p a q _ P r o p r i é t a i r e  
0 ×    À¨ h



C:\WINDOWS\Tasks\Maintenance
Maintenance inexploitable

******************************************
## Répertoires de C:\Program Files

Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\Program Files

15/04/2007 12:21 <REP> .
15/04/2007 12:21 <REP> ..
03/01/2005 07:28 <REP> Adobe
08/11/2006 13:50 <REP> Agnitum
24/07/2006 14:14 <REP> Alwil Software
18/11/2006 18:10 <REP> Antipub
27/11/2006 23:57 <REP> AOL 9.0
14/12/2005 18:54 <REP> AOL 9.0a
16/12/2005 16:47 <REP> AOL 9.0b
27/11/2006 23:57 <REP> AOL 9.0c
20/01/2006 17:58 <REP> AOL Compagnon
26/01/2006 19:19 <REP> AOL Toolbar
23/01/2006 16:38 <REP> ArcSoft
12/04/2007 13:41 <REP> a-squared Anti-Malware
09/04/2007 20:31 <REP> a-squared Free
03/01/2005 07:18 <REP> ATI Technologies
12/02/2007 18:12 <REP> AxBx
28/01/2007 20:57 <REP> Azureus
15/03/2007 09:37 <REP> BitTorrent
06/11/2006 18:53 <REP> Boonty
06/11/2006 18:58 <REP> BoontyGames
20/02/2007 13:51 <REP> CCleaner
15/04/2007 12:33 <REP> CleanUp!
20/01/2006 12:53 <REP> Coktel
23/03/2006 13:55 <REP> Common Files
24/11/2004 03:37 <REP> ComPlus Applications
08/01/2007 19:35 <REP> CyberLink
09/05/2006 19:00 <REP> DAP
24/11/2006 23:16 <REP> Defenza
19/01/2006 19:14 <REP> directx
23/03/2007 19:25 <REP> DivX
31/03/2007 20:24 <REP> Easy Internet signup
19/01/2006 19:12 <REP> Eidos Interactive
21/03/2007 15:01 <REP> Elaborate Bytes
30/03/2007 21:15 <REP> eMule
14/01/2007 20:43 <REP> EPSON
22/12/2006 13:46 <REP> FBM Software
04/04/2007 18:21 <REP> Fichiers communs
12/02/2007 18:11 <REP> FileZilla
27/11/2006 18:47 <REP> Free.fr
12/02/2007 22:03 <REP> FreeGo
13/12/2005 11:54 <REP> FUJIFILM
05/12/2006 19:03 <REP> Google
28/10/2006 11:07 <REP> Goto Software
19/02/2007 13:29 <REP> Grisoft
03/01/2005 07:27 <REP> Hewlett-Packard
07/04/2007 23:16 <REP> Hp
15/04/2007 11:54 <REP> Incomplete
07/09/2006 12:35 <REP> IncrediMail
06/11/2006 20:19 <REP> InterActual
12/04/2007 11:57 <REP> Internet Explorer
04/03/2007 11:50 <REP> InternetGameBox
03/01/2005 07:27 <REP> InterVideo
03/01/2005 07:30 <REP> iPod
03/01/2005 07:30 <REP> iTunes
08/04/2007 20:08 <REP> Java
12/12/2006 16:47 <REP> JCA2000
20/02/2007 14:29 <REP> Lavasoft
14/12/2005 15:57 <REP> Learn2.com
31/03/2007 21:26 <REP> Live Billiards
04/04/2007 18:20 <REP> Logitech
01/12/2006 19:10 <REP> MailSkinner
04/01/2007 21:52 <REP> Media Player Classic
24/09/2006 06:47 <REP> Mes Jeux Téléchargés
03/01/2005 07:15 <REP> Messenger
21/03/2007 11:05 <REP> Messenger Plus! Live
25/11/2004 05:27 <REP> microsoft frontpage
03/01/2005 07:30 <REP> Microsoft Office
03/01/2005 07:30 <REP> Microsoft Works
20/06/2006 09:41 <REP> Mindscape
25/11/2004 05:27 <REP> Movie Maker
16/04/2007 10:24 <REP> Mozilla Firefox
15/01/2007 21:23 <REP> MSN
23/07/2006 15:12 <REP> MSN Apps
25/11/2004 05:27 <REP> MSN Gaming Zone
18/03/2007 19:51 <REP> MSN Messenger
28/01/2006 10:46 <REP> MSN Toolbar Suite
15/11/2006 13:54 <REP> MSXML 4.0
05/03/2007 15:28 <REP> Multi_Media_France
25/08/2006 14:53 <REP> Nero
28/11/2006 03:17 <REP> NetMeeting
16/07/2006 08:17 <REP> Oberon Media
05/04/2007 12:03 <REP> Online Services
27/10/2006 10:13 <REP> OutClock
13/12/2006 20:17 <REP> Outlook Express
07/04/2007 18:13 <REP> Philips ToUcam Camera
03/12/2006 18:21 <REP> Piolet
03/01/2005 07:31 <REP> QuickTime
07/04/2006 19:01 <REP> Race Cars The Extreme Rally
29/09/2006 23:20 <REP> Real
04/01/2007 21:53 <REP> Real Alternative
27/02/2007 13:45 <REP> ReflexiveArcade
06/10/2006 21:34 <REP> Registry Mechanic
29/09/2006 23:14 774 144 RngInterstitial.dll
06/04/2007 17:13 <REP> Samsung
03/01/2005 07:41 <REP> Services en ligne
22/05/2006 17:14 <REP> Shareaza
03/01/2005 07:26 <REP> Sonic
19/01/2007 18:28 <REP> Spybot - Search & Destroy
27/11/2006 23:03 <REP> Symantec
06/02/2006 10:02 <REP> SymNetDrv
14/12/2005 16:00 <REP> TechCity Solutions
03/09/2006 20:14 <REP> THQ
10/12/2006 11:37 <REP> TrackMania Nations ESWC
17/12/2006 20:21 <REP> TribalWeb.net
24/11/2004 03:37 <REP> Uninstall Information
23/03/2007 19:13 <REP> VDCodecPack3.7
12/12/2006 16:42 <REP> VideoLAN
23/01/2006 16:31 <REP> VideoLink Pro
14/12/2005 15:57 <REP> Viewpoint
07/04/2007 23:04 <REP> Winamp
29/11/2006 22:47 <REP> Windows Live Safety Center
28/11/2006 14:31 <REP> Windows Media Connect 2
02/03/2007 22:37 <REP> Windows Media Player
28/11/2006 03:17 <REP> Windows NT
12/02/2007 22:03 <REP> WinPcap
24/02/2007 16:12 <REP> WinRAR
22/12/2006 17:47 <REP> Wolfenstein - Enemy Territory
25/11/2004 05:28 <REP> xerox
22/02/2007 21:19 <REP> Yahoo!
08/02/2007 21:55 <REP> Zylom Games
1 fichier(s) 774 144 octets
120 Rép(s) 38 976 483 328 octets libres

******************************************
## Popups autorisées

* Internet Explorer

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
mysearchnow.com REG_SZ
www.mysearchnow.com REG_SZ
*.zylom.com REG_BINARY 00000000
zonenxt.msn-int.com REG_BINARY
zonenxt.msn-ppe.com REG_BINARY
zone.msn.com REG_BINARY
netbios-wait.com REG_SZ
www.netbios-wait.com REG_SZ
netsearchsoft.com REG_SZ
www.netsearchsoft.com REG_SZ
*.zylomgames.com REG_BINARY 00000000

* Mozilla Firefox (1 autorisé 2 interdit)

---------- C:\DOCUMENTS AND SETTINGS\COMPAQ_PROPRITAIRE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\II9O9CHB.DEFAULT\HOSTPERM.1

******************************************
## Registre

******************************************
## Zones de sécurité

* HKCU Domains (4)

* P3P History (5)

******************************************
## Recherche C:\WINDOWS\*.htm, "C:\WINDOWS\*.gif"

Le volume dans le lecteur C s'appelle PRESARIO
Le numéro de série du volume est 2C81-99B4

Répertoire de C:\WINDOWS

31/01/2006 18:29 0 .htm
1 fichier(s) 0 octets
0 Rép(s) 38 976 417 792 octets libres

*************** Fin du rapport ****************

salut regis59 Search Navipromo version 1.1.5 commencé le 16/04/2007 à 11:57:10,53

!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Poster ce rapport sur le forum pour le faire analyser !!!
!!! Ne pas lancer la partie désinfection sans l'avis d'un spécialiste !!!

Fix lancé depuis C:\Documents and Settings\Compaq_Propri‚taire\Bureau
Mise a jour le 13.04.2007 a 20h00 by IL-MAFIOSO

Executé en mode normal

*** Recherche Programmes installes ***


InternetGameBox


*** Recherche dossiers dans C:\WINDOWS ***


C:\WINDOWS\msskinner trouvé !


*** Recherche dossiers dans C:\Program Files ***


C:\Program Files\MailSkinner trouvé !
C:\Program Files\InternetGameBox trouvé !


*** Recherche dossiers dans C:\Documents and Settings\All Users\Application Data ***




*** Recherche dossiers dans C:\Documents and Settings\Compaq_Propri‚taire\Application Data ***



*** Recherche avec BlackLight Engine/F-secure ***
BlackLight Engine est un produit de F-secure, pour + d'infos :
https://www.f-secure.com/en

Fichier(s) caché(s) dans C:\WINDOWS\system32 :

c:\WINDOWS\system32\nkrziabhoi.dat
C:\windows\system32\nkrziabhoi.exe
c:\WINDOWS\system32\nkrziabhoi_nav.dat
c:\WINDOWS\system32\nkrziabhoi_navps.dat

Processus caché(s) dans C:\WINDOWS\system32 :

C:\windows\system32\nkrziabhoi.exe


*** Recherche fichiers ***


C:\DOCUME~1\COMPAQ~1\Bureau\InternetGameBox.lnk trouvé !
C:\WINDOWS\pack.epk trouvé !
C:\WINDOWS\system32\nvs2.inf trouvé !


*** Recherche cles registre ***


Recherche dans [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]



Recherche dans [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]



Recherche Clé Magic Control

HKEY_CURRENT_USER\Software\Lanconfig trouvé !


*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:


2)Recherche Heuristique :
*
C:\WINDOWS\system32\nkrziabhoi.dat trouvé !
**
C:\WINDOWS\system32\nkrziabhoi.dat trouvé !
***
****
C:\WINDOWS\system32\nkrziabhoi_navps.dat trouvé !
*****
******
*******
C:\WINDOWS\system32\nkrziabhoi.exe trouvé !
********
C:\WINDOWS\system32\nkrziabhoi.exe trouvé !


*** Analyse Terminé le 16/04/2007 à 12:05:56,67 ***

salut regis59 est merci voici le rapport Clean Navipromo version 1.1.5 commencé le 16/04/2007 à 15:48:30,43

Fix lancé depuis C:\Documents and Settings\Administrateur\Bureau
Mise a jour le 13.04.2007 a 20h00 by IL-MAFIOSO

Executé en mode sans echec

Mode suppression automatique avec prise en charge résultats Blacklight

*** Creation backups fichiers trouvés par Blacklight ***

Copie vers "C:\Documents and Settings\Administrateur\Bureau\Backupnavi"


*** Suppression des fichiers trouvés avec Blacklight ***

c:\WINDOWS\system32\nkrziabhoi.dat supprimé !
C:\windows\system32\nkrziabhoi.exe supprimé !
c:\WINDOWS\system32\nkrziabhoi_nav.dat supprimé !
c:\WINDOWS\system32\nkrziabhoi_navps.dat supprimé !

*** Suppression dossiers dans C:\WINDOWS ***

C:\WINDOWS\msskinner ...suppression...
C:\WINDOWS\msskinner supprimé !


*** Suppression dossiers dans C:\Program Files ***

C:\Program Files\MailSkinner ...suppression...
C:\Program Files\MailSkinner supprimé !

C:\Program Files\InternetGameBox ...suppression...
C:\Program Files\InternetGameBox supprimé !


*** Suppression dossiers dans C:\Documents and Settings\All Users\Application Data ***


*** Suppression dossiers dans C:\Documents and Settings\Administrateur\Application Data ***



*** Suppression fichiers ***

C:\WINDOWS\pack.epk supprimé !
C:\WINDOWS\system32\nvs2.inf supprimé !

*** Suppression fichiers temporaires ***

Nettoyage contenu C:\WINDOWS\Temp effectué !
Nettoyage contenu C:\Documents and Settings\Administrateur\Local Settings\Temp effectué !


*** Sauvegarde du registre vers dossier Backupnavi***


sauvegarde du registre realise avec succes !


