[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="pushow19.dll"


Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = ""C:\Program Files\Tlen.pl\tlen.exe" --confdir=home" [file not found]
"PC Registry Cleaner" = "C:\Program Files\PC Registry Cleaner\PC Registry Cleaner.exe" [file not found]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\PROGRAM FILES\MESSENGER\msmsgs.exe" /background" [MS]
"AOL Fast Start" = ""C:\Program Files\America Online 9.0b\AOL.EXE" -b" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["AOL LLC"]
"HostManager" = "C:\Program Files\Common Files\AOL\1151295529\ee\AOLSoftware.exe" ["America Online, Inc."]
"_AntiSpyware" = "C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe" ["Network Associates, Inc."]
"MPFExe" = "C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" ["McAfee Security"]
"URLLSTCK.exe" = "C:\Program Files\Norton Internet Security\UrlLstCk.exe" [file not found]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [file not found]
"sscRun" = "C:\Program Files\Common Files\AOL\1151295529\ee\SSCRun.exe" ["AOL LLC"]
"Recguard" = "%WINDIR%\SMINST\RECGUARD.EXE" [empty string]
"OASClnt" = "C:\Program Files\mcafee.com\antivirus\oasclnt.exe" ["McAfee, Inc."]
"EmailScan" = "C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" ["McAfee, Inc."]
"AOL Spyware Protection" = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [file not found]
"SpywareBot" = "C:\Program Files\SpywareBot\SpywareBot.exe -boot" [file not found]
"PhilipsDM" = ""C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"" ["Koninklijke Philips Electronics N.V."]
"PCODelayModule" = ""C:\PROGRA~1\AOL\PCOPTI~1\Delay.exe"" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" [file not found]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe" ["McAfee, Inc"]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"AOLSPScheduler" = "C:\Program Files\Common Files\AOL\1151295529\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe" ["AOL LLC"]
"SiteAdvisor" = "C:\Program Files\SiteAdvisor\4979\SiteAdv.exe" ["McAfee, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\4979\SiteAdv.dll" ["McAfee, Inc."]
{1ADCCDC4-80E6-F846-B938-9B998551654D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\kwxlouhc.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher"
  -> {HKLM...CLSID} = "AOL Toolbar Launcher"
                   \InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll" ["AOL LLC"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
  -> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "Wireless Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {HKLM...CLSID} = "Wheel Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {HKLM...CLSID} = "Activities Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {HKLM...CLSID} = "Buttons Property Page"
                   \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
  -> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = "pushow19.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"RegWinBackUp" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\sstext3d.scr" [MS]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"AOL OpenRide" -> shortcut to: "C:\Program Files\Common Files\AOL\Launch\aollaunch.exe /d suiteid=frontier_1.23.16.1 /d locale=en-US ee://aol/frontierApp /preload" ["America Online, Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"McAfee AntiSpyware" -> launches: "C:\PROGRA~1\McAfee\MCAFEE~1\McSpy.exe /cmd:Scan" ["Network Associates, Inc."]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
  -> {HKLM...CLSID} = "AOL Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll" ["AOL LLC"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F5F0274E-2739-0B7F-6B6C-BA25E4A0746C}" = (no title provided)
  -> {HKLM...CLSID} = "Search"
                   \InProcServer32\(Default) = "C:\WINDOWS\kwxlouhc.dll" [null data]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
  -> {HKLM...CLSID} = "McAfee SiteAdvisor"
                   \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\4979\SiteAdv.dll" ["McAfee, Inc."]
"{B6A5B638-6025-4C2C-A899-867B416453D2}" = "SearchHelper"
  -> {HKLM...CLSID} = "SearchHelper"
                   \InProcServer32\(Default) = "C:\Program Files\SearchHelper\SearchHelper.dll" [null data]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
  -> {HKLM...CLSID} = "AOL Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll" ["AOL LLC"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_02"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
  -> {HKLM...CLSID} = "AOL Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll" ["AOL LLC"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
  -> {HKLM...CLSID} = "AOLTBSearch Class"
                   \InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll" ["AOL LLC"]
"{EB662989-B91E-8B27-D8CE-9FDB3077D71B}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\kwxlouhc.dll" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Antivirus Update Service, aolavupd, ""C:\Program Files\Common Files\AOL\1151295529\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe"" ["AOL LLC"]
AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["AOL LLC"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
CA Pest Patrol Realtime Protection Service, ITMRTSVC, ""C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe"" ["CA, Inc."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McAfee AntiSpyware Real-Time Scanner, McAfeeAntiSpyware, "C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe" ["Network Associates, Inc."]
McAfee McShield, McShield, "C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe" ["McAfee Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\mcafee.com\personal firewall\MPFService.exe"" ["McAfee Corporation"]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\4979\SAService.exe" ["McAfee, Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 101 seconds.
---------- (total run time: 165 seconds)
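Added triage script (not part of the poster's log and not Silent Runners' own code): it walks report lines in the layout above, flags every entry whose binary Silent Runners could not attribute to a publisher ([null data]) or could not find on disk ([file not found]), and then correlates the same DLL across launch and hijack points. That correlation is what makes kwxlouhc.dll stand out in this log: one unsigned DLL registered as a BHO, an IE toolbar and a URLSearchHook at once. The sample report is constructed from the entries above; the severity labels and the list of key fragments treated as browser hijack points are my own choices, not anything Silent Runners defines.

```python
"""Triage a Silent Runners-style report: flag autostart and browser hijack
entries whose binary carries no version information ([null data]) or is
missing ([file not found]), then correlate the same DLL across points."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout of the Silent Runners report above; the
# registry keys, CLSIDs, DLL names and [tags] are copied from that report.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1ADCCDC4-80E6-F846-B938-9B998551654D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\kwxlouhc.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F5F0274E-2739-0B7F-6B6C-BA25E4A0746C}" = (no title provided)
  -> {HKLM...CLSID} = "Search"
                   \InProcServer32\(Default) = "C:\WINDOWS\kwxlouhc.dll" [null data]
"{B6A5B638-6025-4C2C-A899-867B416453D2}" = "SearchHelper"
  -> {HKLM...CLSID} = "SearchHelper"
                   \InProcServer32\(Default) = "C:\Program Files\SearchHelper\SearchHelper.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{EB662989-B91E-8B27-D8CE-9FDB3077D71B}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\kwxlouhc.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = "pushow19.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"URLLSTCK.exe" = "C:\Program Files\Norton Internet Security\UrlLstCk.exe" [file not found]
"""

# Registry key header: "HKLM\...\" optionally followed by " {++}".
KEY_RE = re.compile(r'^(HK(?:LM|CU)\\.*\\)(?: \{\+\+\})?$')
# Tagged entry:  "name" = "value" [tag]   or   \InProcServer32\(Default) = "value" [tag]
ENTRY_RE = re.compile(
    r'^\s*(?:\\InProcServer32\\\(Default\)|"(?P<name>[^"]+)")'
    r'\s*=\s*"(?P<value>.*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
# A  {CLSID}\(Default) = ...  or  "{CLSID}" = ...  line names the object that
# the InProcServer32 line below it belongs to.
NAME_RE = re.compile(r'^"?\{([0-9A-Fa-f-]+)\}')

# Key fragments treated here as browser hijack points (assumption, my own list);
# everything else in the report is treated as a launch point.
HIJACK_POINTS = ("Browser Helper Objects", "Internet Explorer\\Toolbar",
                 "URLSearchHooks", "Explorer Bars", "Internet Explorer\\Extensions")


@dataclass(frozen=True)
class Finding:
    key: str        # registry key the entry lives under
    name: str       # value name or CLSID the entry belongs to
    path: str       # binary named by the entry
    tag: str        # Silent Runners verification tag, e.g. "null data"
    severity: str   # high / medium / low (assumed scale, see severity_for)


def binary_path(value):
    """Return the executable/DLL path from a value that may carry arguments."""
    return value.split('"')[1] if value.startswith('"') else value


def is_hijack_point(key):
    return any(fragment in key for fragment in HIJACK_POINTS)


def severity_for(key, tag):
    """[null data]: the file exists but has no version resource, so the report
    could not name a publisher; at a browser hijack point that is the classic
    adware pattern. [file not found]: an orphaned entry, cleanup rather than
    an active threat. Anything else (an [MS] or ["Company"] tag) is not flagged."""
    if tag == "null data":
        return "high" if is_hijack_point(key) else "medium"
    if tag == "file not found":
        return "low"
    return None


def analyze(report):
    """Walk the report and return a Finding for every suspicious entry."""
    findings, key, last_name = [], None, ""
    for line in report.splitlines():
        k = KEY_RE.match(line)
        if k:
            key, last_name = k.group(1), ""
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            n = NAME_RE.match(line)
            if n:
                last_name = n.group(1)
            continue
        name = m.group("name") or last_name
        if m.group("name"):
            last_name = m.group("name").strip("{}")
        sev = severity_for(key, m.group("tag"))
        if sev:
            findings.append(Finding(key, name, binary_path(m.group("value")),
                                    m.group("tag"), sev))
    return findings


def correlate(findings):
    """Map each flagged binary (case-folded) to the set of keys it appears under."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.path.lower()].add(f.key)
    return dict(seen)


if __name__ == "__main__":
    found = analyze(SAMPLE_REPORT)
    for f in found:
        print(f"[{f.severity:6}] {f.tag:14} {f.path}  <- {f.key}")
    for path, keys in correlate(found).items():
        if len(keys) > 1:
            print(f"{path} registered at {len(keys)} separate points: {sorted(keys)}")
```

Run against the sample it reports six findings: the three kwxlouhc.dll registrations and SearchHelper.dll as high, and the two orphaned entries (pushow19.dll in AppInit_DLLs, UrlLstCk.exe in Run) as low. A [null data] tag on its own is only a missing version resource, so the same DLL recurring under several hijack points is the stronger signal to act on; a signed Microsoft or vendor binary never reaches the findings list.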