"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ServUTrayIcon" = "C:\Apps\Serv-U\ServUTray.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ScreenManager Pro for LCD" = "C:\Apps\EIZO\ScreenManager Pro for LCD\Lcdctrl.exe" ["EIZO NANAO CORPORATION"] "Mirabilis ICQ" = "C:\Apps\ICQPRO~1\ICQ\ICQNet.exe" [null data] "CTSysVol" = "C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"] "CTDVDDET" = "C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" ["Creative Technology Ltd"] "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"] "SBDrvDet" = "C:\Program\Creative\SB Drive Det\SBDrvDet.exe /r" ["Creative Technology Ltd"] "DeviceDiscovery" = "C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"] "Zone Labs Client" = "C:\Apps\ZoneAlarmPro\zapro.exe" ["Zone Labs Inc."] "TCASUTIEXE" = "TCAUDIAG.exe -off" [empty string] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS] "SunJavaUpdateSched" = "C:\Program\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."] "WinVNC" = ""C:\Apps\UltraVNC\winvnc.exe" -servicehelper" ["UltraVNC"] "HP Software Update" = ""C:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"] "HP Component Manager" = ""C:\Program\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"] "ATIPTA" = "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "ekort" = "C:\Program\ekort\ekort.exe /dontopenmycards" ["Orbiscom Ltd. All rights reserved."] "iTunesHelper" = ""C:\Apps\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Program\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "SpySweeper" = ""C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D}\(Default) = "e-kort Browser Helper Object" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Bhoekort.dll" ["Orbiscom Ltd. All rights reserved."] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\Apps\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrollpanelstillägg för bildskärmspanorering" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikontillägg" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Delade filer\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\msohev.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\WinRAR\rarext.dll" [null data] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\ICQPRO2003b\ICQ\ICQShExt.dll" ["ICQ"] "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"] "{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\apps\Eraser\erasext.dll" ["-"] "{04466240-beb3-11d1-be1c-00aa006b77f4}" = "WebDrive Shell Extension" -> {CLSID}\InProcServer32\(Default) = "rfshext.dll" ["South River Technologies, LLC"] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\NikonView6\NkvDropExt.dll" ["Nikon Corporation"] "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED4490}" = "Anapod Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\Anapod Explorer\anapodpw.dll" ["Red Chair Software, Inc."] "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\apps\Eraser\erasext.dll" ["-"] ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\ICQPRO2003b\ICQ\ICQShExt.dll" ["ICQ"] LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Delade filer\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}" -> {CLSID}\InProcServer32\(Default) = "rfshext.dll" ["South River Technologies, LLC"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\ICQPRO2003b\ICQ\ICQShExt.dll" ["ICQ"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\apps\Eraser\erasext.dll" ["-"] LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Delade filer\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}" -> {CLSID}\InProcServer32\(Default) = "rfshext.dll" ["South River Technologies, LLC"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Apps\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\APPS\WINZIP8.1\WZSHLSTB.DLL" ["WinZip Computing, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Daniel\Lokala inställningar\Application Data\Microsoft\Wallpaper1.bmp" Startup items in "Daniel" & "All Users" startup folders: -------------------------------------------------------- C:\Documents and Settings\Daniel\Start-meny\Program\Autostart "Anapod Manager" -> shortcut to: "C:\Apps\Anapod Explorer\anamgr.exe" ["Red Chair Software, Inc."] "Monitor Apache Servers" -> shortcut to: "C:\Program\Apache Group\Apache2\bin\ApacheMonitor.exe" ["Apache Software Foundation"] "ServUDaemon" -> shortcut to: "C:\Apps\Serv-U\ServUDaemon.exe" [file not found] C:\Documents and Settings\All Users\Start-meny\Program\Autostart "Adobe Gamma Loader" -> shortcut to: "C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] "HP Digital Imaging Monitor" -> shortcut to: "C:\Program\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."] "Microsoft Office" -> shortcut to: "C:\Program\Microsoft Office\Office10\OSA.EXE -b -l" [MS] "NkvMon.exe" -> shortcut to: "C:\Apps\NikonView6\NkvMon.exe" ["Nikon Corporation"] "Tray Monitor" -> shortcut to: "C:\Apps\Serv-U\ServUTray.exe" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java-konsol" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}" -> {CLSID}\InProcServer32\(Default) = "C:\Program\Java\jre1.5.0_03\bin\npjpi150_03.dll" ["Sun Microsystems, Inc."] {4C730913-3961-439B-83D5-F4E445520422}\ "ButtonText" = "e-kort" "Exec" = "C:\Program\ekort\ekort.exe" ["Orbiscom Ltd. All rights reserved."] {6224F700-CBA3-4071-B251-47CB894244CD}\ "ButtonText" = "ICQ Pro" "MenuText" = "ICQ" "Exec" = "C:\Apps\ICQPRO~1\ICQ\ICQ.exe" ["ICQ Inc."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program\Messenger\msmsgs.exe" [MS] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 1 domain name to an IP address, 1 of the IP addresses is *not* localhost! All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Adobe LM Service, Adobe LM Service, ""C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe"" [null data] Apache2, Apache2, ""C:\Program\Apache Group\Apache2\bin\Apache.exe" -k runservice" ["Apache Software Foundation"] ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] ATI Smart, ATI Smart, "C:\WINDOWS\system32\ati2sgag.exe" [empty string] Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]} Cisco Systems, Inc. VPN Service, CVPND, ""C:\Apps\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."] Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"] DefWatch, DefWatch, ""C:\Program\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"] Diskeeper, Diskeeper, ""C:\Program\Executive Software\Diskeeper\DkService.exe"" ["Executive Software International, Inc."] HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]} iPod Service, iPodService, "C:\Program\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corporation, Veritas Software"] MySQL41, MySQL41, ""C:\Program\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\Program\MySQL\MySQL Server 4.1\my.ini" MySQL41" [null data] Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]} Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"] Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]} Symantec AntiVirus Client, Norton AntiVirus Server, ""C:\Program\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"] TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."] VNC Server, winvnc, ""C:\Apps\UltraVNC\winvnc.exe" -service" ["UltraVNC"] WebDrive Service, WebDriveService, "C:\Apps\WebDrive\wdservice.exe" [null data] Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 45 seconds, including 18 seconds for message boxes)