“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “TOSCDSPD” = “C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [“TOSHIBA”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “IgfxTray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “HotKeysCmds” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “000StTHK” = “000StTHK.exe” [null data] “TFNF5” = “TFNF5.exe” [“TOSHIBA Corp.”] “SmoothView” = “C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe” [“TOSHIBA Corporation”] “SigmaTel StacMon” = “C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe” [“SigmaTel Inc.”] “Apoint” = “C:\Program Files\Apoint2K\Apoint.exe” [“Alps Electric Co., Ltd.”] “TouchED” = “C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [“TOSHIBA Corporation”] “TFncKy” = “C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe” [“TOSHIBA Corporation”] “NDSTray.exe” = “C:\Program Files\Toshiba\ConfigFree\NDSTray.exe” [“TOSHIBA CORPORATION”] “TPSMain” = “TPSMain.exe” [“TOSHIBA Corporation”] “kav” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe”” [“Kaspersky Lab”] “LogitechCommunicationsManager” = ““C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe”” [“Logitech Inc.”] “LogitechQuickCamRibbon” = ““C:\Program Files\Logitech\QuickCam10\QuickCam10.exe” /hide” [“Logitech Inc.”] “QD FastAndSafe” = “*n” (unwritable string) [file not found] “!AVG Anti-Spyware” = ““C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Active Setup\Installed Components\ 
>{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE” [MS] >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS(Default) = “Dostosowywanie przeglądarki” \StubPath = “RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP” [MS] >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] {2C7339CF-2B09-4501-B3F3-F3508C9228ED}(Default) = “Themes Setup” \StubPath = “C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll” [MS] {44BBA840-CC51-11CF-AAFA-00AA00B6015C}(Default) = “Microsoft Outlook Express 6” \StubPath = ““C:\Program Files\Outlook Express\setup50.exe” /APP:OE /CALLER:WINNT /user /install” [MS] {44BBA842-CC51-11CF-AAFA-00AA00B6015B}(Default) = “NetMeeting 3.01” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT” [MS] {5945c046-1e7d-11d1-bc44-00c04fd912be}(Default) = “Windows Messenger 4.7” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser” [MS] {6BF52A52-394A-11d3-B153-00C04F79FAA6}(Default) = “Microsoft Windows Media Player” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub” [MS] {7790769C-0471-11d2-AF11-00C04FA35D02}(Default) = “Książka adresowa 6” \StubPath = ““C:\Program Files\Outlook Express\setup50.exe” /APP:WAB /CALLER:WINNT /user /install” [MS] {89820200-ECBD-11cf-8B85-00AA005B4340}(Default) = “Aktualizacja pulpitu Windows” \StubPath = “regsvr32.exe /s /n /i:U shell32.dll” [MS] {89820200-ECBD-11cf-8B85-00AA005B4383}(Default) = “Internet Explorer 6” \StubPath = “C:\WINDOWS\system32\ie4uinit.exe” [MS] {89B4C1CD-B018-4511-B0A1-5476DBF70820}(Default) = (no title provided) \StubPath = “C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program files\System\Spybot - Search & Destroy\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{C4213067-97B3-4929-9B98-B5600FBBBA13}” = “TouchED” -> {HKLM…CLSID} = “TouchShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll” [“TOSHIBA Corporation”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}” = “Skladnik rozszerzenia powloki CorelDRAW” -> {HKLM…CLSID} = “CorelDRAW Shell Extension Component” \InProcServer32(Default) = “E:\Program files\grafika\Corel\DRAW\CDRVIEWER\CrlShell110.dll” [null data] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}” = “Adobe.Acrobat.ContextMenu” -> {HKLM…CLSID} = “Acrobat Elements Context Menu” \InProcServer32(Default) = “E:\Program Files\System\Adobe\Acrobat 6.0 CE\Acrobat Elements\ContextMenu.dll” [“Adobe Systems Inc.”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Ochrona WWW” -> {HKLM…CLSID} = “Ochrona WWW” \InProcServer32(Default) = “C:\Program 
Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll” [“Kaspersky Lab”] “{4FED14EE-8086-4b0c-A0DE-C27042ED1296}” = “PDFTransformer2ContextMenu” -> {HKLM…CLSID} = “PDFTransformer2.PDFTContextMenu.1” \InProcServer32(Default) = “C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll” [“ABBYY Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”] <> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu(Default) = “{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}” -> {HKLM…CLSID} = “Acrobat Elements Context Menu” \InProcServer32(Default) = “E:\Program Files\System\Adobe\Acrobat 6.0 CE\Acrobat Elements\ContextMenu.dll” [“Adobe Systems Inc.”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) 