*** Nettoyage registre ***


Nettoyage registre Ok

*** Traitement Recherche complémentaire ***
(Recherche fichiers spécifiques)

1)Recherche fichiers connus:


2)Recherche et Suppression Heuristique :

*
**
***
****
*****
******
*******
********

*** Nettoyage termine le 16/04/2007 à 15:50:01,53 ***

salut la suite Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Messenger Plus! Live]
"UninstallString"="\"C:\\Program Files\\Messenger Plus! Live\\Uninstall.exe\""
"DisplayIcon"="\"C:\\Program Files\\Messenger Plus! Live\\Uninstall.exe\""
"InstallLocation"="C:\\Program Files\\Messenger Plus! Live"
"Publisher"="Patchou"
"URLInfoAbout"="http://www.msgpluslive.net"
"URLUpdateInfo"="http://www.msgpluslive.net"
"DisplayVersion"="4.20 (build 262)"
"DisplayName"="Messenger Plus! Live & Sponsor (CiD)"
"SponsorInstalled"=dword:00000001
"SponsorInstalled"=dword:00000001
"SponsorInstalled"=dword:00000001

salut c tout ce que j comme rapport 2 fois fait memé rapport

ca marche pas toujour les meme rapport telecharge htt://sosvirumerci quands.changelog.fr/green day/lopxp.exe .ouvrir option 1 merci regis59

salut regis 59 rien ne marche je suis peut ètre bidon a+

re est merci 'Silent Runners.vbs -- find out what starts up with Windows!
'(compatible with Windows 95/98/Millennium/NT 4.0/2000 Pro/XP Home & Pro/Vista RC1)
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF 14 January 2007, https://www.silentrunners.org/
'This script is provided without any warranty, either express or implied
'It may not be copied or distributed without permission
'
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! ** (END OF HEADER)


Option Explicit

Dim strRevNo : strRevNo = "R50"

Public flagTest : flagTest = False 'True if in testing mode
'flagTest = True 'Uncomment to put in testing mode
Public arSecTest : arSecTest = Array() 'array of section numbers to test

Public intSection : intSection = 0 'section counter

'This script is divided into 28 sections.

'malware launch points:
' registry keys (1-12, 15)
' INI/INF-files (16-18)
' folders (19)
' enabled scheduled tasks (20)
' Winsock2 service provider DLLs (21)
' IE toolbars, explorer bars, extensions (22)
' started services (26)
' keyboard driver filters (27)
' printer monitors (28)

'hijack points:
' System/Group Policies (14)
' prefixes for IE URLs (23)
' misc IE points (24)
' HOSTS file (25)

'Output is suppressed if deemed normal unless the -all parameter is used
'Section XVIII is skipped unless the -supp/-all parameters are used or
'the first message box is answered "No" and the next message box "Yes"

' 1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
' HKLM... RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run
' 2. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\
' (StubPath <> "" And HKLM version # > HKCU version #)
' 3. HKLM... Explorer\Browser Helper Objects\
' 4. HKLM... Shell Extensions\Approved\
' 5. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks
' 6. HKCU/HKLM... ShellServiceObjectDelayLoad\
' 7. HKCU/HKLM... Command Processor\AutoRun
' HKCU... Policies\System\Shell (W2K/WXP/WVa only)
' HKCU... Windows\load & run
' HKLM... Windows\AppInit_DLLs
' HKCU/HKLM... Winlogon\Shell
' HKLM... Winlogon\Userinit, System, Ginadll, Taskman
' HKLM... Control\SafeBoot\Option\UseAlternateShell
' HKLM... Control\SecurityProviders\SecurityProviders
' HKLM... Control\Session Manager\BootExecute
' HKLM... Control\Session Manager\WOW\cmdline, wowcmdline
' 8. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
' 9. HKLM... Image File Execution Options ("Debugger" subkeys)
'10. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff scripts (W2K/WXP/WVa)
'11. HKCU/HKLM Protocols\Filter
'12. Context menu shell extensions
'13. HKCU/HKLM executable file type (bat/cmd/com/exe/hta/pif/scr)
'14. System/Group Policies
'15. Enabled Wallpaper & Screen Saver
'16. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe, scrnsave.exe), WINSTART.BAT
'17. AUTORUN.INF in root directory of local fixed disks
'18. DESKTOP.INI in any local fixed disk directory (section skipped by default)
'19. %WINDIR%... Startup & All Users... Startup (W98/WMe) or
' %USERNAME%... Startup & All Users... Startup folder contents
'20. Enabled Scheduled Tasks
'21. Winsock2 Service Provider DLLs
'22. Internet Explorer Toolbars, Explorer Bars, Extensions
'23. Internet Explorer URL Prefixes
'24. Misc. IE Hijack Points
'25. HOSTS file
'26. Started Services
'27. Keyboard Driver Filters
'28. Print Monitors

Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")
Dim WshoArgs : Set WshoArgs = WScript.Arguments
Dim intErrNum, intMB, intMB1 'Err.Number, MsgBox return value x 2

Dim strflagTest : strflagTest = ""
If flagTest Then
strflagTest = "TEST "
Wshso.Popup "Silent Runners is in testing mode.",1, _
"Testing, testing, 1-2-3...", vbOKOnly + vbExclamation
End If

'Configuration Detection Section

' FileSystemObject creation error (112)
' CScript/WScript (147)
' Dim (161)
' GetFileVersion(WinVer.exe) (VBScript 5.1) (182)
' OS version (223)
' WMI (279)
' Dim (364)
' command line arguments (440)
' supplementary search MsgBox (532)
' startup MsgBox (557)
' CreateTextFile error (583)
' output file header (625)
' WXP SP2 (629)

On Error Resume Next
Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

If intErrNum <> 0 Then

strURL = "https://docs.microsoft.com/en-us/"

intMB = MsgBox (Chr(34) & "Silent Runners" & Chr(34) &_
" cannot access file services critical to" & vbCRLF &_
"proper script operation." & vbCRLF & vbCRLF &_
"If you are running Windows XP, make sure that the" &_
vbCRLF & Chr(34) & "Cryptographic Services" & Chr(34) &_
" service is started." & vbCRLF & vbCRLF &_
"You can also try reinstalling the latest version of the MS" &_
vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
"the download site or" & vbCRLF & Space(10) & Chr(34) & "Cancel" &_
Chr(34) & " to quit.", vbOKCancel + vbCritical, _
"Can't access the FileSystemObject!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

WScript.Quit

End If

Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network")

Const HKLM = &H80000002, HKCU = &H80000001
Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7
Const REG_QWORD = 11
Const MS = " [MS]"
Const DQ = """", LBr = "{"
Const IWarn = "<<!>> ", HWarn = "<<H>> "

'determine whether output is via MsgBox/PopUp or Echo
Dim flagOut
If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then
flagOut = "W" 'WScript
ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then
flagOut = "C" 'CScript
Else 'echo and continue if it works
flagOut = "C" 'assume CScript-compatible
WScript.Echo "Neither " & Chr(34) & "WSCRIPT.EXE" & Chr(34) & " nor " &_
Chr(34) & "CSCRIPT.EXE" & Chr(34) & " was detected as " &_
"the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_
" will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_
"use WScript.Echo for all messages."
End If 'script host

Const SysFolder = 1 : Const WinFolder = 0
Dim strOS : strOS = "Unknown"
Dim strOSLong : strOSLong = "Unknown"
Dim strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro
Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
Public strExeBareName 'bare file name w/o windows or system folder prefixes
Dim strSysVer 'Winver.exe version number
Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number
Dim intLenValue 'value length
Dim strURL 'download URL
'assume Group Policies cannot be set in the O/S
Dim flagGP : flagGP = False
'HKCU/HKLM CLSID Lower Limit, default is HKLM for O/S <= NT4
Dim intCLL : intCLL = 1

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
'trap GetFileVersion error for VBScript version < 5.1
On Error Resume Next
If Fso.FileExists (strFPSF & "\Winver.exe") Then
strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
Else
strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
End If
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if GetFileVersion returns error due to old WSH version
If intErrNum <> 0 Then

'store dl URL
strURL = "http://tinyurl.com/7zh0"

'if using WScript
If flagOut = "W" Then

'explain the problem
intMB = MsgBox ("This script requires Windows Script Host (WSH) 5.1 " &_
"or higher to run." & vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" &_
Chr(34) & " to direct your browser to the WSH download site or " &_
Chr(34) & "Cancel" & Chr(34) & " to quit." & vbCRLF & vbCRLF &_
"(WMI is also required. If it's missing, download instructions " &_
"will appear later.)", vbOKCancel + vbExclamation, _
"Unsupported Windows Script Host Version!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

'if using CScript
Else 'flagOut = "C"

'explain the problem
WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"Windows Script Host 5.1 or higher to run." & vbCRLF & vbCRLF &_
"It can be downloaded at: " & strURL

End If 'WScript or CScript?

'quit the script
WScript.Quit

End If 'VBScript version error encountered?

'use WINVER.EXE file version to determine O/S
If Instr(Left(strSysVer,3),"4.1") > 0 Then
strOS = "W98" : strOSLong = "Windows 98"

ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then
strOS = "NT4" : strOSLong = "Windows NT 4.0"

ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then
strOS = "W98" : strOSLong = "Windows 95"

ElseIf Instr(Left(strSysVer,8),"4.0.0.11") > 0 Then
strOS = "W98" : strOSLong = "Windows 95 SR2 (OEM)"

ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then
strOS = "W2K" : strOSLong = "Windows 2000" : : intCLL = 0 : flagGP = True

ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then
'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180
strOS = "WXP" : strOSLong = "Windows XP" : intCLL = 0

If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2"

ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then
strOS = "WME" : strOSLong = "Windows Me (Millennium Edition)"

ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then
strOS = "WXP" : strOSLong = "Windows Server 2003 (interpreted as Windows XP)"
flagGP = True : intCLL = 0

ElseIf Instr(Left(strSysVer,3),"6.0") > 0 Then
strOS = "WVA" : strOSLong = "Windows Vista RC1"
flagGP = True : intCLL = 0

Else 'unknown strSysVer

If flagOut = "W" Then

intMB = MsgBox ("The " & Chr(34) & "Silent Runners" & Chr(34) &_
" script cannot determine the operating system." & vbCRLF & vbCRLF &_
"Click " & Chr(34) & "OK" & Chr(34) & " to send an e-mail to the " &_
"author, providing the following information:" & vbCRLF & vbCRLF &_
"WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_
"or click " & Chr(34) & "Cancel" & Chr(34) & " to quit.", _
49,"O/S Unknown!")

If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_
"<%6F%73.%76%65%72.%65%72%72%6F%72@%73%69%6C%65%6E%74%72%75%6E%6E%65%72%73.%6F%72%67>?" &_
"subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_
"%20file%20version%20=%20" & strSysVer

Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
"determine the operating system." & vbCRLF & vbCRLF & "This script will exit."

End If 'flagOut?

WScript.Quit

End If 'OS id'd from strSysVer?

'use WMI to connect to the registry
On Error Resume Next
Dim oReg : Set oReg = GetObject("winmgmts:\root\default:StdRegProv")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'detect WMI connection error
If intErrNum <> 0 Then

strURL = ""

'for W98/NT4, assume WMI not installed and direct to d/l URL
If strOS = "W98" Or strOS = "NT4" Then

If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"
If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7"

'invite user to download WMI & quit
If flagOut = "W" Then

intMB = MsgBox ("This script requires " & Chr(34) & "WMI" &_
Chr(34) & ", Windows Management Instrumentation, to run." &_
vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_
vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" & Chr(34) &_
" to direct your browser to the download site or " &_
Chr(34) & "Cancel" & Chr(34) & " to quit.",_
vbOKCancel + vbCritical,"WMI Not Installed!")

If intMB = 1 Then Wshso.Run strURL

'at command line, explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_
"to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL

End If

'for W2K/WXP/WVa, explain how to start the WMI service
ElseIf strOS = "W2K" Or strOS = "WXP" or strOS = "WVA" Then

If strOS = "W2K" Then strLine = "Settings | Control Panel | "
If strOS = "WXP" Then strLine = "Control Panel | "
If strOS = "WVA" Then strLine = "Control Panel | Classic View | "

'explain how to turn on WMI service
If flagOut = "W" Then

MsgBox "This script requires Windows Management Instrumentation" &_
" to run." & vbCRLF & vbCRLF & "Click on Start | " & strLine &_
"Administrative Tools | Services," & vbCRLF &_
"and start the " & Chr(34) & "Windows Management Instrumentation" &_
Chr(34) & " service.",vbOKOnly + vbCritical,"WMI Service not running!"

'at command line, explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_
"Click on Start | " & strLine & "Administrative " &_
"Tools | Services" & vbCRLF & "and start the " & Chr(34) &_
"Windows Management Instrumentation" & Chr(34) & " service."

End If 'flagOut?

Else 'WMe

'say there's a WMI problem
If flagOut = "W" Then

MsgBox "This script requires WMI (Windows Management Instrumentation)" &_
" to run," & vbCRLF & "but WMI is not running correctly.", _
vbOKOnly + vbCritical,"WMI problem!"

'at command line, explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"WMI (Windows Management Instrumentation) to run," & vbCRLF &_
"but WMI is not running correctly."

End If 'flagOut?

End If 'which O/S?

