11-28-2007, 10:43 PM   #3
FIFI
Registered User
 
Join Date: Sep 2007
Posts: 37
OS: Win XP


Re: windows script hosting keeps popping up! [Moved From General Security]

I guess I really have to say sorry to you, as I didn't pay attention to your instructions.

I did the DSS scan first, before I fixed the entry in HijackThis that you told me to fix.
Once I realized that I hadn't fixed that particular entry in HJT, I went back and fix-checked the entry directly… then I double-clicked dss.exe again on the desktop, hoping to get main.txt as well as extra.txt as the reports to post back here. Unfortunately, this second scan, run after the first scan (which had produced main.txt and extra.txt) and after fixing the HJT entry (F2 - REG:System.ini: …), only popped up main.txt as the text file.

So, instead of attaching one file, I am going to attach two files. One is the 'extra.txt' file and the other is 'main_after.txt' (which was taken after running the DSS scan for the second time, after fixing the HJT entry).

I hope you understand what I mean. Anyway, here is a summary of what I actually did:
1. I downloaded DSS, saved it to the desktop, then ran it, which produced the 'main.txt' (which I have now renamed main_before.txt) and 'extra.txt' text files.
2. Then I realized that I should have fix-checked the HJT entry that you told me to, so I went back, did a scan with HJT only, and fix-checked that entry.
3. I ran DSS once again (hoping to get new text files after fixing that entry), but it only popped up 'main.txt' (which I have now renamed main_after.txt), and no 'extra.txt' file.


Here is the 'main_before.txt' file (which was taken the very first time, before fixing the HJT entry):

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-29 11:43:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-11-29 19:43:59 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-11-28 19:09:27 UTC - RP2 - Installed Ad-Aware 2007
1: 2007-11-28 19:07:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:08 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XP')
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'XP')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5537 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>

S3 st3bus28 - c:\windows\system32\drivers\st3bus28.sys (file missing)
S3 st3mp28 - c:\windows\system32\drivers\st3mp28.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: ST3MP28 SCSI Controller
Device ID: ROOT\*ST3L28\0000
Manufacturer: (Standard mass storage controllers)
Name: ST3MP28 SCSI Controller
PNP Device ID: ROOT\*ST3L28\0000
Service: st3mp28

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play BIOS Extension
Device ID: ROOT\SYSTEM\0003
Manufacturer: (Standard system devices)
Name: Plug and Play BIOS Extension
PNP Device ID: ROOT\SYSTEM\0003
Service: st3bus28


-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-29 11:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-29 11:34:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-29 11:34:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-29 11:34:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-29 11:34:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-29 11:34:47 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 13:40:33 0 d-------- C:\Program Files\Trend Micro
2007-11-28 11:10:46 0 d-------- C:\Program Files\Spyware Doctor
2007-11-28 11:10:46 0 d-------- C:\Documents and Settings\XP\Application Data\PC Tools
2007-11-28 11:10:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 11:09:29 0 d-------- C:\Program Files\Lavasoft
2007-11-28 11:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 11:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-11-27 14:53:09 0 d-------- C:\Documents and Settings\XP\Application Data\U3
2007-11-27 12:35:57 0 d-------- C:\WINDOWS\pss
2007-11-27 12:21:27 0 d-------- C:\Program Files\Alwil Software
2007-11-10 12:58:12 0 d-------- C:\Documents and Settings\XP\Application Data\funkitron
2007-10-31 14:29:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-31 14:28:31 0 d--h----- C:\Documents and Settings\XP\InstallAnywhere
2007-10-31 12:29:47 0 d-------- C:\Documents and Settings\XP\Application Data\Macromedia
2007-10-31 12:29:17 0 d-------- C:\Program Files\GameHouse


-- Find3M Report ---------------------------------------------------------------

2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files
2007-10-31 14:35:32 0 d-------- C:\Program Files\Sports Interactive
2007-10-25 08:22:30 0 d-------- C:\Program Files\FM Modifier 2.1
2007-10-22 15:39:04 0 d-------- C:\Program Files\Musicmatch
2007-10-22 15:33:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-22 15:30:22 1306 --a------ C:\Program Files\INSTALL.LOG
2007-10-20 11:18:07 0 d-------- C:\Program Files\KONAMI
2007-10-20 11:15:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 11:12:10 0 d-------- C:\Program Files\Game
2007-10-20 10:29:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-18 15:02:12 17 --a------ C:\WINDOWS\popcinfo.dat
2007-10-01 18:07:54 0 d-------- C:\Program Files\Stock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [02/06/2007 06:30 AM C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [09/21/2006 03:36 PM C:\WINDOWS\system32\VTTimer.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 PM C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 02:03 PM C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 03:04 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 03:04 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [08/14/2007 05:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 08:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 06:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/1/2007 11:23:55 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2007-11-29 11:45:48 ------------


And here are the two attached files:
Attached files:
- extra.txt (11.4 KB)
- main_after.txt (11.0 KB)