\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll” [“Kaspersky Lab”] MakeFile Class(Default) = “{D8504558-278D-4A93-BCBC-75B142CAA3B3}” -> {HKLM…CLSID} = “MakeFile Class” \InProcServer32(Default) = “C:\WINDOWS\system32\vdshell.dll” [“FarStone Technology Inc.”] PDFTransformer2ContextMenu(Default) = “{4FED14EE-8086-4b0c-A0DE-C27042ED1296}” -> {HKLM…CLSID} = “PDFTransformer2.PDFTContextMenu.1” \InProcServer32(Default) = “C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll” [“ABBYY Software”] WinMerge(Default) = “{4E716236-AA30-4C65-B225-D68BBA81E9C2}” -> {HKLM…CLSID} = “WinMergeShell Class” \InProcServer32(Default) = “E:\Program Files\WinMerge\ShellExtensionU.dll” [empty string] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] WinMerge(Default) = “{4E716236-AA30-4C65-B225-D68BBA81E9C2}” -> {HKLM…CLSID} = “WinMergeShell Class” \InProcServer32(Default) = “E:\Program Files\WinMerge\ShellExtensionU.dll” [empty string] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ FolderShell Class(Default) = “{24C0824F-BC16-41DB-9845-DE545941C3B0}” -> {HKLM…CLSID} = “FolderShell Class” \InProcServer32(Default) = “C:\WINDOWS\system32\vdshell.dll” [“FarStone Technology Inc.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll” [“Kaspersky Lab”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\TOSHIBA Satellite 1024x768.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\TOSHIBA Satellite 1024x768.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Enabled Scheduled Tasks: ------------------------ “Symantec Drmc” -> launches: “C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ 
{182EC0BE-5110-49C8-A062-BEB1D02A220B}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF” \InProcServer32(Default) = “E:\Program Files\System\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll” [null data] HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Ochrona WWW” Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Research” Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Ochrona WWW” {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Research” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): [strings]: START_PAGE_URL=http://www.tiscali.co.uk Missing lines (compared with English-language version): [strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): 
--------------------------------------------------------------------------- ASP.NET State Service, aspnet_state, “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe” [MS] Autodesk Licensing Service, Autodesk Licensing Service, ““C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe”” [null data] AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe” [“Anti-Malware Development a.s.”] Belkin Wireless USB Network Adapter, Belkin Wireless USB Network Adapter Service, “C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe” [null data] Boonty Games, Boonty Games, ““C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe”” [“BOONTY”] ConfigFree Service, CFSvcs, “C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe” [“TOSHIBA CORPORATION”] Crypkey License, Crypkey License, “crypserv.exe” [“Kenonic Controls Ltd.”] DCPFLICS, DCPFLICS, “C:\Program Files\DCPFLICS\DCPFLICS.exe” [null data] IDispChg Service, IDispChgService, “C:\WINDOWS\system32\IDispChg.exe” [null data] Kaspersky Anti-Virus 6.0, AVP, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe” -r” [“Kaspersky Lab”] LVSrvLauncher, LVSrvLauncher, “C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe” [“Logitech Inc.”] Macromedia Licensing Service, Macromedia Licensing Service, ““C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe”” [null data] NBService, NBService, “E:\Program files\System\Nero 7\Nero BackItUp\NBService.exe” [“Nero AG”] Norton Unerase Protection, NProtectService, “E:\PROGRA~1\System\norton\NORTON~1\NPROTECT.EXE” [“Symantec Corporation”] Office Source Engine, ose, ““C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE”” [MS] Process Monitor, LVPrcSrv, “c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe” [“Logitech Inc.”] Sandra Data Service, SandraDataSrv, “E:\Program files\System\SiSoftware Sandra Professional 2005\RpcDataSrv.exe” 
[“SiSoftware”] Sandra Service, SandraTheSrv, “E:\Program files\System\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe” [“SiSoftware”] Speed Disk service, Speed Disk service, “E:\PROGRA~1\System\norton\NORTON~1\SPEEDD~1\NOPDB.EXE” [“Symantec Corporation”] Symantec Core LC, Symantec Core LC, “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe” [“Symantec Corporation”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Password Validation, ccPwdSvc, ““C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] TuneUp WinStyler Theme Service, TUWinStylerThemeSvc, ““E:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe”” [“TuneUp Software GmbH”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\mspmsnsv.dll” [MS]} Zarządzanie aplikacjami, AppMgmt, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\appmgmts.dll” [file not found]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Adobe PDF Port\Driver = “C:\WINDOWS\system32\AdobePDF.dll” [“Adobe Systems Incorporated.”] hpzsnt09\Driver = “hpzsnt09.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] Monitor języka BJ\Driver = “CNBJMON.DLL” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. 
+ This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 229 seconds. ---------- (total run time: 279 seconds)