WScript.Quit

End If 'WMI execution error

'array of Run keys, counter x 5, hive member, startup folder file,
'startup file shortcut, IERESET.INF file
Dim arRunKeys, i, ii, j, k, l, oHiveElmt, oSUFi, oSUSC
'dictionary, keys, items, hard disk collection
Dim arSK, arSKk, arSKi, colDisks

'arrays: Run key names, keys, sub-keys, value type, SecurityProviders,
' Protocol filters, values
Dim arNames(), arKeys(), arSubKeys(), arType, arSP, arFilter(), arValues
'Sub-Directory DeskTop.Ini array, Sub-Directory Error array, Error array
'Recognized GP names, allowed GP names
Public arSDDTI(), arSDErr(), arErr(), arRecNames(), arAllowedNames()

'DeskTop.Ini counter, Error counter x 2, Classes data Hive counter
Public ctrArDTI, ctrArErr, ctrErr, ctrCH
Public ctrFo : ctrFo = 0 'folder counter

'name member, key array member x 4, O/S, drive root directory, work file
Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk
'values x 7
Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6
Dim strVal, intValue, strCmd
'name, single character, startup folder name, startup folder, array member, temp var
Dim strName, strChr, arSUFN, oSUF, strArMember, strTmp, strTmp2
'output string x 3
Public strOut, strOut1, strOut2

'output file msg x 2, warning string, title line
Dim strLine, strLine1, strLine2, strWarn, strTitleLine
'infection/hijack warning detection flags -- add footer note if True
Public flagIWarn : flagIWarn = False
Public flagHWarn : flagHWarn = False
Dim strKey, strKey1, strKey2, strKey3, strSubKey 'register key x 4, sub-key
'output file name string (incl. path), file name (wo path),
'PIF path string, single binary character
Dim strFN, strFNNP, strPIFTgt, bin1C
Public datLaunch : datLaunch = Now 'script launch time
Public intCnt 'counter
'ref time, time taken by 2 pop-up boxes
Public datRef : datRef = 0
Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0

'TRUE if show all output (default values not filtered)
Public flagShowAll : flagShowAll = False
Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_
"except where indicated by " & Chr(34) & "{++}" & Chr(34) 'output file string
Public strTitle : strTitle = ""
Public strSubTitle : strSubTitle = ""
Public strSubSubTitle : strSubSubTitle = ""
Public flagNVP : flagNVP = False 'existence of name/value pairs in a key
Public flagInfect : flagInfect = False 'flag infected condition
Dim flagMatch 'flag matching keys
Dim flagAllow 'flag key on approved list
Dim flagFound 'flag key that exists in Registry
Dim flagDirArg : flagDirArg = False 'presence of output directory argument
Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format
Dim flagTitle 'True if title has already been written
Dim flagAllArg : flagAllArg = False 'presence of all output argument
Dim flagArray 'flag array containing elements
Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all
'directories of local fixed disks
Dim intLBSP 'Last BackSlash Position in path string
Dim intSS 'lowest sort subscript
Dim intType 'value type
Dim strDLL, strCN 'DLL name, company name
'string to signal all output by default
Public strAllOutDefault : strAllOutDefault = ""

Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)
If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"
'initialize Path of Output File Folder to script path
Dim strPathOFFo : strPathOFFo = ScrPath

'hive array
Public arHives(1,1)
arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

'set up argument usage message string

Dim strLSp, strCSp 'Leading Spaces, Centering Spaces
strLSp = Space(4) : strCSp = Space(33) 'WScript spacing
If flagOut = "C" Then 'CScript spacing
strLsp = Space(3) : strCSp = Space(28)
End If

Dim strMsg : strMsg = "Only two arguments are permitted:" &_
vbCRLF & vbCRLF &_
"1. the name of an existing directory for the output report" &_
vbCRLF & strLSp & "(embed in quotes if it contains spaces)" &_
vbCRLF & vbCRLF & strCSp & "AND:" & vbCRLF & vbCRLF &_
"2. " & Chr(34) & "-supp" & Chr(34) & " to search " &_
"all directories for DESKTOP.INI DLL" & vbCRLF &_
strLSp & "launch points" &_
vbCRLF & vbCRLF & strCSp & "-OR-" & vbCRLF & vbCRLF &_
"3. " & Chr(34) & "-all" & Chr(34) & " to output all non-empty " &_
"values and all launch" & vbCRLF & strLSp & "points checked"

'check if output directory or "-all" or "-supp" was supplied as argument
If WshoArgs.length > 0 And WshoArgs.length <= 2 Then

For i = 0 To WshoArgs.length-1

'if directory arg not already passed and arg directory exists
If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then

'get the path & toggle the directory arg flag
Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i))
strPathOFFo = oOFFo.Path : flagDirArg = True
If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"
Set oOFFo=Nothing

'if -all arg not already passed and is this arg
ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then

'toggle ShowAll flag, toggle the all arg flag, fill report string
flagShowAll = True : flagAllArg = True
strRptOutput = "Output of all locations checked and all values found."

'if -all arg not already passed and is this arg
ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-supp" Then
flagSupp = True : flagAllArg = True
strRptOutput = "Search enabled of all directories on local fixed " &_
"drives for DESKTOP.INI" & vbCRLF & " DLL launch points" &_
vbCRLF & strRptOutput

'argument can't be interpreted, so explain & quit
Else

If flagOut = "W" Then 'pop up a message window

Wshso.Popup "The argument:" & vbCRLF &_
Chr(34) & UCase(WshoArgs(i)) & Chr(34) & vbCRLF &_
"... can't be interpreted." & vbCRLF & vbCRLF &_
strMsg,10,"Bad Script Argument", vbOKOnly + vbExclamation

Else 'flagOut = "C" 'write the message to the console

WScript.Echo vbCRLF & "The argument: " &_
Chr(34) & UCase(WshoArgs(i)) & Chr(34) &_
" can't be interpreted." & vbCRLF & vbCRLF &_
strMsg & vbCRLF

End If 'WScript host?

WScript.Quit

End If 'argument can be interpreted?

Next 'argument

'too many args passed
ElseIf WshoArgs.length > 2 Then

'explain & quit
If flagOut = "W" Then 'pop up a message window

Wshso.Popup "Too many arguments (" & WshoArgs.length & ") were passed." &_
vbCRLF & vbCRLF & strMsg,10,"Too Many Arguments",_
vbOKOnly + vbCritical

Else 'flagOut = "C" 'write the message to the console

WScript.Echo "Too many arguments (" & WshoArgs.length & ") were passed." &_
vbCRLF & vbCRLF & strMsg & vbCRLF

End If 'WScript host?

WScript.Quit

End If 'directory arguments passed?

Set WshoArgs=Nothing

datRef = Now

'if no cmd line argument for flagSupp and not testing, show popup
If Not flagTest And Not flagShowAll And Not flagSupp And flagOut = "W" Then

intMB = Wshso.Popup ("Do you want to skip the supplementary search?" &_
vbCRLF & "(It typically takes several minutes.)" & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "Yes" & Chr(34) & Space(5) &_
" to skip the supplementary search (default)" & vbCRLF & vbCRLF &_
Space(10) & Chr(34) & "No" & Chr(34) & Space(6) &_
" to perform it, or" & vbCRLF & vbCRLF &_
Space(10) & Chr(34) & "Cancel" & Chr(34) &_
" to get more information at the web site" & vbCRLF &_
Space(25) & "and exit the script.",_
15,"Skip supplementary search?",_
vbYesNoCancel + vbQuestion + vbDefaultButton1 + vbSystemModal)

If intMB = vbNo Then

flagSupp = True

intMB1 = MsgBox ("Are you SURE you want to run the supplementary " &_
"search?" & vbCRLF & vbCRLF & "It's _rarely_ necessary " &_
"and it takes a *long* time." & vbCRLF & vbCRLF & "Press " & DQ &_
"Yes" & DQ & " to confirm running the supplementary search, " &_
"or" & vbCRLF & Space(10) & DQ & "No" & DQ & " to run without it.", _
vbYesNo + vbQuestion + vbDefaultButton2 + vbSystemModal,"Are you sure?")

If intMB1 = vbNo Then flagSupp = False

ElseIf intMB = vbCancel Then
Wshso.Run "https://www.silentrunners.org/thescript.html#supp"
WScript.Quit
End If

End If

datPUB1 = DateDiff("s",datRef,Now) : datRef = Now

'inform user that script has started
If Not flagTest Then
If flagOut = "W" Then
Wshso.PopUp Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
vbCRLF & vbCRLF & "A message box like this one will appear " &_
"when it's done." & vbCRLF & vbCRLF & "Please be patient...",3,_
"Silent Runners R" & strRevNo & " startup", _
vbOKOnly + vbInformation + vbSystemModal
Else
WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
" Please be patient..."
End If 'flagOut?
End If 'flagTest?

datPUB2 = DateDiff("s",datRef,Now)

'create output file name with computer name & today's date
'Startup Programs (pc_name_here) yyyy-mm-dd.txt

strFNNP = "Startup Programs (" & oNetwk.ComputerName & ") " &_
FmtDate(datLaunch) & " " & FmtHMS(datLaunch) & ".txt"
strFN = strPathOFFo & strflagTest & strFNNP
On Error Resume Next
If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN)
Err.Clear
Public oFN : Set oFN = Fso.CreateTextFile(strFN,True)
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if can't create report file
If intErrNum > 0 Then

strURL = "https://www.silentrunners.org/Silent%20Runners%20RED.vbs"

'invite user to run RED version & quit
If flagOut = "W" Then

intMB = MsgBox ("The script cannot create its report file. " &_
"This is a known, intermittent" & vbCRLF & "problem under " &_
strOSLong & "." & vbCRLF & vbCRLF &_
"An alternative script version is available for download. " &_
"After it runs, " & vbCRLF & "the script you're using now will " &_
"run correctly." & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser " &_
"to the alternate script location, or" & vbCRLF & Space(10) &_
Chr(34) & "Cancel" & Chr(34) & " to quit.",49,"CreateTextFile Error!")

'if alternative script wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

'explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
"create the report file." & vbCRLF & vbCRLF &_
"An alternative script is available. Run it, then rerun this version." &_
vbCRLF & "The alternative script can be downloaded at: " & vbCRLF &_
vbCRLF & strURL

End If

WScript.Quit

End If 'report file creation error?

'add report header
Set oNetwk=Nothing

oFN.WriteLine Chr(34) & "Silent Runners.vbs" & Chr(34) &_
", revision " & strRevNo & ", https://www.silentrunners.org/" &_
vbCRLF & "Operating System: " & strOSLong & vbCRLF & strRptOutput

'test for WMI corruption and use WMI to differentiate between
'WXP Home & WXP Pro

'get the O/S collection
Dim colOS : Set colOS = GetObject("winmgmts:\root\cimv2").ExecQuery _
("Select * from Win32_OperatingSystem")

On Error Resume Next

Err.Clear

For Each oOS in colOS

If strOS = "WXP" Then

'modify strOSXP if O/S = Pro
If InStr(1,LCase(oOS.Name),"professional",1) > 0 Then
strOSXP = "Windows XP Professional"
flagGP = True
End If
'modify strOSXP if SP2
If Right(strOSLong,3) = "SP2" Then strOSXP = strOSXP & " SP2"

End If 'WXP?

Next 'oOS

If Err.Number <> 0 Then

strURL = "http://go.microsoft.com/fwlink/?LinkId=62562"

oFN.WriteLine vbCRLF & "FATAL ERROR!" & vbCRLF & String(12,"-") &_
vbCRLF & vbCRLF & DQ & "Silent Runners" & DQ &_
" cannot use WMI to identify the operating system." &_
vbCRLF & "This is caused by corruption of the WMI installation." &_
vbCRLF & vbCRLF &_
"WMI is complex and it is recommended that you use a Microsoft" &_
vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_
"on your system." & vbCRLF & vbCRLF & "It can be downloaded here:" &_
vbCRLF & vbCRLF & strURL

intMB = MsgBox (DQ & "Silent Runners" & DQ & " cannot use WMI to " &_
"identify the operating system." & vbCRLF & "This is caused by " &_
"corruption of the WMI installation." &_
vbCRLF & vbCRLF &_
"WMI is complex and it is recommended that you use a Microsoft" &_
vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_
"on your system." &_
vbCRLF & vbCRLF &_
"Press " & DQ & "OK" & DQ & " to direct your browser to the " &_
"WMIDiag download site or" &_
vbCRLF & Space(10) & DQ & "Cancel" & DQ & " to quit.",_
vbOKCancel + vbCritical + + vbSystemModal + vbDefaultButton2,_
"Can't iterate Win32_OperatingSystem!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

WScript.Quit

End If 'Err.Number<>0?

