“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “HDDHealth” = “C:\Program Files\HDD Health\HDDHealth.exe -wl” [“PANTERASoft”] “Google Desktop Search” = ““C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup” [file not found] “ADS” = “C:\Windows\ADS.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe” [“HP”] “Dit” = “Dit.exe” [“ICSI Technology Ltd.”] “WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\Program Files\Neostrada TP\taskbaricon.exe” [“France Télécom R&D”] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “CloneCDTray” = ““C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s” [“SlySoft, Inc.”] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “Zone Labs Client” = ““C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “MediaFace Integration” = “C:\Program Files\Fellowes\MediaFACE 5.0\SetHook.exe” [“Fellowes, Inc.”] “PWRISOVM.EXE” = “C:\Program Files\PowerISO\PWRISOVM.EXE” [“PowerISO Computing, Inc.”] “Ulead Quick-Drop” = ““C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\Quick-Drop.exe” WINDOWCALL” [“Ulead Systems, Inc.”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch5 Class” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\jccatch.dll” [“FlashGet”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] {85F685C3-20D9-4943-95E4-EB4224056C3F}(Default) = (no title provided) -> {HKLM…CLSID} = “Expressivo” \InProcServer32(Default) = “C:\Program Files\ivo\Expressivo Demo\IH_iexplore.dll” [“IVO Software Sp. z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{D0FAC080-AE1A-11ce-8016-CE90976DC901}” = “Picture Publisher File Viewer” -> {HKLM…CLSID} = “Picture Publisher File Viewer” \InProcServer32(Default) = “ppiv30.dll” [null data] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” = “Multiscan” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] “{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}” = “MediaFace Shell Extension” -> {HKLM…CLSID} = “MediaFace Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Fellowes\MediaFACE 5.0\MFShlExt.dll” [“Fellowes, Inc.”] “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” = “PowerISO” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ MediaFaceShellExtension(Default) = “{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}” -> {HKLM…CLSID} = “MediaFace Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Fellowes\MediaFACE 5.0\MFShlExt.dll” [“Fellowes, Inc.”] MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “/u\mksshell.dll” [file not found] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ MediaFaceShellExtension(Default) = “{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}” -> {HKLM…CLSID} = “MediaFace Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Fellowes\MediaFACE 5.0\MFShlExt.dll” [“Fellowes, Inc.”] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “/u\mksshell.dll” [file not found] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] ZLAVShExt(Default) = “{D9872D13-7651-4471-9EEE-F0A00218BEBB}” -> {HKLM…CLSID} = “ZLAVShExt Class” \InProcServer32(Default) = “C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll” [“Zone Labs, LLC”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Startup items in “Arek” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\Arek\Menu Start\Programy\Autostart “irPC” -> shortcut to: “C:\Program Files\irPC\irPC.exe” [“www.ELMAK.pl”] “UniSpiker-2.6” -> shortcut to: “C:\Program Files\ivo\UniSpiker-2.6\uni_spiker-2.6.exe” [null data] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Action Manager 32” -> shortcut to: “C:\Program Files\ScannerU\AM32.exe” [null data] “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Expressivo” -> shortcut to: “C:\Program Files\ivo\Expressivo Demo\expressivo.exe” [“IVO Software Sp. z o.o.”] “InterVideo WinCinema Manager” -> shortcut to: “C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe” [“InterVideo Inc.”] “Kalendarz XP” -> shortcut to: “C:\Program Files\Kalendarz XP\Kalendarz.exe” [null data] “U.S. Robotics 802.11g Wireless Network Utility” -> shortcut to: “C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe” [“U.S. Robotics”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\ZoneLabs\vetredir.dll [“Computer Associates International, Inc.”], 01 - 03, 25 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 24 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{85F685C3-20D9-4943-95E4-EB4224056C3F}” = “Expressivo” -> {HKLM…CLSID} = “Expressivo” \InProcServer32(Default) = “C:\Program Files\ivo\Expressivo Demo\IH_iexplore.dll” [“IVO Software Sp. z o.o.”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\PROGRA~1\FlashGet\flashget.exe” [“FlashGet.com”] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ CA ISafe, CAISafe, “C:\WINDOWS\system32\ZoneLabs\isafe.exe” [“Computer Associates International, Inc.”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NetAccess Service, NA_Service, “C:\WINDOWS\system32\NA_Service.exe” [“Schneider Automation SAS”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt04\Driver = “hpzlnt04.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 229 seconds, including 18 seconds for message boxes)