heres the log:
"Silent Runners.vbs", revision 58,
http://www.silentrunners.org/Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ntuser" = "C:\WINDOWS\system32\drivers\spools.exe" [null data]
"IEUpdate" = "C:\WINDOWS\system32\a3dp.exe" [null data]
"autoload" = "C:\Documents and Settings\sbalsinger\cftmon.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ntuser" = "C:\WINDOWS\system32\drivers\spools.exe" [null data]
"IEUpdate" = "C:\WINDOWS\system32\a3dp.exe" [null data]
"autoload" = "C:\Documents and Settings\sbalsinger\cftmon.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{EEB5B6C2-E405-11d0-9318-0004AC946C18}" = "AS/400 Shell Extensions - AS/400 IPL"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - AS/400 IPL"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunas4.dll" ["IBM Corporation"]
"{38482e00-0ad5-11cf-bc9d-0004ac325a18}" = "AS/400 Network"
-> {HKLM...CLSID} = "AS/400 Network"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{DCA251A0-38AC-11d0-82BD-08005AA74F5C}" = "AS/400 Shell Extensions - AS/400 Network"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - AS/400 Network"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{8CA2EBC1-40C7-4451-AD01-7DEEB4690358}" = "AS/400 Related Tasks"
-> {HKLM...CLSID} = "AS/400 Related Tasks"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{5E44E520-2F69-11d1-9318-0004AC946C18}" = "AS/400 Shell Extensions - Auto Refresh"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Auto Refresh"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunarf.dll" ["IBM Corporation"]
"{C94AFD20-98C1-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Drag Drop Handler"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Drag Drop Handler"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunddh.dll" ["IBM Corporation"]
"{870C83E1-FF73-11cf-B7F1-0004AC7609F6}" = "AS/400 Shell Extensions - File Systems Properties"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - File Systems Properties"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunfsf.dll" ["IBM Corporation"]
"{1827A857-9C20-11d1-96C3-00062912C9B2}" = "AS/400 Shell Extensions - Java Components"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Java Components"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjav.dll" ["IBM Corporation"]
"{DCAF7D81-60C4-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Send Message"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Send Message"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgs.dll" ["IBM Corporation"]
"{C60EF841-2F98-11d1-A19A-08005A4F659F}" = "AS/400 Shell Extensions - NFS Server"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - NFS Server"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunnfs.dll" ["IBM Corporation"]
"{8D742A40-77FF-11CF-8877-444553540000}" = "AS/400 Shell Extensions - Security"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Security"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunsec.dll" ["IBM Corporation"]
"{040606B2-1C19-11d2-AA12-08005AD17735}" = "AS/400 Shell Extensions - Visual Basic Components"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Visual Basic Components"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cwbunvba.dll" ["IBM Corporation"]
"{D63E20C4-3F6D-11d3-BCE6-002035C0A6DA}" = "AS/400 Shell Extensions - Journaling"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Journaling"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjrn.dll" ["IBM Corporation"]
"{01FE9570-15A3-11d2-8309-000629AA1859}" = "AS/400 Shell Extensions - Management Central"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypc.dll" ["IBM Corporation"]
"{7D7E1B60-0EF8-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypc.dll" ["IBM Corporation"]
"{3B453C20-21CD-11d2-8318-000629AA1859}" = "AS/400 Shell Extensions - Management Central SW Inventory"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central SW Inventory"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{4CE18940-3E8B-11d2-834B-000629AA1859}" = "AS/400 Shell Extensions - Management Central HW Inventory"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central HW Inventory"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{B08B7EAD-2FD4-11d3-917F-00203531488C}" = "AS/400 Shell Extensions - Management Central Inventory Tasks"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks - Inventory"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{90BE6B50-1041-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Endpoint Systems"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central Endpoint Systems"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypg.dll" ["IBM Corporation"]
"{E4C59510-1050-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central System Groups"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Management Central System Groups"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypg.dll" ["IBM Corporation"]
"{C2661801-FFE8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Messages"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Messages"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgf.dll" ["IBM Corporation"]
"{22982561-EEC8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Spool Files"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Spool Files"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunouf.dll" ["IBM Corporation"]
"{8514E881-FF45-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Printers"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Printers"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunprf.dll" ["IBM Corporation"]
"{FF142762-FAB1-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Jobs"
-> {HKLM...CLSID} = "AS/400 Shell Extensions - Jobs"
\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjbf.dll" ["IBM Corporation"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> __c00A8054\DLLName = "C:\WINDOWS\system32\__c00A8054.dat" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "C:\WINDOWS\system32\drivers\spools.exe "%1" %*" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\sbalsinger\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Broadcom ASF IP monitoring service v6.0.4, BAsfIpM, "C:\WINDOWS\system32\basfipm.exe" ["Broadcom Corp."]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["TightVNC Group"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
---------- (launch time: 2008-05-28 09:20:08)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 61 seconds, including 36 seconds for message boxes)