“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
jestem nowy forum niewiem zgóry dziekóje
w jeden dzien komp się zmienił jak by niemój był.
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“MsnMsgr” = ““C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background” [file not found]
“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“ares” = ““C:\Program Files\Ares\Ares.exe” -h” [“Ares Development Group”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“osCheck” = ““C:\Program Files\Norton Internet Security\osCheck.exe”” [“Symantec Corporation”]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“lxccmon.exe” = ““C:\Program Files\Lexmark 3300 Series\lxccmon.exe”” [“Lexmark International, Inc.”]
“IgfxTray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”]
“HotKeysCmds” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”]
“FaxCenterServer” = ““C:\Program Files\Lexmark Fax Solutions\fm3032.exe” /s” [null data]
“dvd43” = “C:\Program Files\dvd43\dvd43_tray.exe” [“Captain Red”]
“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]
“LXCCCATS” = “rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll” [“Symantec Corporation”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{9030D464-4C02-4ABF-8ECC-5164760863C6}(Default) = (no title provided)
-> {HKLM…CLSID} = “Windows Live Sign-in Helper”
\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll” [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}(Default) = (no title provided)
-> {HKLM…CLSID} = “Windows Live Toolbar Helper”
\InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare”
-> {HKLM…CLSID} = “NetWare Objects”
\InProcServer32(Default) = “nwprovau.dll” [MS]
“{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare”
-> {HKLM…CLSID} = “NetWare UNC Folder Menu”
\InProcServer32(Default) = “nwprovau.dll” [MS]
“{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare”
-> {HKLM…CLSID} = “NetWare Hood Verbs”
\InProcServer32(Default) = “nwprovau.dll” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}”
-> {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll” [“Symantec Corporation”]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}”
-> {HKLM…CLSID} = “NetWare UNC Folder Menu”
\InProcServer32(Default) = “nwprovau.dll” [MS]
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}”
-> {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll” [“Symantec Corporation”]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\piotr\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS]
Enabled Scheduled Tasks:
“User_Feed_Synchronization-{03F06B3A-2E9D-45AB-AF4C-F66DF4FFDEFE}” -> launches: “C:\WINDOWS\system32\msfeedssync.exe sync” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 21 - 22
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}”
-> {HKLM…CLSID} = “Windows Live Toolbar”
\InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS]
“{F2CF5485-4E02-4F68-819C-B92DE9277049}”
-> {HKLM…CLSID} = “&Links”
\InProcServer32(Default) = “C:\WINDOWS\system32\ieframe.dll” [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{90222687-F593-4738-B738-FBEE9C7B26DF}” = “NCO Toolbar”
-> {HKLM…CLSID} = “Show Norton Toolbar”
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll” [“Symantec Corporation”]
“{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” = (no title provided)
-> {HKLM…CLSID} = “Windows Live Toolbar”
\InProcServer32(Default) = “C:\Program Files\Windows Live Toolbar\msntb.dll” [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.6.0_01”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.6.0_01”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
“MenuText” = “@xpsp3res.dll,-20001”
“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, “C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe” [MS]
Ares Chatroom server, AresChatServer, “C:\Program Files\Ares\chatServer.exe” [“Ares Development Group”]
COM Host, comHost, ““C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe”” [“Symantec Corporation”]
Harmonogram automatycznej usługi LiveUpdate, Harmonogram automatycznej usługi LiveUpdate, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”]
Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS]
LiveUpdate, LiveUpdate, ““C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE”” [“Symantec Corporation”]
lxcc_device, lxcc_device, “C:\WINDOWS\system32\lxcccoms.exe -service” [“Lexmark International, Inc.”]
SmartLinkService, SLService, “slserv.exe” [" "]
Symantec AppCore Service, SymAppCore, ““C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe”” [“Symantec Corporation”]
Symantec Core LC, Symantec Core LC, ““C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe”” [“Symantec Corporation”]
Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h ccCommon” [“Symantec Corporation”]
Symantec IS Password Validation, ISPwdSvc, ““C:\Program Files\Norton Internet Security\isPwdSvc.exe”” [“Symantec Corporation”]
Symantec Lic NetConnect service, CLTNetCnService, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h cltCommon” [“Symantec Corporation”]
Symantec Network Proxy, ccProxy, ““C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”]
Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe” /h ccCommon” [“Symantec Corporation”]
Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”]
Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]}
Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]}
Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\MsPMSNSv.dll” [MS]}
Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ““C:\Program Files\Windows Media Player\WMPNetwk.exe”” [MS]
Windows CardSpace, idsvc, ““C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe”” [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, “C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup” {“C:\WINDOWS\System32\WUDFSvc.dll” [MS]}
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, “c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe” [MS]
„Usługa stanu ASP.NET, aspnet_state, “C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe” [MS]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
3300 Series Port\Driver = “lxcclmpm.DLL” [“Lexmark International, Inc.”]
<>: Suspicious data at a malware launch point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 37 seconds, including 5 seconds for message boxes)
:shock: