“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{A473DE38-0710-1045-0512-060524060030}” = ““C:\Program Files\Common Files{A473DE38-0710-1045-0512-060524060030}\Update.exe” mc-110-12-0000797” [null data] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Konnekt” = ““E:\Programy\Konnekt\konnekt.exe” /autostart” [“Stamina”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “thebat_startup” = “E:\Programy\the bat\thebat.exe” [“Ritlabs S.R.L.”] “DWQueuedReporting” = ““C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t” [file not found] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “2” = ““C:\WINDOWS\system32\2.exe”” [file not found] “wblswxu” = ““C:\WINDOWS\system32\wblswxu.exe”” [null data] “1” = ““C:\WINDOWS\system32\1.exe”” [file not found] “wusnpek” = ““C:\WINDOWS\system32\wusnpek.exe”” [file not found] “wkytgxr” = ““C:\WINDOWS\system32\wkytgxr.exe”” [null data] “WinMedia” = ""C:\pvkv6246656.exe " " [null data] “WinUpgrade” = ""C:\pvkv6277171.exe " " [file not found] “WinUpdate” = ""C:\pvkv6293500.exe " " [file not found] “system spool” = “C:\WINDOWS\system32\syspools.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMAXPnP” = “C:\Program Files\Analog Devices\Core\smax4pnp.exe” [“Analog Devices, Inc.”] “SoundMAX” = ““C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray” [“Analog Devices, Inc.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RunDLL32.exe NvMCTray.dll,NvTaskbarInit” [MS] “avast!” = “E:\Programy\Avast\ashDisp.exe” [null data] “PestPatrol Control Center” = “C:\PROGRA~1\PESTPA~1\PPControl.exe” [“Computer Associates International”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “PPMemCheck” = “C:\PROGRA~1\PESTPA~1\PPMemCheck.exe” [null data] “CookiePatrol” = “C:\PROGRA~1\PESTPA~1\CookiePatrol.exe” [“Computer Associates International”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “IpWins” = “C:\Program Files\ipwins\ipwins.exe” [file not found] “7v3j” = “C:\WINDOWS\system32\z1362.exe gdtgh” [null data] “Microsoft WPCEmail” = "C:\WINDOWS\inet20000\svchost.exe " [file not found] “SvcManager” = “restorea2.exe” [null data] “system spool” = “C:\WINDOWS\system32\syspools.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Spybot - Search & Destroy” = ““E:\Programy\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe” /autocheck” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “E:\Programy\Adobe\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Programy\SPYBOT~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Programy\Avast\ashShell.dll” [“ALWIL Software”] “{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Objects” \InProcServer32(Default) = “nwprovau.dll” [MS] “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] “{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Hood Verbs” \InProcServer32(Default) = “nwprovau.dll” [MS] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll” [“Siemens AG”] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll” [“Siemens AG”] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll” [“Siemens AG”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “E:\Programy\ALCOHO~1\ALCOHO~1\AxShlex.dll” [“Alcohol Soft Development Team”] “{B8323370-FF27-11D2-97B6-204C4F4F5020}” = “SmartFTP Shell Extension DLL” -> {HKLM…CLSID} = “SmartFTP Shell Extension DLL” \InProcServer32(Default) = “E:\Programy\SmartFTP\smarthook.dll” [“SmartFTP”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “E:\Programy\Adobe\Reader\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Programy\Avast\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Programy\Avast\ashShell.dll” [“ALWIL Software”] NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Authilius\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Authilius” & “All Users” startup folders: ----------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Agent SAP, NwSapAgent, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]} avast! Antivirus, avast! Antivirus, ““E:\Programy\Avast\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““E:\Programy\Avast\aswUpdSv.exe”” [null data] avast! Web Scanner, avast! Web Scanner, ““E:\Programy\Avast\ashWebSv.exe” /service” [“ALWIL Software”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] kbdbr.exe, kbdbr.exe, “C:\WINDOWS\system32\kbdbr.exe” [null data] Kerio Personal Firewall 4, KPF4, ““E:\Programy\Kerio\Personal Firewall 4\kpf4ss.exe”” [“Kerio Technologies”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] Microsoft authenticate service, MsaSvc, “C:\WINDOWS\system32\msasvc.exe” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] StarWind iSCSI Service, StarWindService, “E:\Programy\Alcohol52%\Alcohol 52\StarWind\StarWindService.exe” [“Rocket Division Software”] TabletService, TabletService, “C:\WINDOWS\system32\Tablet.exe” [“Wacom Technology, Corp.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\MsPMSNSv.dll” [MS]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor i250\Driver = “CNMLM50.DLL” [“CANON INC.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 27 seconds, including 3 seconds for message boxes)