"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [null data]
"LDM" = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech Inc."]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"InternetCalls" = ""C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized" [file not found]
"PcSync" = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"SURF OOZE" = "C:\DOCUME~1\karolek\APPLIC~1\ITCHLI~1\city time.exe" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"FlashPlayerUpdate" = "C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" ["Adobe Systems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SigmatelSysTrayApp" = "stsystra.exe" ["SigmaTel, Inc."]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"(Default)" = "(empty string)" [file not found]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"BuildBU" = "c:\dell\bldbubg.exe" [file not found]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["McAfee Inc."]
"MPSExe" = "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding" ["McAfee, Inc."]
"MPFEXE" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup" ["Nokia"]
"CleanUp" = "C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup" ["McAfee, Inc"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"mcsubmgr.dll" = "rundll32.exe advpack.dll,RegisterOCX c:\PROGRA~1\mcafee.com\agent\submgr\6_0_0_~2\mcsubmgr.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0EEDB912-C5FA-486F-8334-57288578C627}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Shareaza Web Download Hook"
                   \InProcServer32(Default) = "C:\Program Files\Shareaza\Plugins\RazaWebHook.dll" ["Shareaza Pty. Ltd."]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}(Default) = (no title provided)
  -> {HKLM...CLSID} = "McBrwHelper Class"
                   \InProcServer32(Default) = "c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll" ["McAfee, Inc."]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
                   \InProcServer32(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}(Default) = "McAfee PopupKiller"
  -> {HKLM...CLSID} = "McAfee Privacy Service Popup Blocker"
                   \InProcServer32(Default) = "c:\program files\mcafee.com\mps\popupkiller.dll" ["McAfee, Inc."]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}(Default) = (no title provided)
  -> {HKLM...CLSID} = "McAfee AntiPhishing Filter"
                   \InProcServer32(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]
{5CA3D70E-1895-11CF-8E15-001234567890}(Default) = "*_" (unwritable string)
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
  -> {HKLM...CLSID} = "My Logitech Pictures"
                   \InProcServer32(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
                   \InProcServer32(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> ias257\DLLName = "ias257.dll" [file not found]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\karolek\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "karolek" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -startup" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"A873960D91840CCD" -> launches: "c:\docume~1\karolek\applic~1\itchli~1\LongSoftBall.exe" [null data]
"McAfee.com Scan for Viruses - My Computer (KAROLINA-karolek)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\mclsp.dll ["McAfee, Inc."], 01 - 23, 47
%SystemRoot%\system32\mswsock.dll [MS], 24 - 26, 29 - 46
%SystemRoot%\system32\rsvpsp.dll [MS], 27 - 28


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {HKLM...CLSID} = "McAfee VirusScan"
                   \InProcServer32(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{39FD89BF-D3F1-45B6-BB56-3582CCF489E1}\
"MenuText" = "McAfee AntiPhishing Filter"
"CLSIDExtension" = "{7DD73374-7187-4103-8F29-622AA25E7C40}"
  -> {HKLM...CLSID} = "MyCfgDlgCmdTarget Class"
                   \InProcServer32(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
                   \InProcServer32(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["McAfee Inc."]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
ServiceLayer, ServiceLayer, ""C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe"" ["Nokia."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
DELS1 Langmon\Driver = "DELS1LMK.DLL" [empty string]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
----------
(total run time: 38 seconds, including 4 seconds for message boxes)