"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Norton SystemWorks" = ""C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"PTHOSTTR" = "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start" ["Hewlett-Packard Development Company, L.P."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"Cpqset" = "C:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"hpWirelessAssistant" = "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" ["Hewlett-Packard Company"]
"WatchDog" = "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" ["InterVideo Inc."]
"(Default)" = "(empty string)" [file not found]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"QD FastAndSafe" = "*_" (unwritable string) [file not found]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                       \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*_" (unwritable string)
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {HKLM...CLSID} = "CNavExtBho Class"
                   \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "Moje miejsca interfejsu Bluetooth"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"
  -> {HKLM...CLSID} = "AcSignIcon"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {HKLM...CLSID} = "IEContextMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {HKLM...CLSID} = "IEContextMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewOnDrive" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"StartMenuLogOff" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoLogoff" = (REG_DWORD) hex:0x00000001
{Disable Logoff}

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\HP Cityscape.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\HP Cityscape.bmp"


Startup items in "ToMi" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"Funkcja One Button Checkup pakietu Norton SystemWorks" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]
"Norton AntiVirus - Skanuj komputer - ToMi" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exe /task:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {HKLM...CLSID} = "Norton AntiVirus"
                   \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
  -> {HKLM...CLSID} = "&Links"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {HKLM...CLSID} = "Norton AntiVirus"
                   \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
HP WMI Interface, hpqwmi, "C:\Program Files\HPQ\Shared\hpqwmi.exe" ["Hewlett-Packard Development Company, L.P."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
HP Mobile Printing Monitor\Driver = "HPMPMW.DLL" ["Hewlett-Packard"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Port drukarki interfejsu Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 36 seconds, including 4 seconds for message boxes)
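When reading a report like the one above, the entries worth a second look are the ones Silent Runners itself annotates: "<<!>>" (non-default data at a launch point the script watches), "[file not found]" (the value points at nothing the script could locate), "[null data]" (the file carries no company name in its version information) and "(unwritable string)" (the registry data is not a printable string). A reviewer usually adds one check of their own: a Run value or Notify DLL that names a file without a directory (here "AGRSMMSG.exe", "KHALMNPR.EXE", "igfxdev.dll") is resolved through the loader's search order, so what actually runs depends on who can write to the directories on that path. The script below is an added example, not part of Silent Runners or of this report; it parses lines of the form name = "value" [company] into structured records and lists the entries carrying any of those flags. The line grammar is inferred from the report above, the bare-file-name rule is the editor's heuristic rather than anything the tool prints, and the sample input is a handful of lines copied from the report.

```python
"""Triage a Silent Runners.vbs report for launch points that deserve a closer look.

Added example, not part of Silent Runners or of the report above.  The line
grammar assumed here (name = "value" (note) [company | file not found | null data],
with "<<!>>" as the script's own suspicious-data marker) is read off that report.
"""
import re
from dataclasses import dataclass, field

# One report entry.  The value may itself contain quotes (""C:\...\x.exe" /arg"),
# so the value group is greedy and the trailing groups anchor it to the line end.
ENTRY_RE = re.compile(
    r'^(?P<marker><<!>>\s*)?'
    r'(?P<name>.+?)\s*=\s*"(?P<value>.*)"'
    r'(?:\s*\((?P<note>[^)]*)\))?'
    r'(?:\s*\[(?P<status>[^\]]*)\])?\s*$'
)
# A file named without a directory, drive or %var% is found through the loader's
# search order (application directory, system32, PATH), so a writable directory
# earlier on that path would change what actually runs.  Heuristic, not from the tool.
BARE_FILE_RE = re.compile(r'^[^\\/%:]+\.(exe|dll|cpl|scr|sys|ocx)$', re.IGNORECASE)


@dataclass
class Finding:
    name: str          # registry value name, or key\value for Notify / print-monitor lines
    value: str         # raw value data as printed, outer quotes removed
    status: str        # bracket field: company name from version info, or a marker
    reasons: list = field(default_factory=list)


def first_token(value: str) -> str:
    """Return the program part of a command line: a quoted path or the first word."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split(None, 1)
    return parts[0] if parts else ''


def parse_entry(line: str):
    """Parse one entry line; return None for headers, key paths and non-string values."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group('name').startswith('->'):   # '-> {HKLM...CLSID}' is a resolution line
        return None
    f = Finding(m.group('name').strip('"'), m.group('value'), (m.group('status') or '').strip('"'))
    if m.group('marker'):
        f.reasons.append('marked <<!>> by Silent Runners: non-default data at a launch point')
    if f.status == 'file not found':
        f.reasons.append('target file not found: dangling entry, or a path the script could not resolve')
    elif f.status == 'null data':
        f.reasons.append('no company name in the file version info')
    if m.group('note') == 'unwritable string':
        f.reasons.append('value is not a printable string; dump the raw registry data')
    if BARE_FILE_RE.match(first_token(f.value)):
        f.reasons.append('bare file name, located via search order rather than a fixed path')
    return f


def triage(report: str) -> list:
    """Return the entries of a report that carry at least one reason to look closer."""
    return [f for f in (parse_entry(ln) for ln in report.splitlines()) if f and f.reasons]


# Sample input: lines copied from the report above (straight quotes restored).
SAMPLE_REPORT = r'''"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Norton SystemWorks" = ""C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" ["Symantec Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Cpqset" = "C:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]
"(Default)" = "(empty string)" [file not found]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"QD FastAndSafe" = "*_" (unwritable string) [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]
"NoDrives" = (REG_DWORD) hex:0x00000000
'''

if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'{f.name!r} -> {f.value!r} [{f.status}]')
        for r in f.reasons:
            print('    ' + r)
```

Run it against a saved report (replace SAMPLE_REPORT with the file contents) and the output is a short worklist rather than a verdict: "Cpqset" and the WinRAR extension show "[null data]" because the vendors shipped binaries without a company string, and the two Winlogon\Notify DLLs here belong to Intel's graphics and wireless packages. Two caveats apply to any such list. The bracketed company name is read from the file's version-information resource, which anyone can fill in, so it is not a substitute for checking an Authenticode signature or a hash. And "[file not found]" can mean a leftover from an uninstall just as easily as something hiding from the script, so the entry should be confirmed against the raw registry data before it is deleted.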