On Error Goto 0

Set colOS=Nothing




'#1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
' HKLM... RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

'write registry header lines to file
strTitle = "Startup items buried in registry:"
TitleLineWrite

'put keys in array (Key Index 0 - 6)
arRunKeys = Array ("Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _
"Software\Microsoft\Windows\CurrentVersion\Run", _
"Software\Microsoft\Windows\CurrentVersion\RunOnce", _
"Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _
"Software\Microsoft\Windows\CurrentVersion\RunOnceEx", _
"Software\Microsoft\Windows\CurrentVersion\RunServices", _
"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce")

'Key Execution Flag/Subkey Recursion Flag array
'
'first number in the ordered pair in the array immediately below
' pertains to execution of the key:
'0: not executed (ignore)
'1: may be executed so display with EXECUTION UNLIKELY warning
'2: executable
'
'second number in the ordered pair pertains to subkey recursion
'0: subkeys not used
'1: subkey recursion necessary

'0 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
'1 Software\Microsoft\Windows\CurrentVersion\Run
'2 Software\Microsoft\Windows\CurrentVersion\RunOnce
'3 Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
'4 Software\Microsoft\Windows\CurrentVersion\RunOnceEx
'5 Software\Microsoft\Windows\CurrentVersion\RunServices
'6 Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

'Hive HKCU - 0 HKLM - 1
'
'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6
'Index

'O/S:
'W95 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 0,0 2,1 2,0 2,0
'W98 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
'WMe 2,1 2,1 2,0 2,0 2,1 0,0 0,0 2,1 2,1 2,0 2,0 2,1 2,0 2,0
'NT4 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 0,0 2,1 0,0 0,0
'W2K 2,1 2,1 2,1 0,0 2,1 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0
'WXP 2,0 2,0 2,0 0,0 2,1 0,0 0,0 2,0 2,0 2,0 0,0 2,1 0,0 0,0
'WS2K3 ??? <-------------------- ??? --------------------> ???
'WVa 2,0 2,0 2,0 0,0 2,1 0,0 0,0 2,0 2,0 2,0 0,0 2,1 0,0 0,0

'arRegFlag(i,j,k): put flags in array by O/S:
'hive = i (0 or 1), key_# = j (0-6),
' flags (key execution/subkey recursion) = k (0 or 1)
' k = 0 holds key execution value = 0/1/2
' 1 holds subkey recursion value = 0/1
Dim arRegFlag()
ReDim arRegFlag(1,6,1)

'initialize entire array to zero
For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1
arRegFlag(i,j,k) = 0
Next : Next : Next

'add data to array for O/S that's running

'W98
If strOS = "W98" Then
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
'don't set HKLM,RunOnce\Setup for W95
If strOSLong = "Windows 98" Then _
arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
End If

If strOS = "WME" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,3,0) = 2 'HKCU,RunOnce\Setup = no-warn
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
End If

'NT4
If strOS = "NT4" Then
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'W2K
If strOs = "W2K" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys (incl. Setup)
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys (incl. Setup)
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'WXP/WVa
If strOs = "WXP" Or strOS = "WVA" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'for each hive
For i = 0 To 1

'for each key
For j = 0 To 6

'if not ShowAll, show all output for Run keys
If j = 1 And Not flagShowAll Then strAllOutDefault = " {++}"

'if key is not ignored
If arRegFlag(i,j,0) > 0 Then

flagNVP = False

'intialize string with warning if necessary
strWarn = ""
If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: "

'INFO
'with no name/value pairs (sub-keys are identical)
' IsArray TypeName UBound
'W98 True "Variant()" -1
'WMe True "Variant()" -1
'NT4 True "Variant()" -1
'W2K False "Null" error (--)
'WXP False "Null" error (--)
'WS2K3 True "Variant()" error (--)
'WVa False "Null" error (--)

EnumNVP arHives(i,1), arRunKeys(j), arNames, arType

If flagNVP Then 'name/value pairs exist

'write the full key name
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\" & strAllOutDefault

'for each data type in the names array
For k = LBound(arNames) To UBound(arNames)

'use the type to find the value
strValue = RtnValue (arHives(i,1), arRunKeys(j), arNames(k), arType(k))
'write the name & value
WriteValueData arNames(k), strValue, arType(k), strWarn

Next 'member of names array

Else 'no name/value pairs

If flagShowAll Then _
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\"

End If 'flagNVP?

'recurse subkeys if necessary
If arRegFlag(i,j,1) = 1 Then

'put all subkeys into array
oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys

'excludes W2K/WXP/WVa with no sub-keys
If IsArray(arKeys) Then

'excludes W98/WMe/NT4/WS2K3 with no sub-keys
For Each strMemKey in arKeys

flagNVP = False
strSubKey = arRunKeys(j) & "\" & strMemKey

EnumNVP arHives(i,1), arRunKeys(j) & "\" & strMemKey,arNames,arType

If flagNVP Then 'if name/value pairs exist

'write the full key name
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey &_
"\" & strAllOutDefault

'for each data type in the names array
For k = LBound(arNames) To UBound(arNames)

'use the type to find the value
strValue = RtnValue (arHives(i,1), strSubKey, arNames(k), arType(k))
'write the name & value
WriteValueData arNames(k), strValue, arType(k), strWarn

Next 'member of names array

Else 'no name/value pairs

If flagShowAll Then _
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & "\"

End If 'flagNVP?

Next 'sub-key

End If 'sub-keys exist? W2K/WXP/WS2K3/WVa

End If 'enum sub-keys?

End If 'arRegFlag(i,j,0) > 0

Next 'Run key

Next 'Hive

strAllOutDefault = "" : flagNVP = False

'recover array memory
ReDim arRunKeys(0)
ReDim arKeys(0)
ReDim arRegFlag(0)

End If 'flagTest And SecTest?




'#2. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

'flags True if only numeric & comma chrs in Version values
Dim flagHKLMVer, flagHKCUVer
'StubPath Value string, HKLM Version value, HKCU Version value, HKLM program name
Dim strSPV, strHKLMVer, strHKCUVer, strPgmName
Dim arHKLMKeys, arHKCUKeys, strHKLMKey, strHKCUKey

strKey = "Software\Microsoft\Active Setup\Installed Components"

strSubTitle = "HKLM" & "\" & strKey & "\"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM
oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU

'enumerate HKLM keys if present
If IsArray(arHKLMKeys) Then

'for each HKLM key
For Each strHKLMKey In arHKLMKeys

'INFO
'Default Value not set:
'W98/WMe: returns 0, strValue = ""
'NT4/W2K/WXP/WVa: returns non-zero, strValue = Null

'Non-Default name inexistent:
'W98/WMe/NT4/W2K/WXP/WVa: returns non-zero, strValue = Null

'Non-Default Value not set:
'W2K: returns 0, strValue = unwritable string
'W98/WMe/NT4/WXP/WVa: returns 0, strValue = ""

'get the StubPath value
intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"StubPath",strSPV)

'if the StubPath name exists And value set (exc for W2K!)
If intErrNum = 0 And strSPV <> "" Then

flagMatch = False

'if HKCU keys present
If IsArray(arHKCUKeys) Then

'for each HKCU key
For Each strHKCUKey in arHKCUKeys

'if identical HKLM key exists
If LCase(strHKLMKey) = LCase(strHKCUKey) Then

'assume Version fmts are OK
flagHKLMVer = True : flagHKCUVer = True

'get HKLM & HKCU Version values
intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey, _
"Version",strHKLMVer) 'HKLM Version #
intErrNum2 = oReg.GetStringValue (HKCU,strKey & "\" & strHKCUKey, _
"Version",strHKCUVer) 'HKCU Version #

'if HKLM Version name exists And value set (exc for W2K!)
If intErrNum1 = 0 And strHKLMVer <> "" Then

'the next two loops check for allowed chars (numeric & comma)
' in returned Version values

For i = 1 To Len(strHKLMVer)
strChr = Mid(strHKLMVer,i,1)
If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False
Next

'if HKCU Version name exists And value set (exc for W2K!)
If intErrNum2 = 0 And strHKCUVer <> "" Then

'check that value consists only of numeric & comma chrs
For i = 1 To Len(strHKCUVer)
strChr = Mid(strHKCUVer,i,1)
If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False
Next

End If 'HKCU Version null or MT?

'if HKLM Ver # has illegal fmt (i.e., is not assigned) or doesn't exist (is Null)
' or is empty, match = True
'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True
'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output
' but StubPath will not launch
If Not flagHKLMVer Then flagMatch = True
If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True

Else 'HKLM Version name doesn't exist Or value not set (exc for W2K!)

flagMatch = True

End If 'HKLM Version name exists And value set (exc for W2K!)?

End If 'HKCU key=HKLM key?

Next 'HKCU Installed Components key

End If 'HKCU Installed Components subkeys exist?

'if the StubPath will launch
If Not flagMatch Then

flagAllow = False 'assume StubPath DLL not on approved list
strCN = CoName(IDExe(strSPV))

'test for approved StubPath DLL
If LCase(strHKLMKey) = ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" And _
(InStr(LCase(strSPV),"wmpocm.exe") > 0 Or _
InStr(LCase(strSPV),"unregmp2.exe") > 0) And _
strCN = MS And Not flagShowAll Then flagAllow = True

'StubPath DLL not approved
If Not flagAllow Then

'get the default value (program name)
intErrNum3 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"",strPgmName)
'enclose pgm name in quotes if name exists and default value isn't empty
If intErrNum3 = 0 And strPgmName <> "" Then
strPgmName = Chr(34) & strPgmName & Chr(34)
Else
strPgmName = "(no title provided)"
End If

TitleLineWrite

'output the CLSID & pgm name
oFN.WriteLine strHKLMKey & "\(Default) = " & StringFilter(strPgmName,False)

On Error Resume Next
'output the StubPath value
oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
Chr(34) & strSPV & Chr(34) & strCN
'error check for W2K if StubPath value not set
If Err.Number <> 0 Then oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
"(value not set)"
Err.Clear
On Error GoTo 0

End If 'flagAllow false?

End If 'flagMatch false?

End If 'StubPath value exists?

Next 'HKLM Installed Components subkey

End If 'HKLM Installed Components subkeys exist?

If flagShowAll Then TitleLineWrite

'recover array memory
ReDim arHKLMKeys(0)
ReDim arHKCUKeys(0)

strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

End If 'SecTest?




'#3. HKLM... Explorer\Browser Helper Objects

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
strSubTitle = "HKLM" & "\" & strKey & "\"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arSubKeys

'enumerate data if present
If IsArray(arSubKeys) Then

'for each key
For Each strSubKey In arSubKeys

flagTitle = False

CLSIDLocTitle HKLM, strKey & "\" & strSubKey, "", strLocTitle

For ctrCH = intCLL To 1

ResolveCLSID strSubKey, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL

If strIPSDLL <> "" Then

'output the title line if not already done
TitleLineWrite

If Not flagTitle Then

'error check for W2K if value not set
On Error Resume Next
oFN.WriteLine strSubKey & "\(Default) = " & strLocTitle
intErrNum = Err.Number : Err.Clear
If intErrNum <> 0 Then oFN.WriteLine strSubKey &_
"\(Default) = (no title provided)"
flagTitle = True
On Error GoTo 0

End If

'output CLSID title, InProcServer32 DLL & CoName
oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))

End If 'strIPSDLL exists?

Next 'CLSID hive

Next 'BHO subkey

End If 'BHO subkeys exist?

'if ShowAll, output the key name if not already done
If flagShowAll Then TitleLineWrite
strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

'recover array memory
ReDim arSubKeys(0)

End If 'SecTest?




'#4. HKLM... Shell Extensions\Approved\

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

'CLSID value, InProcessServer32 DLL name & output file version,
'CLSID Key Title display flag
Dim strCLSID, strIPSDLL, strIPSDLLOut, strCLSIDTitle, strLocTitle

