**************************************************************************** * GetRunKeys.Bat - (c) 01/28/2006 By Chaslang * * Beta only partially supports Win9x and ME * * 06/10/2006 Version 1.49 beta * **************************************************************************** * Most of the entries reported below are legitimate and not malicious. Do not * * delete, disable or modify any of them until an expert has reviewed this log. * **************************************************************************** Windows OS is Microsoft Windows XP [Version 5.1.2600] It's Wed October 4, 2006 09:34:24 PM ****************************************************************************** ShowNew installation folder and files "E:\My Downloads\GetRunKey\" getrun~1.bat 30 Sep 2006 43653 "GetRunKey.bat" grep.exe 14 Apr 2003 80412 "grep.exe" locate.com 13 Jan 2005 11254 "locate.com" ltime.exe 28 Oct 1986 13184 "ltime.exe" 4 items found: 4 files, 0 directories. Total of file sizes: 148,503 bytes 145.02 K ---------------------------------------------------------------------------- Listing Standard Startup (Run) Registry Keys ---------------------------------------------------------------------------- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe" "Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run] "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask" "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe" "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe" "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe" "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe" 
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe" "CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe" "KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\ 00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\ 5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\ 00,00,00 "nwiz"="nwiz.exe /install" "NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit" "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" "MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "UpdReg"="C:\\WINDOWS\\UpdReg.EXE" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "PDUiP6000DTskbr"="C:\\Program Files\\Canon\\Memory Card Utility\\PIXMA iP6000D\\PDUiP6000DTskbr.exe" "PDUiP6000DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\PIXMA iP6000D\\PDUiP6000DMon.exe" "PCSuiteTrayApplication"="D:\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup" "P17Helper"="Rundll32 P17.dll,P17Helper" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "iTunesHelper"="\"D:\\iTunes\\iTunesHelper.exe\"" "Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon" "CTSysVol"="C:\\Program Files\\Creative SBAudigy\\Surround Mixer\\CTSysVol.exe /r" "SunServer"="D:\\CounterSpy\\sunserver.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnceEx] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE" ---------------------------------------------------------------------------- Listing MSCONFIG Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state] "system.ini"=dword:00000000 "win.ini"=dword:00000000 "bootini"=dword:00000000 "services"=dword:00000000 "startup"=dword:00000000 ---------------------------------------------------------------------------- Listing ModuleUsage Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/bdoscandel.exe] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/bdoscandellang.ini] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/accounttracking.dll] ".Owner"="{4E62C4DE-627D-4604-B157-4B7D6B09F02E}" "{4E62C4DE-627D-4604-B157-4B7D6B09F02E}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/asinst.dll] ".Owner"="{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"="" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/bdcore.dll] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/bdupd.dll] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/frontdoorFD.DLL] ".Owner"="{0A43D7AC-D6C1-4622-B309-BF975F427C0E}" "{0A43D7AC-D6C1-4622-B309-BF975F427C0E}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ipsupd.dll] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/lang.ini] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/libfn.dll] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/live.ini] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/oscan8.ocx] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/oscan81.ocx_x] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/scanoptions.tsi] ".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/muweb.dll] ".Owner"="{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}" "{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll] ".Owner"="Unknown Owner" ---------------------------------------------------------------------------- Listing HKCU Policies Registry Keys ---------------------------------------------------------------------------- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=hex:91,00,00,00 ---------------------------------------------------------------------------- Listing HKLM Policies Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 ---------------------------------------------------------------------------- Listing BHO Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] @="" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}] 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EC8255F-E043-4cae-8B3B-B191550C2A22}] @="McAfee PopupKiller" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] "NoExplorer"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] ---------------------------------------------------------------------------- Listing SharedTaskScheduler Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" ---------------------------------------------------------------------------- Listing ShellExecuteHooks Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" "{076394AD-7FDD-44EF-A075-32C68DBAB99B}"="" ---------------------------------------------------------------------------- Listing ShellServiceObjectDelayLoad Registry Keys ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" 
---------------------------------------------------------------------------- Listing Default URL Prefix Keys - a possible hijack point ---------------------------------------------------------------------------- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix] @="http://" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes] "ftp"="ftp://" "gopher"="gopher://" "home"="http://" "mosaic"="http://" "www"="http://" ---------------------------------------------------------------------------- HKEY_CURRENT_USER ZoneMap ProtocolDefaults ---------------------------------------------------------------------------- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] @="" "http"=dword:00000003 "https"=dword:00000003 "ftp"=dword:00000003 "file"=dword:00000003 "@ivt"=dword:00000001 "shell"=dword:00000000 ---------------------------------------------------------------------------- Miscellaneous Malware Detection Report (signature checks for the specific families named below only; a clean result here does not mean the system is free of malware) ---------------------------------------------------------------------------- List of Malware found in SharedTaskScheduler ------------------------------------------------------------------------ No Malware found in SharedTaskScheduler ------------------------------------------------------------------------ List of Malware found in C:\WINDOWS\system32 ------------------------------------------------------------------------ No Malware found in C:\WINDOWS\system32 ------------------------------------------------------------------------ Check for Troj-Torpig-D,E,J Keylogger ------------------------------------------------------------------------ Troj-Torpig-D,E,J Keylogger was not found ------------------------------------------------------------------------ Looking for winlogonhook/conhook trojan ------------------------------------------------------------------------ winlogonhook/conhook key not found ------------------------------------------------------------------------