Silent Runners R48 adds a woefully documented launch point:

HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders

... that is the target of a current infection.

I have confirmed that the comma-separated DLLs listed in this value
are launched during startup.

This value appears in _all_ Windows versions.

I am unaware of *any* anti-spyware program or launch point analyzer
that detects malware launching from this location. I am unaware of
*any* documentation of this registry location as a launch point.

It is recommended that you download Silent Runners R48 and delete
earlier versions.

It's compatible with Internet Explorer 7 RC1, but not yet with Windows Vista.

The updated script (R47) can be found here: http://www.silentrunners.org/Silent%20Runners.vbs

A zipped version can be found here: http://www.silentrunners.org/Silent%20Runners.zip

Thanks again to those users who have provided feedback for improve- ments. If you ever have any problem with the script, please let me know. (Please note the expanded FAQ: http://www.silentrunners.org/sr_faq.html)