Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home
Re: windows script hosting keeps popping up! [Moved From General Security]
Posted so I can read it better. Don't really need the before.
Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-29 11:57:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 447 MiB (512 MiB recommended).
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:21 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XP')
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'XP')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 5299 bytes
-- Files created between 2007-10-29 and 2007-11-29 -----------------------------
2007-11-29 11:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-29 11:34:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-29 11:34:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-29 11:34:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-29 11:34:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-29 11:34:47 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 13:40:33 0 d-------- C:\Program Files\Trend Micro
2007-11-28 11:10:46 0 d-------- C:\Program Files\Spyware Doctor
2007-11-28 11:10:46 0 d-------- C:\Documents and Settings\XP\Application Data\PC Tools
2007-11-28 11:10:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 11:09:29 0 d-------- C:\Program Files\Lavasoft
2007-11-28 11:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 11:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-11-27 14:53:09 0 d-------- C:\Documents and Settings\XP\Application Data\U3
2007-11-27 12:35:57 0 d-------- C:\WINDOWS\pss
2007-11-27 12:21:27 0 d-------- C:\Program Files\Alwil Software
2007-11-10 12:58:12 0 d-------- C:\Documents and Settings\XP\Application Data\funkitron
2007-10-31 14:29:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-31 14:28:31 0 d--h----- C:\Documents and Settings\XP\InstallAnywhere
2007-10-31 12:29:47 0 d-------- C:\Documents and Settings\XP\Application Data\Macromedia
2007-10-31 12:29:17 0 d-------- C:\Program Files\GameHouse
-- Find3M Report ---------------------------------------------------------------
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files
2007-10-31 14:35:32 0 d-------- C:\Program Files\Sports Interactive
2007-10-25 08:22:30 0 d-------- C:\Program Files\FM Modifier 2.1
2007-10-22 15:39:04 0 d-------- C:\Program Files\Musicmatch
2007-10-22 15:33:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-22 15:30:22 1306 --a------ C:\Program Files\INSTALL.LOG
2007-10-20 11:18:07 0 d-------- C:\Program Files\KONAMI
2007-10-20 11:15:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 11:12:10 0 d-------- C:\Program Files\Game
2007-10-20 10:29:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-18 15:02:12 17 --a------ C:\WINDOWS\popcinfo.dat
2007-10-01 18:07:54 0 d-------- C:\Program Files\Stock
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [02/06/2007 06:30 AM C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [09/21/2006 03:36 PM C:\WINDOWS\system32\VTTimer.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 PM C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 02:03 PM C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 03:04 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 03:04 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [08/14/2007 05:02 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 08:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 06:04 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/1/2007 11:23:55 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
-- End of Deckard's System Scanner: finished at 2007-11-29 11:57:53 ------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005
Proud Member of UNITE since 2006