

windows script hosting keeps popping up! [Moved From General Security]

This is a discussion on windows script hosting keeps popping up! [Moved From General Security] within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hi, all. My pc keeps popping up 'windows script hosting' window and 'My documents' window on every startup after logging


 
 
Old 11-27-2007, 10:49 PM   #1
Guest
 
Join Date: Sep 2007
Posts: 37
OS:


Question

Hi, all.

My PC keeps popping up a 'windows script hosting' window and a 'My documents' window on every startup after logging in. Well, it's not really irritating, but I prefer not to have them, if possible. My PC started behaving like this after I installed Avast! Home Edition, which is not the cause, I guess, as that wasn't the first time I installed Avast antivirus; I have already installed that AV on many other computers before.

I've tried finding such entries in 'startup' and also in 'msconfig', but I can't find any of them.

Could anyone help me with the problem that I am having with the pop-up thing?
Any troubleshooting/suggestion is very much welcomed.


Regards,
F I F I.

P.S. Here is the HijackThis Logfile in case it's needed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:14 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5235 bytes
Attached Files
File Type: txt hijackthis0.txt (5.1 KB, 62 views)
 
Old 11-28-2007, 01:49 PM   #2
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hi FIFI -

HijackThis logs are only to be posted in this forum. I've moved your thread.

I can see what's likely causing that, but the question remains ... "Why is it there?" For that, more info is required.

First....

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
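The F2 entry the analyst singles out is a Winlogon Userinit persistence point: Windows treats that value as a comma-separated list and runs every program in it at each interactive logon, so an extra wscript.exe there starts on every login. As an added example (not code from this thread, HijackThis or DSS), here is a small Python checker that parses HijackThis F2 UserInit lines and flags any component other than the expected userinit.exe; the sample log lines are constructed from the thread's own F2 entry.

```python
"""Flag unexpected programs in a Windows Winlogon 'Userinit' value.

Added example, not from the forum thread or from HijackThis/DSS. It parses the
comma-separated Userinit value (as shown in the thread's F2 and registry-dump
lines) and reports every component other than the expected userinit.exe.
"""
import re

# The only program Windows itself places in Userinit. Anything else is an
# additional executable launched by Winlogon at every interactive logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches the HijackThis F2 line form seen in the thread:
#   F2 - REG:system.ini: UserInit=<value>
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


def normalise(path: str) -> str:
    """Lower-case, strip quotes/whitespace, and qualify a bare 'userinit.exe'."""
    p = path.strip().strip('"').lower()
    # A bare 'userinit.exe' resolves from the system directory at logon.
    if p == "userinit.exe":
        p = EXPECTED_USERINIT
    return p


def split_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit value into its non-empty components.

    The default value 'userinit.exe,' ends with a comma, which yields an
    empty trailing field that must be ignored.
    """
    return [part for part in (p.strip() for p in value.split(",")) if part]


def unexpected_userinit_entries(value: str) -> list[str]:
    """Return the components of a Userinit value that are not userinit.exe."""
    return [p for p in split_userinit(value) if normalise(p) != EXPECTED_USERINIT]


def check_hjt_log(log_text: str) -> dict[str, list[str]]:
    """Scan HijackThis log text for F2 UserInit lines.

    Returns a mapping from each F2 line found to the list of extra logon
    executables it contains (an empty list means the value is clean).
    """
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if m:
            findings[line.strip()] = unexpected_userinit_entries(m.group("value"))
    return findings


# Constructed sample: the F2 line from the thread between two unrelated lines.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wscript.exe,userinit.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

if __name__ == "__main__":
    for f2_line, extra in check_hjt_log(SAMPLE_LOG).items():
        print(("SUSPICIOUS: " if extra else "ok: ") + f2_line)
        for exe in extra:
            print("    extra logon executable: " + exe)
```

The same split-and-compare works on the raw registry value from the DSS dump (the "Userinit" string under the winlogon key), since HijackThis reports exactly that value.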
Old 11-28-2007, 09:43 PM   #3
Guest
 
Join Date: Sep 2007
Posts: 37
OS:



I guess I really need to say sorry to you, as I didn't pay attention to your instructions.

I did the DSS scan first, before I fixed the entry that you told me to fix in the HijackThis scan.
Once I realized that I hadn't fixed that particular entry in HJT, I went back to fix-check the entry directly, then I double-clicked dss.exe again from the desktop, hoping to get main.txt as well as extra.txt as the reports to post back here. Unfortunately, this second scan, done after the first scan (before fixing the HJT entry, which produced main.txt and extra.txt) and after fixing the HJT entry (F2 - REG:system.ini:…), only popped up main.txt as the text file.

So, instead of attaching one file, I am going to attach two files. One is the 'extra.txt' file and the other is 'main_after.txt' (which was taken after running the DSS scan for the second time, after fixing the HJT entry).

I hope you understand what I mean. Anyway, here is a summary of what I actually did:
1. I downloaded DSS, saved it to the desktop, then ran it, which produced the 'main.txt' (which I have now renamed main_before.txt) and 'extra.txt' text files.
2. Then I realized that I should have fix-checked the HJT entry that you told me to, so I went back, did the scan only with HJT, and fix-checked that entry.
3. I ran DSS once again (hoping to get new text files after fixing that entry), but it only popped up 'main.txt' (which I have now renamed main_after.txt), no 'extra.txt' file.


Here is the 'main_before.txt' file (taken the very first time, before fixing the HJT entry):

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-29 11:43:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-11-29 19:43:59 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-11-28 19:09:27 UTC - RP2 - Installed Ad-Aware 2007
1: 2007-11-28 19:07:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:08 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XP')
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'XP')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5537 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>

S3 st3bus28 - c:\windows\system32\drivers\st3bus28.sys (file missing)
S3 st3mp28 - c:\windows\system32\drivers\st3mp28.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: ST3MP28 SCSI Controller
Device ID: ROOT\*ST3L28\0000
Manufacturer: (Standard mass storage controllers)
Name: ST3MP28 SCSI Controller
PNP Device ID: ROOT\*ST3L28\0000
Service: st3mp28

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play BIOS Extension
Device ID: ROOT\SYSTEM\0003
Manufacturer: (Standard system devices)
Name: Plug and Play BIOS Extension
PNP Device ID: ROOT\SYSTEM\0003
Service: st3bus28


-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-29 11:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-29 11:34:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-29 11:34:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-29 11:34:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-29 11:34:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-29 11:34:47 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 13:40:33 0 d-------- C:\Program Files\Trend Micro
2007-11-28 11:10:46 0 d-------- C:\Program Files\Spyware Doctor
2007-11-28 11:10:46 0 d-------- C:\Documents and Settings\XP\Application Data\PC Tools
2007-11-28 11:10:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 11:09:29 0 d-------- C:\Program Files\Lavasoft
2007-11-28 11:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 11:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-11-27 14:53:09 0 d-------- C:\Documents and Settings\XP\Application Data\U3
2007-11-27 12:35:57 0 d-------- C:\WINDOWS\pss
2007-11-27 12:21:27 0 d-------- C:\Program Files\Alwil Software
2007-11-10 12:58:12 0 d-------- C:\Documents and Settings\XP\Application Data\funkitron
2007-10-31 14:29:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-31 14:28:31 0 d--h----- C:\Documents and Settings\XP\InstallAnywhere
2007-10-31 12:29:47 0 d-------- C:\Documents and Settings\XP\Application Data\Macromedia
2007-10-31 12:29:17 0 d-------- C:\Program Files\GameHouse


-- Find3M Report ---------------------------------------------------------------

2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files
2007-10-31 14:35:32 0 d-------- C:\Program Files\Sports Interactive
2007-10-25 08:22:30 0 d-------- C:\Program Files\FM Modifier 2.1
2007-10-22 15:39:04 0 d-------- C:\Program Files\Musicmatch
2007-10-22 15:33:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-22 15:30:22 1306 --a------ C:\Program Files\INSTALL.LOG
2007-10-20 11:18:07 0 d-------- C:\Program Files\KONAMI
2007-10-20 11:15:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 11:12:10 0 d-------- C:\Program Files\Game
2007-10-20 10:29:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-18 15:02:12 17 --a------ C:\WINDOWS\popcinfo.dat
2007-10-01 18:07:54 0 d-------- C:\Program Files\Stock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [02/06/2007 06:30 AM C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [09/21/2006 03:36 PM C:\WINDOWS\system32\VTTimer.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 PM C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 02:03 PM C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 03:04 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 03:04 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [08/14/2007 05:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 08:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 06:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/1/2007 11:23:55 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe,userinit.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2007-11-29 11:45:48 ------------


And here are the two attached files:
Attached Files
File Type: txt extra.txt (11.4 KB, 45 views)
File Type: txt main_after.txt (11.0 KB, 44 views)
 
Old 11-28-2007, 10:26 PM   #4
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Posted so I can read it better. Don't really need the before.

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-29 11:57:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:21 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XP')
O4 - HKUS\S-1-5-21-1454471165-706699826-682003330-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'XP')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5299 bytes

-- Files created between 2007-10-29 and 2007-11-29 -----------------------------

2007-11-29 11:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-29 11:34:48 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-29 11:34:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-29 11:34:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-29 11:34:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-29 11:34:47 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-29 11:34:47 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-29 11:34:47 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-29 11:34:47 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 13:40:33 0 d-------- C:\Program Files\Trend Micro
2007-11-28 11:10:46 0 d-------- C:\Program Files\Spyware Doctor
2007-11-28 11:10:46 0 d-------- C:\Documents and Settings\XP\Application Data\PC Tools
2007-11-28 11:10:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 11:09:29 0 d-------- C:\Program Files\Lavasoft
2007-11-28 11:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 11:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-11-27 14:53:09 0 d-------- C:\Documents and Settings\XP\Application Data\U3
2007-11-27 12:35:57 0 d-------- C:\WINDOWS\pss
2007-11-27 12:21:27 0 d-------- C:\Program Files\Alwil Software
2007-11-10 12:58:12 0 d-------- C:\Documents and Settings\XP\Application Data\funkitron
2007-10-31 14:29:09 0 d--h----- C:\Program Files\Zero G Registry
2007-10-31 14:28:31 0 d--h----- C:\Documents and Settings\XP\InstallAnywhere
2007-10-31 12:29:47 0 d-------- C:\Documents and Settings\XP\Application Data\Macromedia
2007-10-31 12:29:17 0 d-------- C:\Program Files\GameHouse


-- Find3M Report ---------------------------------------------------------------

2007-11-28 11:08:59 0 d-------- C:\Program Files\Common Files
2007-10-31 14:35:32 0 d-------- C:\Program Files\Sports Interactive
2007-10-25 08:22:30 0 d-------- C:\Program Files\FM Modifier 2.1
2007-10-22 15:39:04 0 d-------- C:\Program Files\Musicmatch
2007-10-22 15:33:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-22 15:30:22 1306 --a------ C:\Program Files\INSTALL.LOG
2007-10-20 11:18:07 0 d-------- C:\Program Files\KONAMI
2007-10-20 11:15:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-10-20 11:12:10 0 d-------- C:\Program Files\Game
2007-10-20 10:29:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-18 15:02:12 17 --a------ C:\WINDOWS\popcinfo.dat
2007-10-01 18:07:54 0 d-------- C:\Program Files\Stock


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTrayp"="VTtrayp.exe" [02/06/2007 06:30 AM C:\WINDOWS\system32\VTTrayp.exe]
"VTTimer"="VTTimer.exe" [09/21/2006 03:36 PM C:\WINDOWS\system32\VTTimer.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 05:04 PM C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/26/2007 02:03 PM C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 03:04 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 03:04 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 03:03 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 07:24 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [08/14/2007 05:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 08:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 06:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [8/1/2007 11:23:55 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2007-11-29 11:57:53 ------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 11-28-2007, 10:29 PM   #5
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



I don't see any active infection. Did the scripting popup stop?

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 11-29-2007, 01:08 AM   #6
Guest
 
Join Date: Sep 2007
Posts: 37
OS:



really sorry again this time, tetonbob...

This computer of mine is not connected to internet. In fact, no connection at all ...I use my friend's computer to post in this forum.

Is there any other way to troubleshoot this scripting pop up, without performing the online scan? (the 'windows script hosting' and 'my documents' windows still pop up on every boot).
FIFI is offline  
Old 11-29-2007, 07:38 AM   #7
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Well, to rule out malware as the cause, because I'm not sure it is, I'd like to get some sort of scanner run on the machine which provides me with useful output.

Assuming you're transporting logs from the affected machine to your friend's machine with a USB stick or other removable media, we can use this freestanding scanner to accomplish the same thing.

Download this to removable media, and transport it to the affected machine.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click the drweb-cureit.exe file.
  • Click on Start, and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects, Infected Packages and Malware to Report, then click OK
  • Next, tick the Complete Scan radio button.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Ignore and close any windows which open, prompting you to buy DrWeb.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
tetonbob is offline  
Old 11-29-2007, 07:52 AM   #8
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hi FIFI -

Also, please do this: create this batch on the friend's machine, and carry it to the affected machine, so you can copy/paste and not potentially cause any syntax errors.

Open notepad and copy/paste the text in the codebox below into it:

Code:
@echo off
rem remove any report left over from an earlier run
If exist C:\peek.txt del /q /s C:\peek.txt
rem export the current user's Winlogon key as REGEDIT4 text into C:\peek.txt
regedit /a C:\peek.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
rem open the export so it can be copied into the reply
start notepad C:\peek.txt

Save this as peek.bat. Choose "Save type as - All Files".
It should look like this:

Carry this batch to the affected machine.

Double click on peek.bat & allow it to run

Post back the contents of the notepad file which opens.
tetonbob is offline  
Old 11-29-2007, 09:31 PM   #9
Guest
 
Join Date: Sep 2007
Posts: 37
OS:



Short scan resulted in no virus found.

Complete scan resulted in one virus found--it is on the removable media that I use to transfer files from the affected comp to my friend's--

What is shocking is that the scripting is now gone, I don't know how or why, do you?
However there is one new thing that I find quite disturbing: after booting and loading desktop icons, my pc takes around 1-2 minutes to be able to access files, which used to be only 20-30 seconds of loading. Is there a new problem here?

Here is the Dr.Web report:
killVBS.vbs F:\ VBS.Generic.553


report from the new batch (peek.bat) file:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="1"
"ExcludeProfileDirs"="Local Settings;Temporary Internet Files;History;Temp"
"BuildNumber"=dword:00000a28



Was it because of the removable media that I got the scripting pop-ups?
I do have a real time antivirus and Spyware Doctor...how could it not be detected by them then?

Anyway, what to do next? Is it done?
FIFI is offline  
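As an added example that is not part of the thread or tetonbob's batch, the Python below parses the REGEDIT4 text that peek.bat's `regedit /a` writes (post #8) and flags Winlogon values that a clean key should not carry, using a sample shaped like the export in post #9. The allowlist of expected value names and the tampered sample are this example's assumptions, not the helper's.

```python
# Added example, not from the thread: parse the REGEDIT4 text that peek.bat's
# "regedit /a" writes and flag Winlogon values that do not belong there.
import re

# Values a clean HKCU\...\Winlogon key normally carries (this allowlist is the
# example's assumption, not the helper's); anything else is reported.
KNOWN_BENIGN = {"ParseAutoexec", "ExcludeProfileDirs", "BuildNumber"}
# Data that would hand control to a script host at logon.
SCRIPT_HINTS = re.compile(r"wscript|cscript|\.vbs\b|\.js\b|\.wsf\b", re.IGNORECASE)
_VALUE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')


def parse_regedit4(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # unescape REG_SZ
            keys[current][m.group("name") or "@"] = data
    return keys


def suspicious_winlogon_values(text):
    """Winlogon value names that are off the allowlist or point at a script."""
    findings = []
    for path, values in parse_regedit4(text).items():
        if not path.lower().endswith("\\winlogon"):
            continue
        for name, data in values.items():
            if name not in KNOWN_BENIGN or SCRIPT_HINTS.search(data):
                findings.append(name)
    return sorted(findings)


# Constructed samples: CLEAN mirrors the export posted in the thread; TAMPERED
# adds one value that would launch a .vbs through wscript at logon.
CLEAN = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"ParseAutoexec"="1"
"ExcludeProfileDirs"="Local Settings;Temporary Internet Files;History;Temp"
"BuildNumber"=dword:00000a28
"""
TAMPERED = CLEAN + '"Shell"="explorer.exe,wscript.exe C:\\\\example\\\\start.vbs"\n'
```

Running `suspicious_winlogon_values` over the thread's own export returns nothing, which matches tetonbob's reading of it; a value that names a script host or is not on the allowlist is returned for review.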
Old 11-29-2007, 09:37 PM   #10
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Flash drives often fall victim to infection.

Can you delete the file DrWeb found on the removable media?
tetonbob is offline  
Old 11-29-2007, 09:52 PM   #11
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Also, as far as loading times go, it looks like you've added both Ad-Aware and Spyware Doctor recently? They are both fighting for resources on startup, as they are both running services.

Uninstall one, or both, and see what your machine feels like then.
tetonbob is offline  
Old 11-30-2007, 01:14 AM   #12
Guest
 
Join Date: Sep 2007
Posts: 37
OS:



The file found by DrWeb has been deleted.

I already uninstalled Ad-Aware 2007, and my pc starts to behave faster than before it was affected.

I prefer not to uninstall spyware doctor as it is said to be a real time anti spyware. Is that ok?

Thanks for the help given, tetonbob.
FIFI is offline  
Old 11-30-2007, 07:39 AM   #13
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



That's fine. Having the two of them installed at the same time seems to negatively affect some machines.

Empty your Recycle Bin.

Clear your temp files. (Start > Run > cleanmgr)

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------



Think prevention:

https://www.techsupportforum.com/f174...ed-115548.html

Here are some additional utilities that will further enhance your safety.
  • https://www.trillian.cc - Trillian or https://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • https://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • https://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • https://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
Old 11-30-2007, 08:07 PM   #14
Guest
 
Join Date: Sep 2007
Posts: 37
OS:



Ok, that's all then.

Thanks for the articles and also the help given, you are awesome, tetonbob.

Hopefully everything should be ok now, or else I might come and talk to you again here

My gratitude to TSF and all of the people behind the scene.
You're doing a great job, guys!
FIFI is offline  
 
