Thread: Help, my HJT log

    I recently had my world of warcraft account hacked and I'd like to make sure that my computer is clean. This is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:44:02 PM, on 4/16/2007
    Platform: Windows 2003 SP1 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe
    C:\Program Files\Logitech\SetPoint\SetPoint32.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files (x86)\Common Files\AOL\1157144130\ee\AOLSoftware.exe
    C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
    C:\Program Files (x86)\QuickTime\qttask.exe
    C:\Program Files (x86)\Winamp\winampa.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe
    C:\Program Files (x86)\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files (x86)\VentSrv\ventrilo_svc.exe
    C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    C:\Program Files (x86)\VentSrv\ventrilo_srv.exe
    C:\Program Files (x86)\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files (x86)\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe
    C:\Program Files (x86)\WinRAR\RarExtLoader.exe

    F2 - REG:system.ini: UserInit=userinit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files (x86)\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [HostManager] "C:\Program Files (x86)\Common Files\AOL\1157144130\ee\AOLSoftware.exe"
    O4 - HKLM\..\Run: [IPHSend] "C:\Program Files (x86)\Common Files\AOL\IPHSend\IPHSend.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - Global Startup: Color Calibration.lnk.disabled
    O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CB0EAF4-72F6-44D2-B966-989774939998}: NameServer =
    O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
    O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
    O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
    O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
    O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
    O23 - Service: Ventrilo - Unknown owner - C:\Program Files (x86)\VentSrv\ventrilo_svc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

    /bump for great justice

    Quote Originally Posted by jrl1121 View Post
    /bump for great justice
    If you have waited FOUR days for advice post here.
    hi jrl1121,

    dont see any malware in the log. this probably slipped in with AOL software:
    Viewpoint Manager, worthless foistware, you can uninstall it via add/remove programs panel.
    have you been to windows update lately?

    is that a 64bit version of windows?

    shelf life
    How Can I Reduce My Risk?

    yes, it's the 64-bit version of windows.

    I have the latest security updates for it, etc.

    I didn't know if it was infected or not, but it looks more probable at this point that my computer was not compromised and the hacked got access to the account by some other means. Thanks for helping to make sure of this though.

    hi jrl1121,

    you can always do a online scan for another opinion:

    BitDefender Free Online Virus Scan
    check AutoClean under Scan Options.

    * Once you are on the Panda site click the Scan your PC button
    * A new window will the Check Now button
    * Enter your Country
    * Enter your State/Province
    * Enter your e-mail address and click send (use a fake e-mail)
    * Select either Home User or Company
    * Click the big Scan Now button
    * If it wants to install an ActiveX component allow it
    * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    * When download is complete, click on My Computer to start the scan
    * When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Housecall at TrendMicro
    How Can I Reduce My Risk?