'Shell Extension Approved array
Dim arSEA()
ReDim arSEA(388,1)
'WXP
arSEA(0,0) = "{00022613-0000-0000-C000-000000000046}" : arSEA(0,1) = "mmsys.cpl"
arSEA(1,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(1,1) = "icmui.dll"
arSEA(2,0) = "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" : arSEA(2,1) = "rshx32.dll"
arSEA(3,0) = "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" : arSEA(3,1) = "docprop.dll"
arSEA(4,0) = "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" : arSEA(4,1) = "ntshrui.dll"
arSEA(5,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(5,1) = "themeui.dll"
arSEA(6,0) = "{42071712-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(6,1) = "deskadp.dll"
arSEA(7,0) = "{42071713-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(7,1) = "deskmon.dll"
arSEA(8,0) = "{42071714-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(8,1) = "deskpan.dll"
arSEA(9,0) = "{4E40F770-369C-11d0-8922-00A024AB2DBB}" : arSEA(9,1) = "dssec.dll"
arSEA(10,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(10,1) = "SlayerXP.dll"
arSEA(11,0) = "{56117100-C0CD-101B-81E2-00AA004AE837}" : arSEA(11,1) = "shscrap.dll"
arSEA(12,0) = "{59099400-57FF-11CE-BD94-0020AF85B590}" : arSEA(12,1) = "diskcopy.dll"
arSEA(13,0) = "{59be4990-f85c-11ce-aff7-00aa003ca9f6}" : arSEA(13,1) = "ntlanui2.dll"
arSEA(14,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(14,1) = "icmui.dll"
arSEA(15,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(15,1) = "icmui.dll"
arSEA(16,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(16,1) = ""
arSEA(17,0) = "{77597368-7b15-11d0-a0c2-080036af3f03}" : arSEA(17,1) = "printui.dll"
arSEA(18,0) = "{7988B573-EC89-11cf-9C00-00AA00A14F56}" : arSEA(18,1) = "dskquoui.dll"
arSEA(19,0) = "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" : arSEA(19,1) = ""
arSEA(20,0) = "{85BBD920-42A0-1069-A2E4-08002B30309D}" : arSEA(20,1) = "syncui.dll"
arSEA(21,0) = "{88895560-9AA2-1069-930E-00AA0030EBC8}" : arSEA(21,1) = "hticons.dll"
arSEA(22,0) = "{BD84B380-8CA2-1069-AB1D-08000948F534}" : arSEA(22,1) = "fontext.dll"
arSEA(23,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(23,1) = "icmui.dll"
arSEA(24,0) = "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" : arSEA(24,1) = "rshx32.dll"
arSEA(25,0) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" : arSEA(25,1) = "ntshrui.dll"
arSEA(26,0) = "{f92e8c40-3d33-11d2-b1aa-080036a75b03}" : arSEA(26,1) = "deskperf.dll"
arSEA(27,0) = "{7444C717-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(27,1) = "cryptext.dll"
arSEA(28,0) = "{7444C719-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(28,1) = "cryptext.dll"
arSEA(29,0) = "{7007ACC7-3202-11D1-AAD2-00805FC1270E}" : arSEA(29,1) = "NETSHELL.dll"
arSEA(30,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(30,1) = "NETSHELL.dll"
arSEA(31,0) = "{E211B736-43FD-11D1-9EFB-0000F8757FCD}" : arSEA(31,1) = "wiashext.dll"
arSEA(32,0) = "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" : arSEA(32,1) = "wiashext.dll"
arSEA(33,0) = "{905667aa-acd6-11d2-8080-00805f6596d2}" : arSEA(33,1) = "wiashext.dll"
arSEA(34,0) = "{3F953603-1008-4f6e-A73A-04AAC7A992F1}" : arSEA(34,1) = "wiashext.dll"
arSEA(35,0) = "{83bbcbf3-b28a-4919-a5aa-73027445d672}" : arSEA(35,1) = "wiashext.dll"
arSEA(36,0) = "{F0152790-D56E-4445-850E-4F3117DB740C}" : arSEA(36,1) = "remotepg.dll"
arSEA(37,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(37,1) = "wuaucpl.cpl"
arSEA(38,0) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}" : arSEA(38,1) = "wshext.dll"
arSEA(39,0) = "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" : arSEA(39,1) = "oledb32.dll"
arSEA(40,0) = "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" : arSEA(40,1) = "mstask.dll"
arSEA(41,0) = "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" : arSEA(41,1) = "mstask.dll"
arSEA(42,0) = "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" : arSEA(42,1) = "mstask.dll"
arSEA(43,0) = "{0DF44EAA-FF21-4412-828E-260A8728E7F1}" : arSEA(43,1) = ""
arSEA(44,0) = "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(44,1) = "shdocvw.dll"
arSEA(45,0) = "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(45,1) = "shdocvw.dll"
arSEA(46,0) = "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(46,1) = "shdocvw.dll"
arSEA(47,0) = "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(47,1) = "shdocvw.dll"
arSEA(48,0) = "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(48,1) = "shdocvw.dll"
arSEA(49,0) = "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(49,1) = "shdocvw.dll"
arSEA(50,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524152}" : arSEA(50,1) = "shdocvw.dll"
arSEA(51,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524153}" : arSEA(51,1) = "shdocvw.dll"
arSEA(52,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(52,1) = "shmedia.dll"
arSEA(53,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(53,1) = "shmedia.dll"
arSEA(54,0) = "{E4B29F9D-D390-480b-92FD-7DDB47101D71}" : arSEA(54,1) = "shmedia.dll"
arSEA(55,0) = "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" : arSEA(55,1) = "shmedia.dll"
arSEA(56,0) = "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" : arSEA(56,1) = "shmedia.dll"
arSEA(57,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(57,1) = "shmedia.dll"
arSEA(58,0) = "{5E6AB780-7743-11CF-A12B-00AA004AE837}" : arSEA(58,1) = "browseui.dll"
arSEA(59,0) = "{22BF0C20-6DA7-11D0-B373-00A0C9034938}" : arSEA(59,1) = "browseui.dll"
arSEA(60,0) = "{91EA3F8B-C99B-11d0-9815-00C04FD91972}" : arSEA(60,1) = "browseui.dll"
arSEA(61,0) = "{6413BA2C-B461-11d1-A18A-080036B11A03}" : arSEA(61,1) = "browseui.dll"
arSEA(62,0) = "{F61FFEC1-754F-11d0-80CA-00AA005B4383}" : arSEA(62,1) = "browseui.dll"
arSEA(63,0) = "{7BA4C742-9E81-11CF-99D3-00AA004AE837}" : arSEA(63,1) = "browseui.dll"
arSEA(64,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(64,1) = "browseui.dll"
arSEA(65,0) = "{32683183-48a0-441b-a342-7c2a440a9478}" : arSEA(65,1) = "browseui.dll"
arSEA(66,0) = "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" : arSEA(66,1) = "browseui.dll"
arSEA(67,0) = "{07798131-AF23-11d1-9111-00A0C98BA67D}" : arSEA(67,1) = "browseui.dll"
arSEA(68,0) = "{AF4F6510-F982-11d0-8595-00AA004CD6D8}" : arSEA(68,1) = "browseui.dll"
arSEA(69,0) = "{01E04581-4EEE-11d0-BFE9-00AA005B4383}" : arSEA(69,1) = "browseui.dll"
arSEA(70,0) = "{A08C11D2-A228-11d0-825B-00AA005B4383}" : arSEA(70,1) = "browseui.dll"
arSEA(71,0) = "{00BB2763-6A77-11D0-A535-00C04FD7D062}" : arSEA(71,1) = "browseui.dll"
arSEA(72,0) = "{7376D660-C583-11d0-A3A5-00C04FD706EC}" : arSEA(72,1) = "browseui.dll"
arSEA(73,0) = "{6756A641-DE71-11d0-831B-00AA005B4383}" : arSEA(73,1) = "browseui.dll"
arSEA(74,0) = "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" : arSEA(74,1) = "browseui.dll"
arSEA(75,0) = "{7e653215-fa25-46bd-a339-34a2790f3cb7}" : arSEA(75,1) = "browseui.dll"
arSEA(76,0) = "{acf35015-526e-4230-9596-becbe19f0ac9}" : arSEA(76,1) = "browseui.dll"
arSEA(77,0) = "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" : arSEA(77,1) = "browseui.dll"
arSEA(78,0) = "{00BB2764-6A77-11D0-A535-00C04FD7D062}" : arSEA(78,1) = "browseui.dll"
arSEA(79,0) = "{03C036F1-A186-11D0-824A-00AA005B4383}" : arSEA(79,1) = "browseui.dll"
arSEA(80,0) = "{00BB2765-6A77-11D0-A535-00C04FD7D062}" : arSEA(80,1) = "browseui.dll"
arSEA(81,0) = "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" : arSEA(81,1) = "browseui.dll"
arSEA(82,0) = "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" : arSEA(82,1) = "browseui.dll"
arSEA(83,0) = "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" : arSEA(83,1) = "browseui.dll"
arSEA(84,0) = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" : arSEA(84,1) = "browseui.dll"
arSEA(85,0) = "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" : arSEA(85,1) = "browseui.dll"
arSEA(86,0) = "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" : arSEA(86,1) = "browseui.dll"
arSEA(87,0) = "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" : arSEA(87,1) = "shdocvw.dll"
arSEA(88,0) = "{0A89A860-D7B1-11CE-8350-444553540000}" : arSEA(88,1) = "shdocvw.dll"
arSEA(89,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(89,1) = "shdocvw.dll"
arSEA(90,0) = "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" : arSEA(90,1) = "shdocvw.dll"
arSEA(91,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(91,1) = "shdocvw.dll"
arSEA(92,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(92,1) = "shdocvw.dll"
arSEA(93,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(93,1) = "shdocvw.dll"
arSEA(94,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(94,1) = "shdocvw.dll"
arSEA(95,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(95,1) = "shdocvw.dll"
arSEA(96,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(96,1) = "shdocvw.dll"
arSEA(97,0) = "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" : arSEA(97,1) = "shdocvw.dll"
arSEA(98,0) = "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" : arSEA(98,1) = "shdocvw.dll"
arSEA(99,0) = "{131A6951-7F78-11D0-A979-00C04FD705A2}" : arSEA(99,1) = "shdocvw.dll"
arSEA(100,0) = "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" : arSEA(100,1) = "shdocvw.dll"
arSEA(101,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(101,1) = "shdocvw.dll"

ok 'Silent Runners.vbs -- find out what starts up with Windows!
'(compatible with Windows 95/98/Millennium/NT 4.0/2000 Pro/XP Home & Pro/Vista RC1)
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF 14 January 2007, https://www.silentrunners.org/
'This script is provided without any warranty, either express or implied
'It may not be copied or distributed without permission
'
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! ** (END OF HEADER)


Option Explicit

Dim strRevNo : strRevNo = "R50"

Public flagTest : flagTest = False 'True if in testing mode
'flagTest = True 'Uncomment to put in testing mode
Public arSecTest : arSecTest = Array() 'array of section numbers to test

Public intSection : intSection = 0 'section counter

'This script is divided into 28 sections.

'malware launch points:
' registry keys (1-12, 15)
' INI/INF-files (16-18)
' folders (19)
' enabled scheduled tasks (20)
' Winsock2 service provider DLLs (21)
' IE toolbars, explorer bars, extensions (22)
' started services (26)
' keyboard driver filters (27)
' printer monitors (28)

'hijack points:
' System/Group Policies (14)
' prefixes for IE URLs (23)
' misc IE points (24)
' HOSTS file (25)

'Output is suppressed if deemed normal unless the -all parameter is used
'Section XVIII is skipped unless the -supp/-all parameters are used or
'the first message box is answered "No" and the next message box "Yes"

' 1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
' HKLM... RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run
' 2. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\
' (StubPath <> "" And HKLM version # > HKCU version #)
' 3. HKLM... Explorer\Browser Helper Objects\
' 4. HKLM... Shell Extensions\Approved\
' 5. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks
' 6. HKCU/HKLM... ShellServiceObjectDelayLoad\
' 7. HKCU/HKLM... Command Processor\AutoRun
' HKCU... Policies\System\Shell (W2K/WXP/WVa only)
' HKCU... Windows\load & run
' HKLM... Windows\AppInit_DLLs
' HKCU/HKLM... Winlogon\Shell
' HKLM... Winlogon\Userinit, System, Ginadll, Taskman
' HKLM... Control\SafeBoot\Option\UseAlternateShell
' HKLM... Control\SecurityProviders\SecurityProviders
' HKLM... Control\Session Manager\BootExecute
' HKLM... Control\Session Manager\WOW\cmdline, wowcmdline
' 8. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
' 9. HKLM... Image File Execution Options ("Debugger" subkeys)
'10. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff scripts (W2K/WXP/WVa)
'11. HKCU/HKLM Protocols\Filter
'12. Context menu shell extensions
'13. HKCU/HKLM executable file type (bat/cmd/com/exe/hta/pif/scr)
'14. System/Group Policies
'15. Enabled Wallpaper & Screen Saver
'16. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe, scrnsave.exe), WINSTART.BAT
'17. AUTORUN.INF in root directory of local fixed disks
'18. DESKTOP.INI in any local fixed disk directory (section skipped by default)
'19. %WINDIR%... Startup & All Users... Startup (W98/WMe) or
' %USERNAME%... Startup & All Users... Startup folder contents
'20. Enabled Scheduled Tasks
'21. Winsock2 Service Provider DLLs
'22. Internet Explorer Toolbars, Explorer Bars, Extensions
'23. Internet Explorer URL Prefixes
'24. Misc. IE Hijack Points
'25. HOSTS file
'26. Started Services
'27. Keyboard Driver Filters
'28. Print Monitors

Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")
Dim WshoArgs : Set WshoArgs = WScript.Arguments
Dim intErrNum, intMB, intMB1 'Err.Number, MsgBox return value x 2

Dim strflagTest : strflagTest = ""
If flagTest Then
strflagTest = "TEST "
Wshso.Popup "Silent Runners is in testing mode.",1, _
"Testing, testing, 1-2-3...", vbOKOnly + vbExclamation
End If

'Configuration Detection Section

' FileSystemObject creation error (112)
' CScript/WScript (147)
' Dim (161)
' GetFileVersion(WinVer.exe) (VBScript 5.1) (182)
' OS version (223)
' WMI (279)
' Dim (364)
' command line arguments (440)
' supplementary search MsgBox (532)
' startup MsgBox (557)
' CreateTextFile error (583)
' output file header (625)
' WXP SP2 (629)

On Error Resume Next
Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

If intErrNum <> 0 Then

strURL = "https://docs.microsoft.com/en-us/"

intMB = MsgBox (Chr(34) & "Silent Runners" & Chr(34) &_
" cannot access file services critical to" & vbCRLF &_
"proper script operation." & vbCRLF & vbCRLF &_
"If you are running Windows XP, make sure that the" &_
vbCRLF & Chr(34) & "Cryptographic Services" & Chr(34) &_
" service is started." & vbCRLF & vbCRLF &_
"You can also try reinstalling the latest version of the MS" &_
vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
"the download site or" & vbCRLF & Space(10) & Chr(34) & "Cancel" &_
Chr(34) & " to quit.", vbOKCancel + vbCritical, _
"Can't access the FileSystemObject!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

WScript.Quit

End If

Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network")

Const HKLM = &H80000002, HKCU = &H80000001
Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7
Const REG_QWORD = 11
Const MS = " [MS]"
Const DQ = """", LBr = "{"
Const IWarn = "<<!>> ", HWarn = "<<H>> "

'determine whether output is via MsgBox/PopUp or Echo
Dim flagOut
If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then
flagOut = "W" 'WScript
ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then
flagOut = "C" 'CScript
Else 'echo and continue if it works
flagOut = "C" 'assume CScript-compatible
WScript.Echo "Neither " & Chr(34) & "WSCRIPT.EXE" & Chr(34) & " nor " &_
Chr(34) & "CSCRIPT.EXE" & Chr(34) & " was detected as " &_
"the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_
" will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_
"use WScript.Echo for all messages."
End If 'script host

Const SysFolder = 1 : Const WinFolder = 0
Dim strOS : strOS = "Unknown"
Dim strOSLong : strOSLong = "Unknown"
Dim strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro
Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
Public strExeBareName 'bare file name w/o windows or system folder prefixes
Dim strSysVer 'Winver.exe version number
Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number
Dim intLenValue 'value length
Dim strURL 'download URL
'assume Group Policies cannot be set in the O/S
Dim flagGP : flagGP = False
'HKCU/HKLM CLSID Lower Limit, default is HKLM for O/S <= NT4
Dim intCLL : intCLL = 1

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
'trap GetFileVersion error for VBScript version < 5.1
On Error Resume Next
If Fso.FileExists (strFPSF & "\Winver.exe") Then
strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
Else
strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
End If
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if GetFileVersion returns error due to old WSH version
If intErrNum <> 0 Then

'store dl URL
strURL = "http://tinyurl.com/7zh0"

'if using WScript
If flagOut = "W" Then

'explain the problem
intMB = MsgBox ("This script requires Windows Script Host (WSH) 5.1 " &_
"or higher to run." & vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" &_
Chr(34) & " to direct your browser to the WSH download site or " &_
Chr(34) & "Cancel" & Chr(34) & " to quit." & vbCRLF & vbCRLF &_
"(WMI is also required. If it's missing, download instructions " &_
"will appear later.)", vbOKCancel + vbExclamation, _
"Unsupported Windows Script Host Version!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

'if using CScript
Else 'flagOut = "C"

'explain the problem
WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"Windows Script Host 5.1 or higher to run." & vbCRLF & vbCRLF &_
"It can be downloaded at: " & strURL

End If 'WScript or CScript?

