"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 17:56
Operating System: Windows XP

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"Gadu-Gadu" = ""E:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
"^SetupICWDesktop" = "" [(file not found)]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe" ["France Télécom R&D"]
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s" ["Panda Software International"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "Adobe PDF Reader Link Helper"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = "Google Toolbar Helper"
  -> resolves to: {CLSID}\InprocServer32(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "avldr\DLLName" = "avldr.dll" ["Panda Software"]

Startup items in "Bozena" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "E:\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Aktualizacje automatyczne, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
Bufor wydruku, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Dziennik zdarzeń, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
France Telecom Routing Table Service, FTRTSVC, "C:\WINDOWS\System32\FTRTSVC.exe" ["France Telecom"]
Harmonogram zadań, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
Instrumentacja zarządzania Windows, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Klient DHCP, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Klient DNS, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Klient śledzenia łączy rozproszonych, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
Kompozycje, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Konfiguracja zerowej sieci bezprzewodowej, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Logowanie pomocnicze, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Magazyn chroniony, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Menedżer dysków logicznych, dmserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dmserver.dll" ["Microsoft Corp."]}
Menedżer kont zabezpieczeń, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Menedżer połączeń usługi Dostęp zdalny, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Menedżer przekazywania, uploadmgr, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
Numer seryjny nośnika przenośnego, WmdmPmSp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmspsv.dll" [MS]}
Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe"" ["Panda Software International"]
Panda Function Service, PAVFNSVR, ""C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe"" ["Panda Software International"]
Panda IManager Service, PSIMSVC, ""C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe"" ["Panda Software"]
Panda Network Manager, PNMSRV, ""c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE"" ["Panda Software International"]
Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Pomoc i obsługa techniczna, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
Pomoc TCP/IP NetBIOS, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Posłaniec, Messenger, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\msgsvc.dll" [MS]}
Połączenia sieciowe, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Przeglądarka komputera, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Rejestr zdalny, RemoteRegistry, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\regsvc.dll" [MS]}
Rozpoznawanie lokalizacji w sieci (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Serwer, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Stacja robocza, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}
System zdarzeń COM+, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Telefonia, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Usługa Czas systemu Windows, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
Usługa odnajdywania SSDP, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Usługa przywracania systemu, srservice, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srsvc.dll" [MS]}
Usługa raportowania błędów, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Usługi IPSEC, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Usługi kryptograficzne, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
Usługi terminalowe, TermService, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Wykrywanie sprzętu powłoki, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Zawiadomienie o zdarzeniu systemowym, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Zdalne wywoływanie procedur (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Zgodność szybkiego przełączania użytkowników, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}