
Thread: Help, my HJT log

  1. #1
    Junior Member
    Join Date: Apr 2007
    Posts: 3

    Hello,

    I recently had my world of warcraft account hacked and I'd like to make sure that my computer is clean. This is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:44:02 PM, on 4/16/2007
    Platform: Windows 2003 SP1 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\SysWOW64\ctfmon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files (x86)\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\WINDOWS\SysWOW64\CTXFISPI.EXE
    C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe
    C:\Program Files\Logitech\SetPoint\SetPoint32.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files (x86)\Common Files\AOL\1157144130\ee\AOLSoftware.exe
    C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
    C:\Program Files (x86)\QuickTime\qttask.exe
    C:\Program Files (x86)\Winamp\winampa.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe
    C:\Program Files (x86)\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\SysWOW64\CTsvcCDA.EXE
    C:\Program Files (x86)\VentSrv\ventrilo_svc.exe
    C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    C:\Program Files (x86)\VentSrv\ventrilo_srv.exe
    C:\Program Files (x86)\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files (x86)\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\HijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=userinit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files (x86)\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [HostManager] "C:\Program Files (x86)\Common Files\AOL\1157144130\ee\AOLSoftware.exe"
    O4 - HKLM\..\Run: [IPHSend] "C:\Program Files (x86)\Common Files\AOL\IPHSend\IPHSend.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - Global Startup: Color Calibration.lnk.disabled
    O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129494443703
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CB0EAF4-72F6-44D2-B966-989774939998}: NameServer = 192.168.1.1
    O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
    O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
    O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
    O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
    O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files (x86)\VentSrv\ventrilo_svc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
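The log above is a list of "Section - detail" items (O2 browser helper objects, O4 autostarts, O17 DNS settings, O23 services), and the questions a reviewer asks of it are mechanical enough to script. The Python below is an added example, not code from the thread or from the HijackThis project: it parses lines in the same layout as the log, then flags the items a reviewer would check by hand (unnamed BHOs, O4 entries that give only a bare executable name, DNS servers outside private ranges, and O23 services whose binary is reported missing). The `wow64` switch encodes a fact the later replies circle around: HijackThis 1.99.1 is a 32-bit program, and on 64-bit Windows file-system redirection sends its view of `system32` to `SysWOW64`, so "(file missing)" on native system32 services is expected noise rather than evidence of tampering. The sample log is constructed from a few lines of the post; function names and the finding texts are the example's own.

```python
import re
from ipaddress import ip_address

# One "Sxx - detail" HijackThis item line, e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(?P<section>[FORN]\d{1,2}) - (?P<detail>.+)$")
# O4 autostart: "[ValueName] command line".
HJT_O4 = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O17: the DNS servers configured for an interface.
HJT_O17 = re.compile(r"NameServer = (?P<servers>.+)$")

# Constructed sample in the HijackThis 1.99.1 layout (lines taken from the log above).
SAMPLE_LOG = "\n".join([
    r"Running processes:",
    r"C:\HijackThis\HijackThis.exe",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4CB0EAF4-72F6-44D2-B966-989774939998}: NameServer = 192.168.1.1",
    r"O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe",
])


def parse_hjt(text):
    """Return (section, detail) pairs for every HijackThis item line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def executable_of(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review_entries(entries, wow64=False):
    """Flag items a reviewer would verify by hand.

    wow64=True means the log came from the 32-bit HijackThis on 64-bit Windows,
    where file-system redirection points its view of system32 at SysWOW64, so
    '(file missing)' on a native system32 service binary is expected, not suspicious.
    """
    findings = []
    for section, detail in entries:
        if section == "O2" and detail.startswith("BHO: (no name)"):
            findings.append((section, "unnamed BHO: identify the CLSID and the DLL", detail))
        elif section == "O4":
            m = HJT_O4.search(detail)
            # A bare name like CTHELPER.EXE is resolved by PATH search, so confirm which file runs.
            if m and "\\" not in executable_of(m.group("cmd")):
                findings.append((section, "bare executable name, located via PATH search: confirm which file runs", detail))
        elif section == "O17":
            m = HJT_O17.search(detail)
            if m:
                for server in re.split(r"[,\s]+", m.group("servers").strip()):
                    try:
                        private = ip_address(server).is_private
                    except ValueError:
                        private = False
                    if not private:
                        findings.append((section, f"DNS server {server} is not on a private range: confirm it is expected", detail))
        elif section == "O23" and detail.endswith("(file missing)"):
            if wow64 and "\\system32\\" in detail.lower():
                continue  # explained by WOW64 redirection, not by a missing service binary
            findings.append((section, "service binary not found at the listed path", detail))
    return findings


if __name__ == "__main__":
    for section, reason, detail in review_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {detail}")
```

Run it once with `wow64=False` and once with `wow64=True` on the same entries and the Event Log service drops out of the findings; what remains (the unnamed BHO and the bare `CTHELPER.EXE` autostart) is the short list worth confirming against the actual files on disk.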

  2. #2
    Junior Member
    Join Date: Apr 2007
    Posts: 3

    /bump for great justice

  3. #3
    tashi, Member of Team Spybot
    Join Date: Oct 2005
    Location: USA
    Posts: 32,510

    Quote Originally Posted by jrl1121:
    > /bump for great justice

    If you have waited FOUR days for advice, post here.
    Microsoft MVP. Consumer Security 2006-2014


  4. #4
    shelf life, Security Expert
    Join Date: Nov 2005
    Location: @localhost
    Posts: 6,073

    Hi jrl1121,

    Don't see any malware in the log. This probably slipped in with AOL software:
    Viewpoint Manager, worthless foistware; you can uninstall it via the Add/Remove Programs panel.
    Have you been to Windows Update lately?

    Is that a 64-bit version of Windows?

    shelf life
    How Can I Reduce My Risk?

  5. #5
    Junior Member
    Join Date: Apr 2007
    Posts: 3

    Yes, it's the 64-bit version of Windows.

    I have the latest security updates for it, etc.

    I didn't know if it was infected or not, but it looks more probable at this point that my computer was not compromised and the hacker got access to the account by some other means. Thanks for helping to make sure of this, though.

  6. #6
    shelf life, Security Expert
    Join Date: Nov 2005
    Location: @localhost
    Posts: 6,073

    Hi jrl1121,

    You can always do an online scan for another opinion:

    BitDefender Free Online Virus Scan
    http://www.bitdefender.com/scan/licence.php
    Check AutoClean under Scan Options.

    http://www.pandasoftware.com/products/activescan.htm

    * Once you are on the Panda site click the Scan your PC button
    * A new window will open...click the Check Now button
    * Enter your Country
    * Enter your State/Province
    * Enter your e-mail address and click send (use a fake e-mail)
    * Select either Home User or Company
    * Click the big Scan Now button
    * If it wants to install an ActiveX component allow it
    * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    * When download is complete, click on My Computer to start the scan
    * When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Housecall at TrendMicro
    http://housecall.trendmicro.com/hous...start_corp.asp
    How Can I Reduce My Risk?