'quit the script
WScript.Quit

End If 'VBScript version error encountered?

'use WINVER.EXE file version to determine O/S
If Instr(Left(strSysVer,3),"4.1") > 0 Then
strOS = "W98" : strOSLong = "Windows 98"

ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then
strOS = "NT4" : strOSLong = "Windows NT 4.0"

ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then
strOS = "W98" : strOSLong = "Windows 95"

ElseIf Instr(Left(strSysVer,8),"4.0.0.11") > 0 Then
strOS = "W98" : strOSLong = "Windows 95 SR2 (OEM)"

ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then
strOS = "W2K" : strOSLong = "Windows 2000" : : intCLL = 0 : flagGP = True

ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then
'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180
strOS = "WXP" : strOSLong = "Windows XP" : intCLL = 0

If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2"

ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then
strOS = "WME" : strOSLong = "Windows Me (Millennium Edition)"

ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then
strOS = "WXP" : strOSLong = "Windows Server 2003 (interpreted as Windows XP)"
flagGP = True : intCLL = 0

ElseIf Instr(Left(strSysVer,3),"6.0") > 0 Then
strOS = "WVA" : strOSLong = "Windows Vista RC1"
flagGP = True : intCLL = 0

Else 'unknown strSysVer

If flagOut = "W" Then

intMB = MsgBox ("The " & Chr(34) & "Silent Runners" & Chr(34) &_
" script cannot determine the operating system." & vbCRLF & vbCRLF &_
"Click " & Chr(34) & "OK" & Chr(34) & " to send an e-mail to the " &_
"author, providing the following information:" & vbCRLF & vbCRLF &_
"WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_
"or click " & Chr(34) & "Cancel" & Chr(34) & " to quit.", _
49,"O/S Unknown!")

If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_
"<%6F%73.%76%65%72.%65%72%72%6F%72@%73%69%6C%65%6E%74%72%75%6E%6E%65%72%73.%6F%72%67>?" &_
"subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_
"%20file%20version%20=%20" & strSysVer

Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
"determine the operating system." & vbCRLF & vbCRLF & "This script will exit."

End If 'flagOut?

WScript.Quit

End If 'OS id'd from strSysVer?

'use WMI to connect to the registry
On Error Resume Next
Dim oReg : Set oReg = GetObject("winmgmts:\root\default:StdRegProv")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'detect WMI connection error
If intErrNum <> 0 Then

strURL = ""

'for W98/NT4, assume WMI not installed and direct to d/l URL
If strOS = "W98" Or strOS = "NT4" Then

If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"
If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7"

'invite user to download WMI & quit
If flagOut = "W" Then

intMB = MsgBox ("This script requires " & Chr(34) & "WMI" &_
Chr(34) & ", Windows Management Instrumentation, to run." &_
vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_
vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" & Chr(34) &_
" to direct your browser to the download site or " &_
Chr(34) & "Cancel" & Chr(34) & " to quit.",_
vbOKCancel + vbCritical,"WMI Not Installed!")

If intMB = 1 Then Wshso.Run strURL

'at command line, explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_
"to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL

End If

'for W2K/WXP/WVa, explain how to start the WMI service
ElseIf strOS = "W2K" Or strOS = "WXP" or strOS = "WVA" Then

If strOS = "W2K" Then strLine = "Settings | Control Panel | "
If strOS = "WXP" Then strLine = "Control Panel | "
If strOS = "WVA" Then strLine = "Control Panel | Classic View | "

'explain how to turn on WMI service
If flagOut = "W" Then

MsgBox "This script requires Windows Management Instrumentation" &_
" to run." & vbCRLF & vbCRLF & "Click on Start | " & strLine &_
"Administrative Tools | Services," & vbCRLF &_
"and start the " & Chr(34) & "Windows Management Instrumentation" &_
Chr(34) & " service.",vbOKOnly + vbCritical,"WMI Service not running!"

'at command line, explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_
"Click on Start | " & strLine & "Administrative " &_
"Tools | Services" & vbCRLF & "and start the " & Chr(34) &_
"Windows Management Instrumentation" & Chr(34) & " service."

End If 'flagOut?

Else 'WMe

'say there's a WMI problem
If flagOut = "W" Then

MsgBox "This script requires WMI (Windows Management Instrumentation)" &_
" to run," & vbCRLF & "but WMI is not running correctly.", _
vbOKOnly + vbCritical,"WMI problem!"

'at command line, explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"WMI (Windows Management Instrumentation) to run," & vbCRLF &_
"but WMI is not running correctly."

End If 'flagOut?

End If 'which O/S?

WScript.Quit

End If 'WMI execution error

'array of Run keys, counter x 5, hive member, startup folder file,
'startup file shortcut, IERESET.INF file
Dim arRunKeys, i, ii, j, k, l, oHiveElmt, oSUFi, oSUSC
'dictionary, keys, items, hard disk collection
Dim arSK, arSKk, arSKi, colDisks

'arrays: Run key names, keys, sub-keys, value type, SecurityProviders,
' Protocol filters, values
Dim arNames(), arKeys(), arSubKeys(), arType, arSP, arFilter(), arValues
'Sub-Directory DeskTop.Ini array, Sub-Directory Error array, Error array
'Recognized GP names, allowed GP names
Public arSDDTI(), arSDErr(), arErr(), arRecNames(), arAllowedNames()

'DeskTop.Ini counter, Error counter x 2, Classes data Hive counter
Public ctrArDTI, ctrArErr, ctrErr, ctrCH
Public ctrFo : ctrFo = 0 'folder counter

'name member, key array member x 4, O/S, drive root directory, work file
Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk
'values x 7
Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6
Dim strVal, intValue, strCmd
'name, single character, startup folder name, startup folder, array member, temp var
Dim strName, strChr, arSUFN, oSUF, strArMember, strTmp, strTmp2
'output string x 3
Public strOut, strOut1, strOut2

'output file msg x 2, warning string, title line
Dim strLine, strLine1, strLine2, strWarn, strTitleLine
'infection/hijack warning detection flags -- add footer note if True
Public flagIWarn : flagIWarn = False
Public flagHWarn : flagHWarn = False
Dim strKey, strKey1, strKey2, strKey3, strSubKey 'register key x 4, sub-key
'output file name string (incl. path), file name (wo path),
'PIF path string, single binary character
Dim strFN, strFNNP, strPIFTgt, bin1C
Public datLaunch : datLaunch = Now 'script launch time
Public intCnt 'counter
'ref time, time taken by 2 pop-up boxes
Public datRef : datRef = 0
Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0

'TRUE if show all output (default values not filtered)
Public flagShowAll : flagShowAll = False
Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_
"except where indicated by " & Chr(34) & "{++}" & Chr(34) 'output file string
Public strTitle : strTitle = ""
Public strSubTitle : strSubTitle = ""
Public strSubSubTitle : strSubSubTitle = ""
Public flagNVP : flagNVP = False 'existence of name/value pairs in a key
Public flagInfect : flagInfect = False 'flag infected condition
Dim flagMatch 'flag matching keys
Dim flagAllow 'flag key on approved list
Dim flagFound 'flag key that exists in Registry
Dim flagDirArg : flagDirArg = False 'presence of output directory argument
Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format
Dim flagTitle 'True if title has already been written
Dim flagAllArg : flagAllArg = False 'presence of all output argument
Dim flagArray 'flag array containing elements
Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all
'directories of local fixed disks
Dim intLBSP 'Last BackSlash Position in path string
Dim intSS 'lowest sort subscript
Dim intType 'value type
Dim strDLL, strCN 'DLL name, company name
'string to signal all output by default
Public strAllOutDefault : strAllOutDefault = ""

Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)
If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"
'initialize Path of Output File Folder to script path
Dim strPathOFFo : strPathOFFo = ScrPath

'hive array
Public arHives(1,1)
arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

'set up argument usage message string

Dim strLSp, strCSp 'Leading Spaces, Centering Spaces
strLSp = Space(4) : strCSp = Space(33) 'WScript spacing
If flagOut = "C" Then 'CScript spacing
strLsp = Space(3) : strCSp = Space(28)
End If

Dim strMsg : strMsg = "Only two arguments are permitted:" &_
vbCRLF & vbCRLF &_
"1. the name of an existing directory for the output report" &_
vbCRLF & strLSp & "(embed in quotes if it contains spaces)" &_
vbCRLF & vbCRLF & strCSp & "AND:" & vbCRLF & vbCRLF &_
"2. " & Chr(34) & "-supp" & Chr(34) & " to search " &_
"all directories for DESKTOP.INI DLL" & vbCRLF &_
strLSp & "launch points" &_
vbCRLF & vbCRLF & strCSp & "-OR-" & vbCRLF & vbCRLF &_
"3. " & Chr(34) & "-all" & Chr(34) & " to output all non-empty " &_
"values and all launch" & vbCRLF & strLSp & "points checked"

'check if output directory or "-all" or "-supp" was supplied as argument
If WshoArgs.length > 0 And WshoArgs.length <= 2 Then

For i = 0 To WshoArgs.length-1

'if directory arg not already passed and arg directory exists
If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then

'get the path & toggle the directory arg flag
Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i))
strPathOFFo = oOFFo.Path : flagDirArg = True
If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"
Set oOFFo=Nothing

'if -all arg not already passed and is this arg
ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then

'toggle ShowAll flag, toggle the all arg flag, fill report string
flagShowAll = True : flagAllArg = True
strRptOutput = "Output of all locations checked and all values found."

'if -all arg not already passed and is this arg
ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-supp" Then
flagSupp = True : flagAllArg = True
strRptOutput = "Search enabled of all directories on local fixed " &_
"drives for DESKTOP.INI" & vbCRLF & " DLL launch points" &_
vbCRLF & strRptOutput

'argument can't be interpreted, so explain & quit
Else

If flagOut = "W" Then 'pop up a message window

Wshso.Popup "The argument:" & vbCRLF &_
Chr(34) & UCase(WshoArgs(i)) & Chr(34) & vbCRLF &_
"... can't be interpreted." & vbCRLF & vbCRLF &_
strMsg,10,"Bad Script Argument", vbOKOnly + vbExclamation

Else 'flagOut = "C" 'write the message to the console

WScript.Echo vbCRLF & "The argument: " &_
Chr(34) & UCase(WshoArgs(i)) & Chr(34) &_
" can't be interpreted." & vbCRLF & vbCRLF &_
strMsg & vbCRLF

End If 'WScript host?

WScript.Quit

End If 'argument can be interpreted?

Next 'argument

'too many args passed
ElseIf WshoArgs.length > 2 Then

'explain & quit
If flagOut = "W" Then 'pop up a message window

Wshso.Popup "Too many arguments (" & WshoArgs.length & ") were passed." &_
vbCRLF & vbCRLF & strMsg,10,"Too Many Arguments",_
vbOKOnly + vbCritical

Else 'flagOut = "C" 'write the message to the console

WScript.Echo "Too many arguments (" & WshoArgs.length & ") were passed." &_
vbCRLF & vbCRLF & strMsg & vbCRLF

End If 'WScript host?

WScript.Quit

End If 'directory arguments passed?

Set WshoArgs=Nothing

datRef = Now

'if no cmd line argument for flagSupp and not testing, show popup
If Not flagTest And Not flagShowAll And Not flagSupp And flagOut = "W" Then

intMB = Wshso.Popup ("Do you want to skip the supplementary search?" &_
vbCRLF & "(It typically takes several minutes.)" & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "Yes" & Chr(34) & Space(5) &_
" to skip the supplementary search (default)" & vbCRLF & vbCRLF &_
Space(10) & Chr(34) & "No" & Chr(34) & Space(6) &_
" to perform it, or" & vbCRLF & vbCRLF &_
Space(10) & Chr(34) & "Cancel" & Chr(34) &_
" to get more information at the web site" & vbCRLF &_
Space(25) & "and exit the script.",_
15,"Skip supplementary search?",_
vbYesNoCancel + vbQuestion + vbDefaultButton1 + vbSystemModal)

If intMB = vbNo Then

flagSupp = True

intMB1 = MsgBox ("Are you SURE you want to run the supplementary " &_
"search?" & vbCRLF & vbCRLF & "It's _rarely_ necessary " &_
"and it takes a *long* time." & vbCRLF & vbCRLF & "Press " & DQ &_
"Yes" & DQ & " to confirm running the supplementary search, " &_
"or" & vbCRLF & Space(10) & DQ & "No" & DQ & " to run without it.", _
vbYesNo + vbQuestion + vbDefaultButton2 + vbSystemModal,"Are you sure?")

