“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “updateMgr” = “C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HControl” = “C:\WINDOWS\ATK0100\HControl.exe” [empty string] “ATICCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay” [null data] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “Wireless Console 2” = “C:\Program Files\Wireless Console 2\wcourier.exe” [null data] “IntelZeroConfig” = ““C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”” [“Intel Corporation”] “IntelWireless” = ““C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless” [“Intel Corporation”] “EOUApp” = ““C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe”” [“Intel Corporation”] “Power_Gear” = “C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1” [“ASUSTeK Computer Inc.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “Outpost Firewall” = “C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice” [“Agnitum”] “F-Secure Manager” = ““C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE” /splash” [“F-Secure Corporation”] “F-Secure TNB” = ““C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe” /CHECKALL /WAITFORSW” [“F-Secure Corporation”] “F-Secure Startup Wizard” = ““C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE” /reboot” [“F-Secure Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {4A368E80-174F-4872-96B5-0B27DDD11DB2}(Default) = (no title provided) -> {HKLM…CLSID} = “SpywareGuardDLBLOCK.CBrowserHelper” \InProcServer32(Default) = “C:\Program Files\SpywareGuard\dlprotect.dll” [null data] {52D06F97-5511-43FA-8FDA-C481864FD26E}(Default) = (no title provided) -> {HKLM…CLSID} = “Alcohol Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll” [null data] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{3028902F-6374-48b2-8DC6-9725E775B926}” = “IE Microsoft AutoComplete” -> {HKLM…CLSID} = “IE Microsoft AutoComplete” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” -> {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{81559C35-8464-49F7-BB0E-07A383BEF910}” = (no title provided) -> {HKLM…CLSID} = “SpywareGuard.Handler” \InProcServer32(Default) = “C:\Program Files\SpywareGuard\spywareguard.dll” [null data] “{D3796116-94D3-4009-96D7-51578411CC7D}” = “Outpost Shell Extension” -> {HKLM…CLSID} = “oshdlr.ShellHandler” \InProcServer32(Default) = “C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll” [“Agnitum Ltd.”] “{B46C1E0F-F61D-4B19-BC55-B68D8BB3CAFE}” = “GSplit Context Menu Shell Extension” -> {HKLM…CLSID} = “GSplit Context Menu Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\gspshell.dll” [“G.D.G. Software, http://www.gdgsoft.com”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}” = “Bluetooth” -> {HKLM…CLSID} = “Wymiana informacji - Bluetooth” \InProcServer32(Default) = “C:\WINDOWS\system32\TosBtExt.dll” [“TOSHIBA”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{81559C35-8464-49F7-BB0E-07A383BEF910}” = (no title provided) -> {HKLM…CLSID} = “SpywareGuard.Handler” \InProcServer32(Default) = “C:\Program Files\SpywareGuard\spywareguard.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DiskChecker(Default) = “{1FE33981-7BF7-11d3-97B7-0020AF892ACF}” -> {HKLM…CLSID} = “Disk Checker Extension” \InProcServer32(Default) = “chckshll.dll” [empty string] GSplitShell(Default) = “{B46C1E0F-F61D-4B19-BC55-B68D8BB3CAFE}” -> {HKLM…CLSID} = “GSplit Context Menu Shell Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\gspshell.dll” [“G.D.G. Software, http://www.gdgsoft.com”] tosBtShllExt(Default) = “{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}” -> {HKLM…CLSID} = “Bluetooth File Extenstion” \InProcServer32(Default) = “C:\WINDOWS\system32\TosBtShell.dll” [“TOSHIBA”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ tosBtShllExt(Default) = “{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}” -> {HKLM…CLSID} = “Bluetooth File Extenstion” \InProcServer32(Default) = “C:\WINDOWS\system32\TosBtShell.dll” [“TOSHIBA”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ DiskChecker(Default) = “{1FE33981-7BF7-11d3-97B7-0020AF892ACF}” -> {HKLM…CLSID} = “Disk Checker Extension” \InProcServer32(Default) = “chckshll.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Lap\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Lap” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\Lap\Menu Start\Programy\Autostart “SpywareGuard” -> shortcut to: “C:\Program Files\SpywareGuard\sgmain.exe” [null data] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Bluetooth Manager” -> shortcut to: “C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe” [null data] “F-Secure Anti-Virus 2006” -> shortcut to: “C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe -startup” [“F-Secure Internet Security 2005”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task” [“Apple Inc.”] “Scheduled scanning task” -> launches: "C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " [“F-Secure Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2}” -> {HKLM…CLSID} = “Alcohol Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll” [null data] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2}” = “Alcohol Toolbar” -> {HKLM…CLSID} = “Alcohol Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll” [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_02” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_02” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll” [“Sun Microsystems, Inc.”] {300DB664-75B5-47C0-8B45-A44ACCF73C00}\ “ButtonText” = “Osłona programu IE” “MenuText” = “Osłona programu IE…” “CLSIDExtension” = “{0928F506-07E8-470c-979D-147C296D4879}” -> {HKLM…CLSID} = “F-Secure IE Shield COM button” \InProcServer32(Default) = “C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll” [“F-Secure Corporation”] {D9288080-1BAA-4BC4-9CF8-A92D743DB949}\ “ButtonText” = “Run IMVU” “Exec” = “C:\Documents and Settings\Lap\Menu Start\Programy\IMVU\Run IMVU.lnk” [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] F-Secure Anti-Virus 2006, BackWeb Plug-in - 4476822, “C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE” [“F-Secure Internet Security 2005”] F-Secure Anti-Virus Firewall Daemon, FSDFWD, ““C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe”” [“F-Secure Corporation”] F-Secure Management Agent, FSMA, ““C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE”” [“F-Secure Corporation”] fsbwsys, fsbwsys, ““C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe”” [“F-Secure Corp.”] FSGKHS, F-Secure Gatekeeper Handler Starter, ““C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe”” [“F-Secure Corporation”] Intel® PROSet/Wireless Event Log, EvtEng, “C:\Program Files\Intel\Wireless\Bin\EvtEng.exe” [“Intel Corporation”] Intel® PROSet/Wireless Registry Service, RegSrvc, “C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe” [“Intel Corporation”] Intel® PROSet/Wireless Service, S24EventMonitor, “C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe” ["Intel Corporation "] LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] Outpost Firewall Service, OutpostFirewall, “C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service” [“Agnitum”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe” [“Rocket Division Software”] TabletService, TabletService, “C:\WINDOWS\system32\Tablet.exe” [“Wacom Technology, Corp.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Toshiba Bluetooth Monitor\Driver = “tbtmon.dll” [“Toshiba America Business Solutions, Inc.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 135 seconds. ---------- (total run time: 165 seconds)