New
#11
here is the silent runners log as well with the supplementry scan
im not sure how to read this either, and its tough to determine if anything is "fishy" this way either.
searching the web on many of these files implies that any of the programs ive used would detect a tampered file
"Silent Runners.vbs", revision 60, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows 7
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools Lite" = ""C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun" ["DT Soft Ltd"]
"SpybotSD TeaTimer" = "C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RtHDVCpl" = "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s" ["Realtek Semiconductor"]
"MSSE" = ""C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgssiea.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}" = "NVIDIA Play On My TV Context Menu Extension"
-> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]
"{83238FAE-D346-4E12-8734-D42F7554B3E6}" = "DivX Thumbnail Provider"
-> {HKLM...CLSID} = "DivX Thumbnail Provider"
\InProcServer32\(Default) = "C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXThumbnailProvider.dll" ["DivX, Inc."]
"{D8D1CE8C-B1EB-4E95-B63B-1531BA60E992}" = "DivX Property Handler"
-> {HKLM...CLSID} = "DivX Property Handler"
\InProcServer32\(Default) = "C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXPropertyHandler.dll" ["DivX, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech, Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG Shell Extension"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "avgrssta.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<<!>> linkscanner\CLSID = "{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}"
-> {HKLM...CLSID} = "XPLPPFilter Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgppa.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
MSSE\(Default) = "{0365FE2C-F183-4091-AC82-BFC39FB75C49}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\shellext.dll" [MS]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
MSSE\(Default) = "{0365FE2C-F183-4091-AC82-BFC39FB75C49}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\shellext.dll" [MS]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
NvCplDesktopContext\(Default) = "{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}"
-> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\AVG\AVG9\avgsea.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]
MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /deviceVD "%L"" [MS]
MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]
MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]
MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L"" [MS]
WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files (x86)\Winamp\winamp.exe" "%1"" ["Nullsoft"]
Startup items in "blitz" & "All Users" startup folders:
-------------------------------------------------------
C:\Users\blitz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
<<!>> "CurseClientStartup.ccip" [null data]
Non-disabled Scheduled Tasks:
-----------------------------
C:\Users\blitz\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
C:\Windows\System32\Tasks
"{498F800C-9AA0-44D5-B5B5-47ED713147EE}" -> launches: "C:\Program Files (x86)\Skype\Phone\Skype.exe" ["Skype Technologies S.A."]
C:\Windows\System32\Tasks\Microsoft\Microsoft Antimalware
"MP Scheduled Scan" -> (HIDDEN!) launches: "C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
"AitAgent" -> launches: "aitagent" [MS]
"ProgramDataUpdater" -> launches: "%windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
"Proxy" -> launches: "%windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"KernelCeipTask" -> (HIDDEN!) launches: "{e7ed314f-2816-4c26-aeb5-54a34d02404c}"
-> {HKLM...CLSID} = "KernelCeipCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\kernelceip.dll" [MS]
"UsbCeip" -> (HIDDEN!) launches: "{c27f6b1d-fe0b-45e4-9257-38799fa69bc8}"
-> {HKLM...CLSID} = "UsbCeip"
\InProcServer32\(Default) = "C:\Windows\System32\usbceip.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
"Scheduled" -> (HIDDEN!) launches: "{c1f85ef8-bcc2-4606-bb39-70c523715eb3}"
-> {HKLM...CLSID} = "ScheduledDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\sdiagschd.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Location
"Notifications" -> launches: "%windir%\System32\LocationNotifications.exe" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
"WinSAT" -> launches: "{A9A33436-678B-4C9C-A211-7CC38785E79D}"
-> {HKLM...CLSID} = "WinSAT Task Manger Task"
\InProcServer32\(Default) = "C:\Windows\system32\WinSATAPI.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ActivateWindowsSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch" [MS]
"ConfigureInternetTimeService" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService" [MS]
"DispatchRecoveryTasks" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)" [MS]
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"InstallPlayReady" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0)" [MS]
"MediaCenterRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask" [MS]
"ObjectStoreRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)" [MS]
"PBDADiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery" [MS]
"PBDADiscoveryW1" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery" [MS]
"PBDADiscoveryW2" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery" [MS]
"PvrRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask" [MS]
"PvrScheduleTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -PvrSchedule" [MS]
"RegisterSearch" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)" [MS]
"ReindexSearchRoot" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot" [MS]
"SqlLiteRecoveryTask" -> launches: "%SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
"CorruptionDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
-> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
"DecompressionFailureDetector" -> (HIDDEN!) launches: "{190BA3F6-0205-4f46-B589-95C6822899D2}"
-> {HKLM...CLSID} = "MemoryDiagnosticCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\memdiag.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
"GatherNetworkInfo" -> launches: "%windir%\system32\gatherNetworkInfo.vbs" [null data]
C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
"AnalyzeSystem" -> launches: "%SystemRoot%\System32\powercfg.exe -energy -auto" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RacTask" -> (HIDDEN!) launches: "{42060D27-CA53-41f5-96E4-B1E8169308A6}"
-> {HKLM...CLSID} = "ReliabilityAnalysisCustomHandler"
\InProcServer32\(Default) = "C:\Windows\system32\RacEngn.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Ras
"MobilityManager" -> launches: "{c463a0fc-794f-4fdf-9201-01938ceacafa}"
-> {HKLM...CLSID} = "RasMobilityManager"
\InProcServer32\(Default) = "C:\Windows\system32\rasmbmgr.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Registry
"RegIdleBackup" -> (HIDDEN!) launches: "{ca767aa8-9157-4604-b64b-40747123d5f2}"
-> {HKLM...CLSID} = "RegistryIdleBackupHandler"
\InProcServer32\(Default) = "C:\Windows\System32\regidle.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
"Interactive" -> (HIDDEN!) launches: "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"
-> {HKLM...CLSID} = "RunTask"
\InProcServer32\(Default) = "C:\Windows\system32\wdc.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "%windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
"SynchronizeTime" -> launches: "%windir%\system32\sc.exe start w32time task_started" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
"BfeOnServiceStartTypeChange" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
"UpdateLibrary" -> launches: ""%ProgramFiles%\Windows Media Player\wmpnscfg.exe"" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
"ConfigNotification" -> launches: "%systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 10
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Free E-mail Scanner, avg9emc, ""C:\Program Files (x86)\AVG\AVG9\avgemc.exe"" ["AVG Technologies CZ, s.r.o."]
AVG Free WatchDog, avg9wd, ""C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe"" ["AVG Technologies CZ, s.r.o."]
Elite Antikeylogger monitoring service, Elite Antikeylogger monitoring service, "C:\Program Files (x86)\Widestep Software\Elite Antikeylogger\wseaksrv.exe /service" ["Widestep Security Software"]
Microsoft Antimalware Service, MsMpSvc, ""C:\Program Files\Microsoft Security Essentials\MsMpEng.exe"" [MS]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [file not found]
Accessibility Tools:
--------------------
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp\
"osk" = dword:0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\osk\
"Description" = "On-screen Keyboard"
"StartExe" = "C:\Windows\System32\osk.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
BJ Fax Language Monitor1\Driver = "CNHF1LM.DLL" ["CANON INC."]
BJ Language Monitor4\Driver = "CNBLM4.DLL" ["CANON INC."]
---------- (launch time: 2010-02-05 12:23:23)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 95 seconds.
---------- (total run time: 130 seconds)