"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 12:38
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]
"PcSync" = "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"mkstray" = "C:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]
"mks_mail" = "C:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MkS Sp. z o.o."]
"MKSRegmon" = "C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}(Default)" = "Windows Media Player"
  \StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = "SSVHelper Class"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
  -> resolves to: {CLSID}\InprocServer32(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]

Startup items in "Zygmunt" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 1200 series#1150176439" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1150176439"" [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Aktualizacje automatyczne, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bufor wydruku, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Centrum zabezpieczeń, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Dziennik zdarzeń, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Harmonogram zadań, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Instrumentacja zarządzania Windows, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Klient DHCP, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Klient DNS, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Klient śledzenia łączy rozproszonych, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
Kompozycje, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Konfiguracja zerowej sieci bezprzewodowej, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Logowanie pomocnicze, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Magazyn chroniony, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Menedżer kont zabezpieczeń, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Menedżer połączeń usługi Dostęp zdalny, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
MkS_Scan, MkS_Scan, "C:\Program Files\mks_vir_2007\bin\mks_scan.exe" [empty string]
mks_vir file monitor, MksVirMonSvc, "C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]
MksFwall, MksFwall, ""C:\Program Files\mks_vir_2007\bin\MksFwall.exe"" ["MKS Sp z o.o."]
MksPC, MksPC, ""C:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]
MksUpdate, MksUpdate, ""C:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS Sp. z o. o."]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
Pomoc i obsługa techniczna, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
Pomoc TCP/IP NetBIOS, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Połączenia sieciowe, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Program uruchamiający proces serwera DCOM, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Przeglądarka komputera, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Rozpoznawanie lokalizacji w sieci (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]
Serwer, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Stacja robocza, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}
System zdarzeń COM+, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Telefonia, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Usługa bramy warstwy aplikacji, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Usługa Czas systemu Windows, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
Usługa inteligentnego transferu w tle, BITS, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\qmgr.dll" [MS]}
Usługa odnajdywania SSDP, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Usługa przywracania systemu, srservice, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srsvc.dll" [MS]}
Usługa raportowania błędów, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Usługi IPSEC, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
Usługi kryptograficzne, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
Usługi terminalowe, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\System32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Wykrywanie sprzętu powłoki, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Zapora systemu Windows/Udostępnianie połączenia internetowego, SharedAccess, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Zawiadomienie o zdarzeniu systemowym, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Zdalne wywoływanie procedur (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Zgodność szybkiego przełączania użytkowników, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}