"Silent Runners.vbs", revision 36,
http://www.silentrunners.org/Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"xifwts" = "C:\WINNT\system32\xifwts.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LTWinModem1" = "ltmsg.exe 9" ["Agere Systems"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\apppatch\slayerui.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL" ["Hummingbird Ltd."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" = "NetFerret IE Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\FerretSoft\WebFerret\FerretBand.dll" [null data]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{80230FFA-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE DeskBand Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{80230FFC-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{80230FFE-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE Shell"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
Enabled Wallpaper and Active Desktop:
-------------------------------------
Active Desktop is enabled.
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Laura11.jpg"
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\palmOne\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe" ["The Linksys Group, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Hummingbird Inetd, HCLInetd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe" ["Hummingbird Ltd."]
Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe" ["Hummingbird Ltd."]
IBM PM Service, IBMPMSVC, "C:\WINNT\system32\ibmpmsvc.exe" [null data]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Thanks,
John