"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Konnekt" = ""D:\Program Files\Konnekt\konnekt.exe" /autostart" ["Stamina"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = ""D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"BearShare" = ""D:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
"kav" = ""D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
"(Default)" = "(empty string)" [file not found]
"Hidder" = "D:\PROGRA~1\GDATAS~1\SEKRET~1\Hidder.exe /start" ["G DATA Software Sp. z o.o."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath = ""D:\WINDOWS\System32\rundll32.exe" "D:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{259F616C-A300-44F5-B04A-ED001A26C85C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Solid Converter PDF"
                   \InProcServer32\(Default) = "D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{259F616C-A300-44F5-B04A-ED001A26C85C}" = "SolidConverter extension"
  -> {HKLM...CLSID} = "Solid Converter PDF"
                   \InProcServer32\(Default) = "D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
                   \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Ochrona WWW"
  -> {HKLM...CLSID} = "Ochrona WWW"
                   \InProcServer32\(Default) = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> klogon\DLLName = "D:\WINDOWS\System32\klogon.dll" ["Kaspersky Lab"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]
SolidConverterPDF\(Default) = "{259F616C-A300-44F5-B04A-ED001A26C85C}"
  -> {HKLM...CLSID} = "Solid Converter PDF"
                   \InProcServer32\(Default) = "D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"
  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"
                   \InProcServer32\(Default) = "D:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]
SolidConverterPDF\(Default) = "{259F616C-A300-44F5-B04A-ED001A26C85C}"
  -> {HKLM...CLSID} = "Solid Converter PDF"
                   \InProcServer32\(Default) = "D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
                   \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
                   \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\WINDOWS\web\wallpaper\Idylla.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]


Startup items in "patryk" & "All Users" startup folders:
--------------------------------------------------------

D:\Documents and Settings\patryk\Menu Start\Programy\Autostart
"Xfire" -> shortcut to: "D:\Program Files\Xfire\xfire.exe" ["Xfire Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "D:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"wrSpySweeperTrialSweep" -> launches: "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeperTrialSweep" ["Webroot Software, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{259F616C-A300-44F5-B04A-ED001A26C85C}" = (no title provided)
  -> {HKLM...CLSID} = "Solid Converter PDF"
                   \InProcServer32\(Default) = "D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Ochrona WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Ochrona WWW"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
iPod Service, iPod Service, ""D:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Kaspersky Anti-Virus 6.0, AVP, "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r" ["Kaspersky Lab"]
SolidPDFConverterReadSpool, ScReadSpool, "D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe" ["VoyagerSoft, LLC"]
TrueVector Internet Monitor, vsmon, "D:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 195 seconds, including 8 seconds for message boxes)