If intMB1 = vbNo Then flagSupp = False

ElseIf intMB = vbCancel Then
Wshso.Run "https://www.silentrunners.org/thescript.html#supp"
WScript.Quit
End If

End If

datPUB1 = DateDiff("s",datRef,Now) : datRef = Now

'inform user that script has started
If Not flagTest Then
If flagOut = "W" Then
Wshso.PopUp Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
vbCRLF & vbCRLF & "A message box like this one will appear " &_
"when it's done." & vbCRLF & vbCRLF & "Please be patient...",3,_
"Silent Runners R" & strRevNo & " startup", _
vbOKOnly + vbInformation + vbSystemModal
Else
WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
" Please be patient..."
End If 'flagOut?
End If 'flagTest?

datPUB2 = DateDiff("s",datRef,Now)

'create output file name with computer name & today's date
'Startup Programs (pc_name_here) yyyy-mm-dd.txt

strFNNP = "Startup Programs (" & oNetwk.ComputerName & ") " &_
FmtDate(datLaunch) & " " & FmtHMS(datLaunch) & ".txt"
strFN = strPathOFFo & strflagTest & strFNNP
On Error Resume Next
If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN)
Err.Clear
Public oFN : Set oFN = Fso.CreateTextFile(strFN,True)
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if can't create report file
If intErrNum > 0 Then

strURL = "https://www.silentrunners.org/Silent%20Runners%20RED.vbs"

'invite user to run RED version & quit
If flagOut = "W" Then

intMB = MsgBox ("The script cannot create its report file. " &_
"This is a known, intermittent" & vbCRLF & "problem under " &_
strOSLong & "." & vbCRLF & vbCRLF &_
"An alternative script version is available for download. " &_
"After it runs, " & vbCRLF & "the script you're using now will " &_
"run correctly." & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser " &_
"to the alternate script location, or" & vbCRLF & Space(10) &_
Chr(34) & "Cancel" & Chr(34) & " to quit.",49,"CreateTextFile Error!")

'if alternative script wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

'explain & quit
Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
"create the report file." & vbCRLF & vbCRLF &_
"An alternative script is available. Run it, then rerun this version." &_
vbCRLF & "The alternative script can be downloaded at: " & vbCRLF &_
vbCRLF & strURL

End If

WScript.Quit

End If 'report file creation error?

'add report header
Set oNetwk=Nothing

oFN.WriteLine Chr(34) & "Silent Runners.vbs" & Chr(34) &_
", revision " & strRevNo & ", https://www.silentrunners.org/" &_
vbCRLF & "Operating System: " & strOSLong & vbCRLF & strRptOutput

'test for WMI corruption and use WMI to differentiate between
'WXP Home & WXP Pro

'get the O/S collection
Dim colOS : Set colOS = GetObject("winmgmts:\root\cimv2").ExecQuery _
("Select * from Win32_OperatingSystem")

On Error Resume Next

Err.Clear

For Each oOS in colOS

If strOS = "WXP" Then

'modify strOSXP if O/S = Pro
If InStr(1,LCase(oOS.Name),"professional",1) > 0 Then
strOSXP = "Windows XP Professional"
flagGP = True
End If
'modify strOSXP if SP2
If Right(strOSLong,3) = "SP2" Then strOSXP = strOSXP & " SP2"

End If 'WXP?

Next 'oOS

If Err.Number <> 0 Then

strURL = "http://go.microsoft.com/fwlink/?LinkId=62562"

oFN.WriteLine vbCRLF & "FATAL ERROR!" & vbCRLF & String(12,"-") &_
vbCRLF & vbCRLF & DQ & "Silent Runners" & DQ &_
" cannot use WMI to identify the operating system." &_
vbCRLF & "This is caused by corruption of the WMI installation." &_
vbCRLF & vbCRLF &_
"WMI is complex and it is recommended that you use a Microsoft" &_
vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_
"on your system." & vbCRLF & vbCRLF & "It can be downloaded here:" &_
vbCRLF & vbCRLF & strURL

intMB = MsgBox (DQ & "Silent Runners" & DQ & " cannot use WMI to " &_
"identify the operating system." & vbCRLF & "This is caused by " &_
"corruption of the WMI installation." &_
vbCRLF & vbCRLF &_
"WMI is complex and it is recommended that you use a Microsoft" &_
vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_
"on your system." &_
vbCRLF & vbCRLF &_
"Press " & DQ & "OK" & DQ & " to direct your browser to the " &_
"WMIDiag download site or" &_
vbCRLF & Space(10) & DQ & "Cancel" & DQ & " to quit.",_
vbOKCancel + vbCritical + + vbSystemModal + vbDefaultButton2,_
"Can't iterate Win32_OperatingSystem!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

WScript.Quit

End If 'Err.Number<>0?

On Error Goto 0

Set colOS=Nothing




'#1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
' HKLM... RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

'write registry header lines to file
strTitle = "Startup items buried in registry:"
TitleLineWrite

'put keys in array (Key Index 0 - 6)
arRunKeys = Array ("Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _
"Software\Microsoft\Windows\CurrentVersion\Run", _
"Software\Microsoft\Windows\CurrentVersion\RunOnce", _
"Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _
"Software\Microsoft\Windows\CurrentVersion\RunOnceEx", _
"Software\Microsoft\Windows\CurrentVersion\RunServices", _
"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce")

'Key Execution Flag/Subkey Recursion Flag array
'
'first number in the ordered pair in the array immediately below
' pertains to execution of the key:
'0: not executed (ignore)
'1: may be executed so display with EXECUTION UNLIKELY warning
'2: executable
'
'second number in the ordered pair pertains to subkey recursion
'0: subkeys not used
'1: subkey recursion necessary

'0 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
'1 Software\Microsoft\Windows\CurrentVersion\Run
'2 Software\Microsoft\Windows\CurrentVersion\RunOnce
'3 Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
'4 Software\Microsoft\Windows\CurrentVersion\RunOnceEx
'5 Software\Microsoft\Windows\CurrentVersion\RunServices
'6 Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

'Hive HKCU - 0 HKLM - 1
'
'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6
'Index

'O/S:
'W95 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 0,0 2,1 2,0 2,0
'W98 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
'WMe 2,1 2,1 2,0 2,0 2,1 0,0 0,0 2,1 2,1 2,0 2,0 2,1 2,0 2,0
'NT4 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 0,0 2,1 0,0 0,0
'W2K 2,1 2,1 2,1 0,0 2,1 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0
'WXP 2,0 2,0 2,0 0,0 2,1 0,0 0,0 2,0 2,0 2,0 0,0 2,1 0,0 0,0
'WS2K3 ??? <-------------------- ??? --------------------> ???
'WVa 2,0 2,0 2,0 0,0 2,1 0,0 0,0 2,0 2,0 2,0 0,0 2,1 0,0 0,0

'arRegFlag(i,j,k): put flags in array by O/S:
'hive = i (0 or 1), key_# = j (0-6),
' flags (key execution/subkey recursion) = k (0 or 1)
' k = 0 holds key execution value = 0/1/2
' 1 holds subkey recursion value = 0/1
Dim arRegFlag()
ReDim arRegFlag(1,6,1)

'initialize entire array to zero
For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1
arRegFlag(i,j,k) = 0
Next : Next : Next

'add data to array for O/S that's running

'W98
If strOS = "W98" Then
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
'don't set HKLM,RunOnce\Setup for W95
If strOSLong = "Windows 98" Then _
arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
End If

If strOS = "WME" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,3,0) = 2 'HKCU,RunOnce\Setup = no-warn
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
End If

'NT4
If strOS = "NT4" Then
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'W2K
If strOs = "W2K" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys (incl. Setup)
arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys (incl. Setup)
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'WXP/WVa
If strOs = "WXP" Or strOS = "WVA" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(0,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'for each hive
For i = 0 To 1

'for each key
For j = 0 To 6

'if not ShowAll, show all output for Run keys
If j = 1 And Not flagShowAll Then strAllOutDefault = " {++}"

'if key is not ignored
If arRegFlag(i,j,0) > 0 Then

flagNVP = False

'intialize string with warning if necessary
strWarn = ""
If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: "

'INFO
'with no name/value pairs (sub-keys are identical)
' IsArray TypeName UBound
'W98 True "Variant()" -1
'WMe True "Variant()" -1
'NT4 True "Variant()" -1
'W2K False "Null" error (--)
'WXP False "Null" error (--)
'WS2K3 True "Variant()" error (--)
'WVa False "Null" error (--)

EnumNVP arHives(i,1), arRunKeys(j), arNames, arType

If flagNVP Then 'name/value pairs exist

'write the full key name
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\" & strAllOutDefault

'for each data type in the names array
For k = LBound(arNames) To UBound(arNames)

'use the type to find the value
strValue = RtnValue (arHives(i,1), arRunKeys(j), arNames(k), arType(k))
'write the name & value
WriteValueData arNames(k), strValue, arType(k), strWarn

Next 'member of names array

Else 'no name/value pairs

If flagShowAll Then _
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\"

End If 'flagNVP?

'recurse subkeys if necessary
If arRegFlag(i,j,1) = 1 Then

'put all subkeys into array
oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys

'excludes W2K/WXP/WVa with no sub-keys
If IsArray(arKeys) Then

'excludes W98/WMe/NT4/WS2K3 with no sub-keys
For Each strMemKey in arKeys

flagNVP = False
strSubKey = arRunKeys(j) & "\" & strMemKey

EnumNVP arHives(i,1), arRunKeys(j) & "\" & strMemKey,arNames,arType

If flagNVP Then 'if name/value pairs exist

'write the full key name
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey &_
"\" & strAllOutDefault

'for each data type in the names array
For k = LBound(arNames) To UBound(arNames)

'use the type to find the value
strValue = RtnValue (arHives(i,1), strSubKey, arNames(k), arType(k))
'write the name & value
WriteValueData arNames(k), strValue, arType(k), strWarn

Next 'member of names array

Else 'no name/value pairs

If flagShowAll Then _
oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & "\"

End If 'flagNVP?

Next 'sub-key

End If 'sub-keys exist? W2K/WXP/WS2K3/WVa

End If 'enum sub-keys?

End If 'arRegFlag(i,j,0) > 0

Next 'Run key

Next 'Hive

strAllOutDefault = "" : flagNVP = False

'recover array memory
ReDim arRunKeys(0)
ReDim arKeys(0)
ReDim arRegFlag(0)

End If 'flagTest And SecTest?




'#2. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

'flags True if only numeric & comma chrs in Version values
Dim flagHKLMVer, flagHKCUVer
'StubPath Value string, HKLM Version value, HKCU Version value, HKLM program name
Dim strSPV, strHKLMVer, strHKCUVer, strPgmName
Dim arHKLMKeys, arHKCUKeys, strHKLMKey, strHKCUKey

strKey = "Software\Microsoft\Active Setup\Installed Components"

strSubTitle = "HKLM" & "\" & strKey & "\"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM
oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU

'enumerate HKLM keys if present
If IsArray(arHKLMKeys) Then

'for each HKLM key
For Each strHKLMKey In arHKLMKeys

'INFO
'Default Value not set:
'W98/WMe: returns 0, strValue = ""
'NT4/W2K/WXP/WVa: returns non-zero, strValue = Null

'Non-Default name inexistent:
'W98/WMe/NT4/W2K/WXP/WVa: returns non-zero, strValue = Null

'Non-Default Value not set:
'W2K: returns 0, strValue = unwritable string
'W98/WMe/NT4/WXP/WVa: returns 0, strValue = ""

'get the StubPath value
intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"StubPath",strSPV)

'if the StubPath name exists And value set (exc for W2K!)
If intErrNum = 0 And strSPV <> "" Then

flagMatch = False

'if HKCU keys present
If IsArray(arHKCUKeys) Then

'for each HKCU key
For Each strHKCUKey in arHKCUKeys

'if identical HKLM key exists
If LCase(strHKLMKey) = LCase(strHKCUKey) Then

'assume Version fmts are OK
flagHKLMVer = True : flagHKCUVer = True

'get HKLM & HKCU Version values
intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey, _
"Version",strHKLMVer) 'HKLM Version #
intErrNum2 = oReg.GetStringValue (HKCU,strKey & "\" & strHKCUKey, _
"Version",strHKCUVer) 'HKCU Version #

'if HKLM Version name exists And value set (exc for W2K!)
If intErrNum1 = 0 And strHKLMVer <> "" Then

'the next two loops check for allowed chars (numeric & comma)
' in returned Version values

For i = 1 To Len(strHKLMVer)
strChr = Mid(strHKLMVer,i,1)
If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False
Next

'if HKCU Version name exists And value set (exc for W2K!)
If intErrNum2 = 0 And strHKCUVer <> "" Then

'check that value consists only of numeric & comma chrs
For i = 1 To Len(strHKCUVer)
strChr = Mid(strHKCUVer,i,1)
If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False
Next

End If 'HKCU Version null or MT?

'if HKLM Ver # has illegal fmt (i.e., is not assigned) or doesn't exist (is Null)
' or is empty, match = True
'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True
'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output
' but StubPath will not launch
If Not flagHKLMVer Then flagMatch = True
If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True

Else 'HKLM Version name doesn't exist Or value not set (exc for W2K!)

flagMatch = True

End If 'HKLM Version name exists And value set (exc for W2K!)?

End If 'HKCU key=HKLM key?

Next 'HKCU Installed Components key

End If 'HKCU Installed Components subkeys exist?

