"Silent Runners.vbs", revision 58,
http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Jnskdfmf9eldfd" = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe" [file not found]
"[system]" = "C:\WINDOWS\system32\drivers\services.exe" [file not found]
"winlogon" = "C:\Documents and Settings\Administrator\svchost.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"[system]" = "C:\WINDOWS\system32\drivers\services.exe" [file not found]
"winlogon" = "C:\Documents and Settings\Peggy\svchost.exe" [file not found]
"service.exe" = "C:\WINDOWS\system32\service.exe" [file not found]
"C:\WINDOWS\system32\kdhqf.exe" = "C:\WINDOWS\system32\kdhqf.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"K7SystemTray" = ""C:\Program Files\K7 Computing\Common\K7SysTry.exe"" ["K7 Computing Pvt Ltd"]
"K7TSStart" = ""C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe"" ["K7 Computing Pvt Ltd"]
"007ca80e" = "rundll32.exe "C:\WINDOWS\system32\owcsbrya.dll",b" [MS]
"BM034f9b92" = "Rundll32.exe "C:\WINDOWS\system32\wdmpcfbe.dll",s" [MS]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Address Book 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -BaseSettings" [MS]
{89B4C1CD-B018-4511-B0A1-5476DBF70820}\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{5F0D1F1B-7161-4FC0-9C72-213C146788C1}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnnLfGY.dll" [null data]
{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\khfEVmlk.dll" [null data]
{C5AF49A2-94F3-42BD-F434-2604812C897D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]
{d717b292-951d-4dfc-ad84-e4d3fcce9690}\(Default) = "{0969eccf-3d4e-48da-cfd4-d159292b717d}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fcsmpu.dll" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NVCPL.DLL" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{C5AF49A2-94F3-42BD-F434-2604812C897D}" = "jhsf8d984jief8dsfus98jkefn"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\khfEVmlk.dll" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdhqf.exe" [null data]
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\nnnnLfGY"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> khfevmlk\DLLName = "khfEVmlk.dll" [null data]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
k7computing.k7avscanner\(Default) = "{FD23B962-BADB-11D7-B0FE-00C026A19B93}"
-> {HKLM...CLSID} = "K7AVPEExplorerExtn Class"
\InProcServer32\(Default) = "C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7AVSExt.dll" ["K7 Computing Pvt Ltd"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
k7computing.k7avscanner\(Default) = "{FD23B962-BADB-11D7-B0FE-00C026A19B93}"
-> {HKLM...CLSID} = "K7AVPEExplorerExtn Class"
\InProcServer32\(Default) = "C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7AVSExt.dll" ["K7 Computing Pvt Ltd"]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "C:\WINDOWS\system32\drivers\services.exe "%1" %*" [file not found]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{Removes the Folder Options menu item from the Tools menu}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{Prevent access to registry editing tools}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\
"Disable Config" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
CTPlayAudioOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]
TVPPlayDVDMovieOnArrival\
"Provider" = "Total Video Player"
"InvokeProgID" = "totalplayer.dvd"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\(Default) = "C:\Program Files\Total Video Converter\tvp.exe -dvd %1" [file not found]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\K7WSLsp.dll ["K7 Computing Pvt. Ltd."], 01 - 19, 39
%SystemRoot%\system32\mswsock.dll [MS], 20 - 22, 25 - 38
%SystemRoot%\system32\rsvpsp.dll [MS], 23 - 24
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{D49E9D35-254C-4C6A-9D17-95018D228FF5}" = "Starware"
-> {HKLM...CLSID} = "Starware"
\InProcServer32\(Default) = "C:\Program Files\Starware\bin\Starware.dll" ["Starware"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{2D51D869-C36B-42BD-AE68-0A81BC771FA5}\(Default) = "Starware"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Starware\bin\Starware.dll" ["Starware"]
HKLM\SOFTWARE\Classes\CLSID\{7BED0340-176B-44BC-915E-C21C1DD6F617}\(Default) = "Starware"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Starware\bin\Starware.dll" ["Starware"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Application Management, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" [file not found]
K7Computng - EMail Proxy Server, k7emlpxy, "C:\Program Files\K7 Computing\Common\K7EmlPxy.exe" ["K7 Computing Pvt Ltd"]
K7Firewall Services, k7fwsrvc, "C:\Program Files\K7 Computing\K7TSecurity\K7FireWall\K7FWSrvc.exe" ["K7 Computing Pvt Ltd"]
K7Privacy Services, k7pssrvc, "C:\Program Files\K7 Computing\K7TSecurity\K7Privacy\K7PSSrvc.exe" ["K7 Computing Pvt Ltd"]
K7RealTime AntiVirus Services, k7rtscan, "C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe" ["K7 Computing Pvt Ltd"]
K7SpmSrc, k7spmsrc, "C:\Program Files\K7 Computing\K7TSecurity\K7AntiSpam\K7SpmSrc.exe" ["K7 Computing Pvt Ltd"]
K7TotalSecurity Manager, k7tsmngr, "C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe" ["K7 Computing Pvt Ltd"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [file not found]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\system32\drivers\services.exe" [file not found]
Windows Media Connect (WMC), WmcCds, "c:\program files\windows media connect\mswmccds.exe" [MS]
Windows Media Connect (WMC) Helper, WmcCdsLs, "C:\Program Files\Windows Media Connect\mswmcls.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
---------- (launch time: 2008-07-05 15:15:15)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 94 seconds.
---------- (total run time: 177 seconds)