"Silent Runners.vbs", revision 53, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS] "LaunchList" = "C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe" [file not found] "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount" [file not found] "H/PC Connection Agent" = ""C:\PROGRA~1\MICROS~3\wcescomm.exe"" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "PMHandler" = "C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" ["Lenovo"] "cssauth" = ""C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent" ["Lenovo Group Limited"] "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"] "OmniPass" = "C:\Program Files\Softex\OmniPass\scureapp.exe" [null data] "ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" [file not found] "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" [file not found] "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"] "snp2std" = "C:\WINDOWS\vsnp2std.exe" ["Sonix"] "igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"] "Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."] "TPWAUDAP" = "C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [null data] "Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string] {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar BHO" -> {HKLM...CLSID} = "Winamp Toolbar BHO" \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {F040E541-A427-4CF7-85D8-75E3E0F476C5}\(Default) = "ThinkVantage Password Manager" -> {HKLM...CLSID} = "CPwmIEBrowserHelper Object" \InProcServer32\(Default) = "C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll" ["Lenovo Group Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete" -> {HKLM...CLSID} = "IE Microsoft AutoComplete" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places" -> {HKLM...CLSID} = "Moje miejsca interfejsu Bluetooth" \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."] "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}" = "OmniPass Shell Extension" -> {HKLM...CLSID} = "Softex OmniPass Encrypted File" \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."] "{D5B1944E-DB4E-482E-B3F1-DB05827F0978}" = "OmniPass ShellNameSpace Extension" -> {HKLM...CLSID} = "Softex OmniPass Encrypted Folder" \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"] "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell" -> {HKLM...CLSID} = "Studio.Project" \InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 11\programs\BlueShellExt.dll" [file not found] "{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki dla ochrony WWW" -> {HKLM...CLSID} = "Statystyki dla ochrony WWW" \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"] "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device" -> {HKLM...CLSID} = "Mobile Device" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Wcesview.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"] HKLM\System\CurrentControlSet\Control\Session Manager\ <> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"] <> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"] <> OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data] <> tphotkey\DLLName = "C:\Program Files\Lenovo\HOTKEY\tphklock.dll" [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"] OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}" -> {HKLM...CLSID} = "Softex OmniPass Encrypted File" \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."] VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}" -> {HKLM...CLSID} = "AmvTransform Class" \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 3.68\AMVTools\AmvTransform.dll" [file not found] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ OPShellExt\(Default) = "{D0CE97A0-415B-42E9-B251-34393AF2D5F6}" -> {HKLM...CLSID} = "Softex OmniPass Encrypted File" \InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opfolderext.dll" ["Softex Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Pulpit\MIREK\ok.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Mirosław\Pulpit\MIREK\ok.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS] Startup items in "Mirosław" & "All Users" startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "BTTray" -> shortcut to: "C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 29 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 28 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" -> {HKLM...CLSID} = "Winamp Toolbar" \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar" -> {HKLM...CLSID} = "Winamp Toolbar" \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki dla ochrony WWW" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"] HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {0045D4BC-5189-4B67-969C-83BB1906C421}\ "MenuText" = "ThinkVantage Password Manager..." "CLSIDExtension" = "{0FE81B52-73FA-425F-8F06-3F32451AC73F}" -> {HKLM...CLSID} = "CPwmIEToolsMenuItem Object" \InProcServer32\(Default) = "C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll" ["Lenovo Group Limited"] {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ "ButtonText" = "Create Mobile Favorite" "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {HKLM...CLSID} = "Create Mobile Favorite" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\INetRepl.dll" [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ "MenuText" = "Create Mobile Favorite..." "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {HKLM...CLSID} = "Create Mobile Favorite" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\INetRepl.dll" [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): (unwritable string) Missing lines (compared with English-language version): [Version]: 2 lines [RestoreHomePage]: 1 line [RestoreHomePage.reg]: 1 line [RestoreBrowserSettings.reg]: 12 lines [DeleteTemplates.reg]: 5 lines [DeleteAutosearch.reg]: 1 line [Strings]: 1 line [RestoreBrowserSettings]: 2 lines [Strings]: 3 lines Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"] Bluetooth Service, btwdins, "C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."] Fn+F5 Service, FNF5SVC, "C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe" ["Lenovo."] Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"] Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"] Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "] Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] PMSveH, PMSveH, "C:\Program Files\Lenovo\PM Driver\PMSveH.exe" ["Lenovo"] Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" ["Softex Inc."] ThinkVantage Registry Monitor Service, ThinkVantage Registry Monitor Service, ""C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe"" [null data] Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] Port drukarki interfejsu Bluetooth\Driver = "bthcrp.dll" ["Broadcom Corporation."] ---------- (launch time: 2007-12-07 11:07:19) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 107 seconds. ---------- (total run time: 225 seconds)