'if the StubPath will launch
If Not flagMatch Then

flagAllow = False 'assume StubPath DLL not on approved list
strCN = CoName(IDExe(strSPV))

'test for approved StubPath DLL
If LCase(strHKLMKey) = ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" And _
(InStr(LCase(strSPV),"wmpocm.exe") > 0 Or _
InStr(LCase(strSPV),"unregmp2.exe") > 0) And _
strCN = MS And Not flagShowAll Then flagAllow = True

'StubPath DLL not approved
If Not flagAllow Then

'get the default value (program name)
intErrNum3 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"",strPgmName)
'enclose pgm name in quotes if name exists and default value isn't empty
If intErrNum3 = 0 And strPgmName <> "" Then
strPgmName = Chr(34) & strPgmName & Chr(34)
Else
strPgmName = "(no title provided)"
End If

TitleLineWrite

'output the CLSID & pgm name
oFN.WriteLine strHKLMKey & "\(Default) = " & StringFilter(strPgmName,False)

On Error Resume Next
'output the StubPath value
oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
Chr(34) & strSPV & Chr(34) & strCN
'error check for W2K if StubPath value not set
If Err.Number <> 0 Then oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
"(value not set)"
Err.Clear
On Error GoTo 0

End If 'flagAllow false?

End If 'flagMatch false?

End If 'StubPath value exists?

Next 'HKLM Installed Components subkey

End If 'HKLM Installed Components subkeys exist?

If flagShowAll Then TitleLineWrite

'recover array memory
ReDim arHKLMKeys(0)
ReDim arHKCUKeys(0)

strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

End If 'SecTest?




'#3. HKLM... Explorer\Browser Helper Objects

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
strSubTitle = "HKLM" & "\" & strKey & "\"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arSubKeys

'enumerate data if present
If IsArray(arSubKeys) Then

'for each key
For Each strSubKey In arSubKeys

flagTitle = False

CLSIDLocTitle HKLM, strKey & "\" & strSubKey, "", strLocTitle

For ctrCH = intCLL To 1

ResolveCLSID strSubKey, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL

If strIPSDLL <> "" Then

'output the title line if not already done
TitleLineWrite

If Not flagTitle Then

'error check for W2K if value not set
On Error Resume Next
oFN.WriteLine strSubKey & "\(Default) = " & strLocTitle
intErrNum = Err.Number : Err.Clear
If intErrNum <> 0 Then oFN.WriteLine strSubKey &_
"\(Default) = (no title provided)"
flagTitle = True
On Error GoTo 0

End If

'output CLSID title, InProcServer32 DLL & CoName
oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))

End If 'strIPSDLL exists?

Next 'CLSID hive

Next 'BHO subkey

End If 'BHO subkeys exist?

'if ShowAll, output the key name if not already done
If flagShowAll Then TitleLineWrite
strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

'recover array memory
ReDim arSubKeys(0)

End If 'SecTest?




'#4. HKLM... Shell Extensions\Approved\

intSection = intSection + 1

'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then

'CLSID value, InProcessServer32 DLL name & output file version,
'CLSID Key Title display flag
Dim strCLSID, strIPSDLL, strIPSDLLOut, strCLSIDTitle, strLocTitle

'Shell Extension Approved array
Dim arSEA()
ReDim arSEA(388,1)
'WXP
arSEA(0,0) = "{00022613-0000-0000-C000-000000000046}" : arSEA(0,1) = "mmsys.cpl"
arSEA(1,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(1,1) = "icmui.dll"
arSEA(2,0) = "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" : arSEA(2,1) = "rshx32.dll"
arSEA(3,0) = "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" : arSEA(3,1) = "docprop.dll"
arSEA(4,0) = "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" : arSEA(4,1) = "ntshrui.dll"
arSEA(5,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(5,1) = "themeui.dll"
arSEA(6,0) = "{42071712-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(6,1) = "deskadp.dll"
arSEA(7,0) = "{42071713-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(7,1) = "deskmon.dll"
arSEA(8,0) = "{42071714-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(8,1) = "deskpan.dll"
arSEA(9,0) = "{4E40F770-369C-11d0-8922-00A024AB2DBB}" : arSEA(9,1) = "dssec.dll"
arSEA(10,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(10,1) = "SlayerXP.dll"
arSEA(11,0) = "{56117100-C0CD-101B-81E2-00AA004AE837}" : arSEA(11,1) = "shscrap.dll"
arSEA(12,0) = "{59099400-57FF-11CE-BD94-0020AF85B590}" : arSEA(12,1) = "diskcopy.dll"
arSEA(13,0) = "{59be4990-f85c-11ce-aff7-00aa003ca9f6}" : arSEA(13,1) = "ntlanui2.dll"
arSEA(14,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(14,1) = "icmui.dll"
arSEA(15,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(15,1) = "icmui.dll"
arSEA(16,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(16,1) = ""
arSEA(17,0) = "{77597368-7b15-11d0-a0c2-080036af3f03}" : arSEA(17,1) = "printui.dll"
arSEA(18,0) = "{7988B573-EC89-11cf-9C00-00AA00A14F56}" : arSEA(18,1) = "dskquoui.dll"
arSEA(19,0) = "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" : arSEA(19,1) = ""
arSEA(20,0) = "{85BBD920-42A0-1069-A2E4-08002B30309D}" : arSEA(20,1) = "syncui.dll"
arSEA(21,0) = "{88895560-9AA2-1069-930E-00AA0030EBC8}" : arSEA(21,1) = "hticons.dll"
arSEA(22,0) = "{BD84B380-8CA2-1069-AB1D-08000948F534}" : arSEA(22,1) = "fontext.dll"
arSEA(23,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(23,1) = "icmui.dll"
arSEA(24,0) = "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" : arSEA(24,1) = "rshx32.dll"
arSEA(25,0) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" : arSEA(25,1) = "ntshrui.dll"
arSEA(26,0) = "{f92e8c40-3d33-11d2-b1aa-080036a75b03}" : arSEA(26,1) = "deskperf.dll"
arSEA(27,0) = "{7444C717-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(27,1) = "cryptext.dll"
arSEA(28,0) = "{7444C719-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(28,1) = "cryptext.dll"
arSEA(29,0) = "{7007ACC7-3202-11D1-AAD2-00805FC1270E}" : arSEA(29,1) = "NETSHELL.dll"
arSEA(30,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(30,1) = "NETSHELL.dll"
arSEA(31,0) = "{E211B736-43FD-11D1-9EFB-0000F8757FCD}" : arSEA(31,1) = "wiashext.dll"
arSEA(32,0) = "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" : arSEA(32,1) = "wiashext.dll"
arSEA(33,0) = "{905667aa-acd6-11d2-8080-00805f6596d2}" : arSEA(33,1) = "wiashext.dll"
arSEA(34,0) = "{3F953603-1008-4f6e-A73A-04AAC7A992F1}" : arSEA(34,1) = "wiashext.dll"
arSEA(35,0) = "{83bbcbf3-b28a-4919-a5aa-73027445d672}" : arSEA(35,1) = "wiashext.dll"
arSEA(36,0) = "{F0152790-D56E-4445-850E-4F3117DB740C}" : arSEA(36,1) = "remotepg.dll"
arSEA(37,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(37,1) = "wuaucpl.cpl"
arSEA(38,0) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}" : arSEA(38,1) = "wshext.dll"
arSEA(39,0) = "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" : arSEA(39,1) = "oledb32.dll"
arSEA(40,0) = "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" : arSEA(40,1) = "mstask.dll"
arSEA(41,0) = "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" : arSEA(41,1) = "mstask.dll"
arSEA(42,0) = "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" : arSEA(42,1) = "mstask.dll"
arSEA(43,0) = "{0DF44EAA-FF21-4412-828E-260A8728E7F1}" : arSEA(43,1) = ""
arSEA(44,0) = "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(44,1) = "shdocvw.dll"
arSEA(45,0) = "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(45,1) = "shdocvw.dll"
arSEA(46,0) = "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(46,1) = "shdocvw.dll"
arSEA(47,0) = "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(47,1) = "shdocvw.dll"
arSEA(48,0) = "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(48,1) = "shdocvw.dll"
arSEA(49,0) = "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(49,1) = "shdocvw.dll"
arSEA(50,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524152}" : arSEA(50,1) = "shdocvw.dll"
arSEA(51,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524153}" : arSEA(51,1) = "shdocvw.dll"
arSEA(52,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(52,1) = "shmedia.dll"
arSEA(53,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(53,1) = "shmedia.dll"
arSEA(54,0) = "{E4B29F9D-D390-480b-92FD-7DDB47101D71}" : arSEA(54,1) = "shmedia.dll"
arSEA(55,0) = "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" : arSEA(55,1) = "shmedia.dll"
arSEA(56,0) = "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" : arSEA(56,1) = "shmedia.dll"
arSEA(57,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(57,1) = "shmedia.dll"
arSEA(58,0) = "{5E6AB780-7743-11CF-A12B-00AA004AE837}" : arSEA(58,1) = "browseui.dll"
arSEA(59,0) = "{22BF0C20-6DA7-11D0-B373-00A0C9034938}" : arSEA(59,1) = "browseui.dll"
arSEA(60,0) = "{91EA3F8B-C99B-11d0-9815-00C04FD91972}" : arSEA(60,1) = "browseui.dll"
arSEA(61,0) = "{6413BA2C-B461-11d1-A18A-080036B11A03}" : arSEA(61,1) = "browseui.dll"
arSEA(62,0) = "{F61FFEC1-754F-11d0-80CA-00AA005B4383}" : arSEA(62,1) = "browseui.dll"
arSEA(63,0) = "{7BA4C742-9E81-11CF-99D3-00AA004AE837}" : arSEA(63,1) = "browseui.dll"
arSEA(64,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(64,1) = "browseui.dll"
arSEA(65,0) = "{32683183-48a0-441b-a342-7c2a440a9478}" : arSEA(65,1) = "browseui.dll"
arSEA(66,0) = "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" : arSEA(66,1) = "browseui.dll"
arSEA(67,0) = "{07798131-AF23-11d1-9111-00A0C98BA67D}" : arSEA(67,1) = "browseui.dll"
arSEA(68,0) = "{AF4F6510-F982-11d0-8595-00AA004CD6D8}" : arSEA(68,1) = "browseui.dll"
arSEA(69,0) = "{01E04581-4EEE-11d0-BFE9-00AA005B4383}" : arSEA(69,1) = "browseui.dll"
arSEA(70,0) = "{A08C11D2-A228-11d0-825B-00AA005B4383}" : arSEA(70,1) = "browseui.dll"
arSEA(71,0) = "{00BB2763-6A77-11D0-A535-00C04FD7D062}" : arSEA(71,1) = "browseui.dll"
arSEA(72,0) = "{7376D660-C583-11d0-A3A5-00C04FD706EC}" : arSEA(72,1) = "browseui.dll"
arSEA(73,0) = "{6756A641-DE71-11d0-831B-00AA005B4383}" : arSEA(73,1) = "browseui.dll"
arSEA(74,0) = "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" : arSEA(74,1) = "browseui.dll"
arSEA(75,0) = "{7e653215-fa25-46bd-a339-34a2790f3cb7}" : arSEA(75,1) = "browseui.dll"
arSEA(76,0) = "{acf35015-526e-4230-9596-becbe19f0ac9}" : arSEA(76,1) = "browseui.dll"
arSEA(77,0) = "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" : arSEA(77,1) = "browseui.dll"
arSEA(78,0) = "{00BB2764-6A77-11D0-A535-00C04FD7D062}" : arSEA(78,1) = "browseui.dll"
arSEA(79,0) = "{03C036F1-A186-11D0-824A-00AA005B4383}" : arSEA(79,1) = "browseui.dll"
arSEA(80,0) = "{00BB2765-6A77-11D0-A535-00C04FD7D062}" : arSEA(80,1) = "browseui.dll"
arSEA(81,0) = "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" : arSEA(81,1) = "browseui.dll"
arSEA(82,0) = "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" : arSEA(82,1) = "browseui.dll"
arSEA(83,0) = "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" : arSEA(83,1) = "browseui.dll"
arSEA(84,0) = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" : arSEA(84,1) = "browseui.dll"
arSEA(85,0) = "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" : arSEA(85,1) = "browseui.dll"
arSEA(86,0) = "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" : arSEA(86,1) = "browseui.dll"
arSEA(87,0) = "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" : arSEA(87,1) = "shdocvw.dll"
arSEA(88,0) = "{0A89A860-D7B1-11CE-8350-444553540000}" : arSEA(88,1) = "shdocvw.dll"
arSEA(89,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(89,1) = "shdocvw.dll"
arSEA(90,0) = "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" : arSEA(90,1) = "shdocvw.dll"
arSEA(91,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(91,1) = "shdocvw.dll"
arSEA(92,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(92,1) = "shdocvw.dll"
arSEA(93,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(93,1) = "shdocvw.dll"
arSEA(94,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(94,1) = "shdocvw.dll"
arSEA(95,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(95,1) = "shdocvw.dll"
arSEA(96,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(96,1) = "shdocvw.dll"
arSEA(97,0) = "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" : arSEA(97,1) = "shdocvw.dll"
arSEA(98,0) = "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" : arSEA(98,1) = "shdocvw.dll"
arSEA(99,0) = "{131A6951-7F78-11D0-A979-00C04FD705A2}" : arSEA(99,1) = "shdocvw.dll"
arSEA(100,0) = "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" : arSEA(100,1) = "shdocvw.dll"
arSEA(101,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(101,1) = "shdocvw.dll"
arSEA(