jeg sender lige noget mere
"Silent Runners.vbs", revision R50,
http://www.silentrunners.org/Operating System: Windows Vista RC1
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"SUPERAntiSpyware" = "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (
www.cmedia.com.tw)"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{E7DE9B1A-7533-4556-9484-B26FB486475E}" = (no title provided)
-> {HKLM...CLSID} = "Network Map"
\InProcServer32\(Default) = "C:\Windows\system32\shdocvw.dll" [MS]
"{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486}" = "IGD Property Sheet Handler"
-> {HKLM...CLSID} = "IGD Property Page"
\InProcServer32\(Default) = "C:\Windows\System32\icsigd.dll" [MS]
"{8856f961-340a-11d0-a96b-00c04fd705a2}" = "Microsoft Web Browser"
-> {HKLM...CLSID} = "Microsoft Web Browser"
\InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]
"{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}" = "MSHTML Document"
-> {HKLM...CLSID} = "MHTML Document"
\InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]
"{25336920-03f9-11cf-8fd0-00aa00686f13}" = "HTML Document"
-> {HKLM...CLSID} = "HTML Document"
\InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]
"{74246bfc-4c96-11d0-abef-0020af6b0b7a}" = "Device Manager"
-> {HKLM...CLSID} = "Device Manager"
\InProcServer32\(Default) = "C:\Windows\System32\devmgr.dll" [MS]
"{44f3dab6-4392-4186-bb7b-6282ccb7a9f6}" = "MyDocuments menu and properties"
-> {HKLM...CLSID} = "MyDocuments menu and properties"
\InProcServer32\(Default) = "C:\Windows\system32\mydocs.dll" [MS]
"{D34A6CA6-62C2-4C34-8A7C-14709C1AD938}" = "Common Places Folder"
-> {HKLM...CLSID} = "Common Places FS Folder"
\InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]
"{865e5e76-ad83-4dca-a109-50dc2113ce9a}" = "Programs Folder and Fast Items"
-> {HKLM...CLSID} = "Programs Folder and Fast Items"
\InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]
"{21ec2020-3aea-1069-a2dd-08002b30309d}" = "Control Panel"
-> {HKLM...CLSID} = "Control Panel"
\InProcServer32\(Default) = "shell32.dll" [MS]
"{25585dc7-4da0-438d-ad04-e42c8d2d64b9}" = "Client application shell extension"
-> {HKLM...CLSID} = "Client application shell extension"
\InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]
"{4d5c8c2a-d075-11d0-b416-00c04fb90376}" = "Microsoft CommBand"
-> {HKLM...CLSID} = "Microsoft CommBand"
\InProcServer32\(Default) = "C:\Windows\system32\browseui.dll" [MS]
"{92337A8C-E11D-11D0-BE48-00C04FC30DF6}" = "OlePrn.PrinterURL"
-> {HKLM...CLSID} = "prturl Class"
\InProcServer32\(Default) = "C:\Windows\system32\oleprn.dll" [MS]
"{16C2C29D-0E5F-45f3-A445-03E03F587B7D}" = "group_wab_auto_file"
-> {HKLM...CLSID} = ".group shell context menu"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]
"{CF67796C-F57F-45F8-92FB-AD698826C602}" = "contact_wab_auto_file"
-> {HKLM...CLSID} = ".contact shell context menu"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]
"{90b9bce2-b6db-4fd3-8451-35917ea1081b}" = "Search Execute Command"
-> {HKLM...CLSID} = "CLSID_SearchExecute"
\InProcServer32\(Default) = "ExplorerFrame.dll" [MS]
"{1a184871-359e-4f67-aad9-5b9905d62232}" = "Microsoft Windows Font File Context Menu Handler"
-> {HKLM...CLSID} = "Microsoft Windows Font Context Menu Handler"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{8a7cae0e-5951-49cb-bf20-ab3fa1e44b01}" = "Microsoft Windows Font Previewer"
-> {HKLM...CLSID} = "Microsoft Windows Font Preview Handler"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{BC65FB43-1958-4349-971A-210290480130}" = "Network Explorer Property Sheet Handler"
-> {HKLM...CLSID} = "Ncd Property Page"
\InProcServer32\(Default) = "C:\Windows\System32\NcdProp.dll" [MS]
"{0a4286ea-e355-44fb-8086-af3df7645bd9}" = "Windows Media Player"
-> {HKLM...CLSID} = "&Windows Media Player"
