"Silent Runners.vbs", revision 35,
http://www.silentrunners.org/Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"sudcvpirpp.exe" = "C:\WINDOWS\system\sudcvpirpp.exe" [file not found]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Acme.PCHButton" = "C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe" ["Motive Communications, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"ACE Mega CoDecS Pack" = "C:\windows\ACE Mega CoDecS Pack.exe" [file not found]
"Mozilla Quick Launch" = ""C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo" ["Mozilla Foundation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"ccApp" = ""c:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{23EF5EB9-71F5-47D3-AD20-0562E35CC780}\(Default) = "iuctg" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\iuctg.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}" = "OmniPass Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.5\contmenu.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
Default executables:
--------------------
.BAT: HKLM\SOFTWARE\Classes\batfile\shell\open\command\
INFECTION WARNING! "Default" = "C:\windows\WinBat.exe %1"
Enabled Wallpaper and Active Desktop:
-------------------------------------
Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------
INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"Updates from HP" -> shortcut to: "C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe -startup" [null data]
Enabled Scheduled Tasks:
------------------------
"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\
-> {CLSID}\(Default) = "hp toolkit"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\
-> {CLSID}\(Default) = "hp toolkit"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\
(Default) = "hp toolkit"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton Personal Firewall Accounts Manager, NISUM, ""c:\Program Files\Norton Personal Firewall\NISUM.EXE"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" [null data]
Symantec Event Manager, ccEvtMgr, ""c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Proxy Service, ccPxySvc, ""c:\Program Files\Norton Personal Firewall\ccPxySvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
here we are
Sexy