"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SystemTray" = "SysTray.Exe" [MS] "Synchronization Manager" = "mobsync.exe /logon" [MS] "Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++} "(Default)" = (empty string) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! 
Inc."] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\MLSHEXT.DLL" [MS] "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS] "{FACEB421-912E-11D3-B7D5-0080AD41AF95}" = "ZipStar Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPEEDPROJECT\ZIPSTAR 4\ZSSHELL.DLL" ["SpeedProject"] "{0D302F2C-8EA6-11CE-B035-444553540000}" = "pcANYWHERECallerShellExt" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"] "{92A681A0-9f0D-11CE-B035-444553540000}" = "pcANYWHERECallerPage" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"] 
"{DF44ACC1-972F-11CE-B035-444553540000}" = "pcANYWHERERemoteCtrlShellExt" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"] "{92a681a1-9f0d-11CE-B035-444553540000}" = "pcANYWHERERemoteCtrlPage" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"] "{DF44ACC2-972F-11CE-B035-444553540000}" = "pcANYWHEREBeHostExt" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"] "{92A681A2-9f0D-11CE-B035-444553540000}" = "pcANYWHEREBeHostPage" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"] "{DF44ACC3-972F-11CE-B035-444553540000}" = "pcANYWHEREOnlineSvcExt" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"] "{92A681A3-9f0D-11CE-B035-444553540000}" = "pcANYWHEREOnlineSvcPage" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"] "{DF44ACC4-972F-11CE-B035-444553540000}" = "pcANYWHEREGatewayExt" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshell.DLL" ["Symantec Corporation"] "{92A681A4-9f0D-11CE-B035-444553540000}" = "pcANYWHEREGatewayPage" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Symantec\pcAnywhere\awshllpg.DLL" ["Symantec Corporation"] "{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\B4FM.dll" [null data] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! 
Inc."] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: "] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! 
"GinaDLL" = "C:\WINDOWS\System32\awgina.dll" ["Symantec Corporation"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINDOWS\WebshotsForSysadmin.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\Webshots.scr" ["Auralis, Inc."] Startup items in "sysadmin" & "All Users" startup folders: ---------------------------------------------------------- C:\Documents and Settings\sysadmin\Start Menu\Programs\Startup "Webshots" -> shortcut to: "C:\Program Files\Webshots\WebshotsTray.exe" ["The Webshots Corporation"] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"] Enabled Scheduled Tasks: ------------------------ "Modem & Network" -> launches: "C:\WINDOWS\Desktop\modem network.BHF" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 08, 11 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! 
Companion" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."] {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKCU\Software\Microsoft\Internet Explorer\Extensions\ {C02E3700-038B-11D6-9DFD-00065B61A109}\ "ButtonText" = "Dell Home" "Exec" = "http://business.dellnet.com/" [file not found] HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."] {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ "ButtonText" = "Messenger" "MenuText" = "Yahoo! Messenger" "CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! 
Inc."] {4982D40A-C53B-4615-B15B-B5B5E98D167C}\ "ButtonText" = "AOL Toolbar" "MenuText" = "AOL Toolbar" "CLSIDExtension" = "{4982D40A-C53B-4615-B15B-B5B5E98D167C}" {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ "ButtonText" = "Real.com" Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"] Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"] ObjectStore Cache Manager R6.0, ObjectStore Cache Manager R6.0, "C:\ODI\OStore\BIN\OSCMGR6.EXE" ["eXcelon Corp."] ObjectStore Server R6.0, ObjectStore Server R6.0, "C:\ODI\OStore\BIN\OSSERVER.EXE" ["eXcelon Corp."] ptssvc, ptssvc, "C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe" ["KODAK"] Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ "UpperFilters" = INFECTION WARNING! "aw_host" [file not found] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- Reviewer notes on reading this report: The three "INFECTION WARNING!" tags mark registry locations that malware commonly abuses (Explorer ShellExecuteHooks, the Winlogon GinaDLL, and the keyboard-class UpperFilters) and should be read as "verify this entry", not as a confirmed infection. Here they point at ewido's shell hook (the "TODO: " company string is an unfilled version resource on the vendor's own DLL, not evidence of tampering), at awgina.dll carrying a "Symantec Corporation" company string, which is consistent with the pcAnywhere shell extensions listed earlier in this report, and at an "aw_host" keyboard filter whose driver file is missing — presumably a pcAnywhere host remnant; confirm whether pcAnywhere was partially removed, since no pcAnywhere host service appears in the running-services list at report time. The entry that does warrant a hash lookup or vendor check is "ShellPlusContextMenu" -> C:\WINDOWS\SYSTEM32\B4FM.dll [null data]: it sits in System32, carries no company or version information, and nothing else on this page attributes it to an installed product. The bracketed company names appear to be read from each file's version resource (note "TODO: " and "null data") rather than from an Authenticode signature check, so they can be set to anything by whoever built the file; treat them as hints, not proof of origin. The remaining oddities — deskpan.dll [file not found], the "Modem & Network" scheduled task launching a missing .BHF file, and the AOL Toolbar extension whose CLSID shows no InProcServer32 target here — look like stale leftovers and are hygiene items rather than indicators. Separately, ObjectStore Server R6.0 is a database server service running on a desktop; confirm it is still needed and whether it accepts network connections, since this report does not show listening ports.