"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ctfmon.exe" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"ati tray tools" = "D:\Program Files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.exe" ["Ray Adams"]
"Spik" = "D:\Program Files\Spik\Spik.exe -autostart" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1045" ["DT Soft Ltd."]
"AtiPTA" = "D:\WINDOWS\SYSTEM32\ATIPTAXX.EXE" ["ATI Technologies, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nod32kui" = ""D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"SunJavaUpdateSched" = ""D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ISUSPM Startup" = ""D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup" ["InstallShield Software Corporation"]
"InfoData" = "rundll32.exe "D:\WINDOWS\system32\sgifseqv.dll",realset" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{66020456-CB22-487F-AC2C-09F6417C55B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\gebccdb.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{94A8212C-E7CF-46DC-AC59-9E6A4300D064}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\gebyy.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B4B924A2-EBDA-11DA-95DA-00E08161165F}" = "Dodatki Spika"
  -> {HKLM...CLSID} = "SpikShellExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\Spik\shellext_wpmsg.dll" ["Wirtualna Polska"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\upnpui.dll" [MS]
"{AF663E5B-1791-412d-AAD5-8AD52F036B41}" = "ZJ_ShlExt extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\WinAVIVideoConverter\SimpleExt.dll" ["ZJMedia"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\Eset\nodshex.dll" [null data]
"{CCA60260-A2C9-11D2-BA62-0020188191B2}" = "Resplendent Registrar Shell Extension"
  -> {HKLM...CLSID} = "Resplendent Registrar Shell Extension"
                   \InProcServer32\(Default) = "rrShellX.dll" [null data]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{66020456-CB22-487F-AC2C-09F6417C55B3}" = "*_" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\gebccdb.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "D:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> gebccdb\DLLName = "gebccdb.dll" [null data]
<<!>> gebyy\DLLName = "D:\WINDOWS\system32\gebyy.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\Eset\nodshex.dll" [null data]
Spik\(Default) = "{B4B924A2-EBDA-11DA-95DA-00E08161165F}"
  -> {HKLM...CLSID} = "SpikShellExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\Spik\shellext_wpmsg.dll" ["Wirtualna Polska"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\Eset\nodshex.dll" [null data]
Spik\(Default) = "{B4B924A2-EBDA-11DA-95DA-00E08161165F}"
  -> {HKLM...CLSID} = "SpikShellExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\Spik\shellext_wpmsg.dll" ["Wirtualna Polska"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"HideClock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTrayItemsDisplay" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Hide the notification area}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoResolveTrack" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoPropertiesMyComputer" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileAssociate" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFind" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"StartMenuLogoff" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMHelp" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"SecurityTab" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Security page}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Connections page}

"SecChangeSettings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Administrative Templates|Windows Components|Internet Explorer|Browser Menus|
Tools menu: Disable Internet Options... menu option}

"NoBrowserSaveAs" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFavorites" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileNew" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFileOpen" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTheaterMode" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"ShutdownWithoutLogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"NoDispCPL" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoDispSettingsPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoDispScrSavPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Jakub\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"1-Klik Konserwacja" -> launches: "D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
D:\WINDOWS\system32\imon.dll ["Eset "], 01, 03 - 07
%SystemRoot%\system32\mswsock.dll [MS], 02, 08 - 09, 12 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<<H>> "TuneUp" = "file://D|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
NOD32 Kernel Service, NOD32krn, ""D:\Program Files\Eset\nod32krn.exe"" ["Eset "]
TuneUp Design Expansion, UxTuneUp, "D:\WINDOWS\System32\svchost.exe -k netsvcs" {"D:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points,
  use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
---------- (total run time: 53 seconds, including 9 seconds for message boxes)


pv.exe - the PrcView command line utility - allows automating common tasks like finding out whether a particular process is running, or killing a running process from the scheduler.

Checking if a particular process is running is easy. For example, the following command will show all instances of explorer that are running:

pv explorer.exe

Setting a process priority is another common task. To set explorer priority to normal just type:

pv -pn explorer.exe

pv supports the common '*' and '?' wildcards, so the following command will print out all the processes starting with 'e':

pv e*

Don't like a particular process and would like to kill it? The following command will do the job:

pv -k thisprocess.exe

And if you don't like additional questions and would like to force killing:

pv -kf thisprocess.exe

Don't like this particular instance of the process and know the window title?
The following command will do the job (please note that '\' needs to be represented as a '\\' combination if you enter it from the command line):

pv -k explorer.exe -w"c:\\"

pv.exe can be easily executed from a batch file to check if a process is running. When writing a command file, please note that the ERRORLEVEL number specifies a true condition if the last program run returned an exit code equal to or _greater_ than the number specified. The following script illustrates how this could be done:

@echo off
rem pv returns 0 when at least one process matched, 1 for an empty result set
rem and 2 on a program error, so "if ERRORLEVEL 1" covers both "not found" and "error".
pv.exe %1 >nul
if ERRORLEVEL 1 goto Process_NotFound
:Process_Found
echo Process %1 is running
goto END
:Process_NotFound
echo Process %1 is not running
goto END
:END

If you just want to wait until a specific process is running, the command below will make such a check for "notepad.exe" every second; pv will exit when the process is there.

pv -r0 -d1000 notepad.exe

Now you can wait for the process completion by using:

pv -x notepad.exe

Please note that redirecting standard errors by using 2>file_name does not work under Windows 9x. Please use "2>file_name" instead. This notation will be processed by pv.exe.

And finally a copy of the -? command output (please note that the -o and -y options are not supported on Windows 9x/Me):

pv displays information about the running processes.
pv v 5.2.1.2, Copyright (c) Igor Nys, 2000-2006.

Usage: pv -[]... ... -[]

Modes:
  -s  --summary      show usage for the specified MODULE
  -h,-?  --help      display this help information

Actions:
  -k  --kill         kill process
  -a  --activate     brings process main window in the foreground
  -c  --close        close (send WM_CLOSE) to the PROCESS
  -p[nihr] --priority  set priority to "Normal", "Idle", "High", "Real Time"
           [ba]        "Below Normal" and "Above Normal" only on W2K or higher

Output Options:
  -e, --extend       show additional information if available
  -q[header], --quiet  suppress headers and produce a tab-separated list
  -b  --bare         show process ID only ()
  -o  --output       control output using the format string (see below)

Input Options:
  -f, --force        never prompt
  -i, --id           use process ID instead of the PROCESS name

Filters:
  -l[mask] --long    include processes with command line matching mask
  -w[mask] --window  show processes with visible windows matching mask,
                     -e includes in search also invisible windows
  -u[mask] --usage   show processes using modules that match mask
  -y[mask] --user    show processes that run under specified user account
  -t[root] --tree    display process tree starting from the root

Extra Information Options:
  -g  --getenv       get startup environment for the PROCESS
  -m  --module       show modules used by specified PROCESS

Execution Options:
  -d[time] --delay   delay time in milliseconds before executing command
  -r[err]  --repeat  repeat command in a cycle, while (%ERRORLEVEL% > err)
  -n  --number       %ERRORLEVEL% = negated number of matched processes
  -x[a] --exit       wait for the process completion (exit)
                     'a' flag waits for all processes, -d sets time-out
  -@[file_name]      read arguments from specified file or from standard input
                     after processing the command line

Arguments can contain '*' and '?' wildcards.

Use return code (%ERRORLEVEL%) in batch files:
  0 - process found (negated number of processes if -n is specified)
  1 - empty result set,
  2 - program error

Format string can use the following placeholders to control the output:
  %a affinity,       %d creation time,     %c[time] % cpu
  %f full path,      %e elapsed cpu time,  %i process id
  %l command line,   %n image name,        %m memory (K)
  %p priority,       %r parent id,         %s signature
  %t thread count,   %u user name,         %v version
Specify an optional performance data collecting time in milliseconds
after the %c switch, default is 500ms.

Examples:
  pv myprocess.exe                  get process ID for myprocess.exe.
  pv -e                             get extended list of running processes.
  pv -k sleep*                      kill all processes starting with "sleep"
  pv -m -e explorer.exe             get extended information about explorer's modules
  pv -u oleaut*.dll                 list of all processes that use matching dll
  pv -ph w*.exe                     set priority to high for all matching processes
  pv explorer.exe -l"*/S"           looks for explorer process with /S switch
  pv -r0 -d2000 calc.exe "2>nul"    checks every 2 seconds if calc.exe is running
  pv --user:SYSTEM                  shows processes running under system account
  pv -o"%i\t%e\t%c2000%%\t%m(K)\t%n" pv.exe sqlservr.exe
                                    shows memory and CPU information collected for 2 sec.

This software is free and freely distributable on a non-commercial basis in the format ORIGINALLY RELEASED (zip file containing pv or PrcView distribution) with the original Copyright clause. The author expressly disclaims any warranty for this software. This software and any related documentation is provided "as is" without warranty of any kind. Distribution of the program or any work based on the program by a commercial organization to any third party is permitted only with the written permission of the author.

If you encounter a problem while running PrcView, please visit http://www.prcview.com to obtain the latest version. If you still have problems, please send a short description to: support@prcview.com or contact me directly at igornys@writeme.com

-------------------------------------------------
LIABILITY DISCLAIMER - READ BEFORE using pv.exe

THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EXPRESSED, IMPLIED OR OTHERWISE, INCLUDING AND WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL THE AUTHOR OR HIS COMPANY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR ANY OTHER LOSS), WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR INABILITY TO USE THIS SOFTWARE.
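The batch script above only tests presence. As an added example (not part of the PrcView documentation), the script below uses the documented -n switch, which makes %ERRORLEVEL% the negated match count, to count instances of a process and then lists each instance's PID, parent PID, user, path and command line with the -o format string; it assumes pv.exe is on the PATH and the process name is passed as the first argument.

```batch
@echo off
rem Added example, not from the PrcView documentation. Assumes pv.exe is on the PATH.
rem Usage: pvcount.cmd PROCESS_NAME [MAX_INSTANCES]
if "%~1"=="" (
    echo Usage: %~nx0 PROCESS_NAME [MAX_INSTANCES]
    exit /b 2
)
set "PROC=%~1"
set "MAX=%~2"
if "%MAX%"=="" set "MAX=1"

rem With -n the return code is the negated number of matches (3 matches -> -3),
rem 1 for an empty result set and 2 for a program error. Because "if ERRORLEVEL n"
rem means ">= n", the 2 check must come before the 1 check.
pv -n "%PROC%" >nul
if ERRORLEVEL 2 (
    echo pv reported a program error while looking for %PROC%
    exit /b 2
)
if ERRORLEVEL 1 (
    echo %PROC% is not running
    exit /b 1
)
rem Negative return code, so negate it again to get the count.
set /a COUNT=0-(%ERRORLEVEL%)
echo %COUNT% instance(s) of %PROC% running

rem One line per instance: process id, parent id, user, full path, command line.
rem Percent signs are doubled because this runs from a batch file.
pv -o"%%i\t%%r\t%%u\t%%f\t%%l" "%PROC%"

if %COUNT% GTR %MAX% (
    echo WARNING: more than %MAX% instance(s) of %PROC% - review the paths listed above
    exit /b 3
)
exit /b 0
```

The listed full path and parent PID are what a reviewer compares against the expected install location, since a name match alone says nothing about which binary is actually running.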