\InProcServer32\(Default) = "C:\PROGRA~1\WI4EB4~1\wmpband.dll" [MS]
"{BB6B2374-3D79-41DB-87F4-896C91846510}" = "EMDFileProperties"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "emdmgmt.dll" [MS]
"{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}" = "Sync Center Simple Conflict Presenter"
-> {HKLM...CLSID} = "Simple Conflict Presenter"
\InProcServer32\(Default) = "C:\Windows\System32\SyncCenter.dll" [MS]
"{00f20eb5-8fd6-4d9d-b75e-36801766c8f1}" = "PhotoAcqDropTarget"
-> {HKLM...CLSID} = "PhotoAcqDropTarget"
\InProcServer32\(Default) = "C:\Program Files\Windows Photo Gallery\PhotoAcq.dll" [MS]
"{91ADC906-6722-4B05-A12B-471ADDCCE132}" = "Touch Band"
-> {HKLM...CLSID} = "Touch Pointer"
\InProcServer32\(Default) = "C:\Windows\System32\TouchX.dll" [MS]
"{7D4734E6-047E-41e2-AEAA-E763B4739DC4}" = "Windows Media Player Play as Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Play Folder As Playlist Launcher"
\InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]
"{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A}" = "GameUX.RichGameMediaThumbnail"
-> {HKLM...CLSID} = "RichGameMediaThumbnail Class"
\InProcServer32\(Default) = "C:\Windows\System32\gameux.dll" [MS]
"{15D633E2-AD00-465b-9EC7-F56B7CDF8E27}" = "Tablet PC Input Panel"
-> {HKLM...CLSID} = "Tablet PC Input Panel"
\InProcServer32\(Default) = "C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll" [MS]
"{6b9228da-9c15-419e-856c-19e768a13bdc}" = "Windows gadget DropTarget"
-> {HKLM...CLSID} = "Windows gadget DropTarget"
\InProcServer32\(Default) = "C:\Program Files\Windows Sidebar\sbdrop.dll" [MS]
"{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" = "Windows Media Player Shop Music Context Menu Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mine delemapper"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) hex:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
"ConsentPromptBehaviorUser" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}
"EnableInstallerDetection" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}
"EnableSecureUIAPaths" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}
"EnableVirtualization" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}
"PromptOnSecureDesktop" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Conrol: Switch to the secure desktop when prompting for elevation}
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"FilterAdministratorToken" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}
"EnableLUA" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]
Startup items in "frank" & "All Users" startup folders:
-------------------------------------------------------
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" ["Adobe Systems Incorporated"]
"WLAN Monitor Utility" -> shortcut to: "C:\Program Files\WLAN\802.11 Wireless LAN\WWlanMonitor.exe" ["ATMEL"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 22
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
HOSTS file
----------
C:\Windows\System32\drivers\etc\HOSTS
maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Function Discovery Resource Publication, FDResPub, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\fdrespub.dll" [MS]}
IP Helper, iphlpsvc, "C:\Windows\System32\svchost.exe -k NetSvcs" {(missing data)}
Network Store Interface Service, nsi, "C:\Windows\system32\svchost.exe -k LocalService" {(missing data)}
TCP/IP NetBIOS Helper, lmhosts, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}
UPnP Device Host, upnphost, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\System32\upnphost.dll" [MS]}
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Event Log, Eventlog, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 188 seconds.
---------- (total run time: 334 seconds)
