“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\windows\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Shareaza” = ““C:\Program Files\Shareaza\Shareaza.exe” -tray” [“Shareaza Development Team”] “Komunikator” = "“C:\Program Files\Tlen.pl\tlen.exe” " [“o2.pl Sp. z o.o.”] “SsAAD.exe” = “C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE” /s” [“Panda Software International”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “ATICCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {031F120A-BBAF-45d8-B306-375F2A6B9398}(Default) = “XBTP05231” -> {HKLM…CLSID} = “XBTP05231 Class” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll” [“IE 
Toolbar”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {A5366673-E8CA-11D3-9CD9-0090271D075B}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch2 Class” \InProcServer32(Default) = “D:\jccatch.dll” [“Amaze Soft”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}” = “Shell Context Menu Handler for Application References” -> {HKLM…CLSID} = “Shell Context Menu Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}” = “Shell Context Menu Handler for Application Manifests” -> {HKLM…CLSID} = “Shell Context Menu Handler for Application Manifests” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}” = “Shell Icon Handler for Application References” -> {HKLM…CLSID} = “Shell Icon Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] 
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll” [“Alcohol Soft Development Team”] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\windows\system32\browseui.dll” [MS] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL” [“Panda Software International”] “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ INFECTION WARNING! “{86AA461F-2A5B-4889-B543-E1BBA6746D61}” = “st3d” -> {HKLM…CLSID} = “C:\windows\g300687.dll” \InProcServer32(Default) = “C:\windows\g300687.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] INFECTION WARNING! st3d\DLLName = “C:\windows\g300687.dll” [null data] INFECTION WARNING! 
WgaLogon\DLLName = “WgaLogon.dll” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "] Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL” [“Panda Software International”] Picajet Organizer(Default) = “{C916D440-D489-4A79-B306-5FDC1E7932C0}” -> {HKLM…CLSID} = “PicaJet Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\PicaJet\PJExt.dll” [null data] VIDEOTRANS(Default) = “{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}” -> {HKLM…CLSID} = “AmvTransform Class” \InProcServer32(Default) = “C:\Program Files\MP3 Player Utilities 3.68\AMVTools\AmvTransform.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "] Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL” [“Panda Software International”] Picajet Organizer(Default) = “{C916D440-D489-4A79-B306-5FDC1E7932C0}” -> {HKLM…CLSID} = “PicaJet Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\PicaJet\PJExt.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\windows\system32\logon.scr” [MS] Startup items in “Pauul” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\Pauul\Menu Start\Programy\Autostart “Installation Monitor” -> shortcut to: “C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe” [“ashampoo GmbH & Co. 
KG”] “MetaCafe” -> shortcut to: “C:\Program Files\Metacafe\MetacafeAgent.exe /startup” [empty string] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “MetaCafe” -> shortcut to: “C:\Program Files\Metacafe\MetacafeAgent.exe /startup” [empty string] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “At1” -> launches: “C:\DOCUME~1\Pauul\Pulpit\HIJACK~1\Look2Me-Destroyer.exe /task” [“Atribune.org”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] 000000000005\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: imon.dll ["Eset "], 01 - 08, 43 C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavlsp.dll ["Panda Software "], 09 - 11, 19 %SystemRoot%\system32\mswsock.dll [MS], 12 - 14, 17 - 18, 20 - 42 %SystemRoot%\system32\rsvpsp.dll [MS], 15 - 16 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{1CE4EE89-2D5C-4361-AF3B-D902AB545381}” -> {HKLM…CLSID} = “Alcohol Soft - Alcohol 120% Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll” [“IE Toolbar”] 
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{1CE4EE89-2D5C-4361-AF3B-D902AB545381}” -> {HKLM…CLSID} = “Alcohol Soft - Alcohol 120% Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll” [“IE Toolbar”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “D:\fgiebar.dll” [“Amaze Soft”] “{1CE4EE89-2D5C-4361-AF3B-D902AB545381}” = (no title provided) -> {HKLM…CLSID} = “Alcohol Soft - Alcohol 120% Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll” [“IE Toolbar”] Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_04” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll” [“Sun Microsystems, Inc.”] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet”
“MenuText” = “&FlashGet” “Exec” = “D:\flashget.exe” [“Amaze Soft”] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\windows\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] BlueSoleil Hid Service, BlueSoleil Hid Service, “C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe” [null data] Bluetooth Support Service, BthServ, “C:\windows\system32\svchost.exe -k bthsvcs” {“C:\windows\System32\bthserv.dll” [MS]} EloSystemService, EloSystemService, “C:\WINDOWS\system32\EloSrvce.exe” [“Elo Touchsystems, Inc.”] HTTP SSL, HTTPFilter, “C:\windows\System32\svchost.exe -k HTTPFilter” {“C:\windows\System32\w3ssl.dll” [MS]} NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] Panda Function Service, PAVFNSVR, ““C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe”” [“Panda Software”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe”” [“Panda Software Internacional”] Panda Pavkre, Pavkre, ““C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe”” [“Panda Software”] Panda PavProt, PavProt, ““C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe”” [“Panda Software”] Panda Preventium+ Service, PREVSRV, ““C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe”” [“Panda Software”] Panda Process Protection Service, PavPrSrv, ““C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe”” [“Panda Software”] StarWind iSCSI Service, 
StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 261 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 47 seconds. ---------- (total run time: 376 seconds)