Onsoft Scan?


#1 TTC



Posted 30 June 2008 - 02:49 PM

Hey all! ^____^;

Recently I was using Skype and got this message:
Posted Image

Steps taken so far:
1. Did not click the link; did not download anything from said text chat.
2. Blocked the user that sent it to me.
3. Switched Skype settings so I could only be text-chatted to by people on my friends list.
4. Deleted said chat from chat history

Seeing that I did have a malware issue in the past (that might have been a false positive), I figured it'd be best to take a deeper look into things to make sure there's nothing in there. Do you think I have anything else to worry about regarding this?

Note the following before checking log
1. I'm in the process of updating my Java; I know it's outdated, because I was told so in another thread.
2. I recently ran the computer in safe mode --> administrator for the first time to do a clean with Spybot, Ad-Aware 2007, and SUPERAntiSpyware (this was before the above message), which may be why the stuff regarding the administrator settings is being picked up by Deckard's System Scanner.
Normally my system runs under the user account, not the administrator.
3. I use Google search every day; I heard about the recent hijack issue Google experienced but I didn't download anything. The browser I use is Firefox.
4. I set my IE to open to a blank page; that's why there's a blank page entry in the log.

Deckard's System Scanner v20071014.68
Run by User on 2008-06-30 15:42:27
Computer is in Normal Mode.

-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:29 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\User\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187973649515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187973716328
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 5880 bytes

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-29 01:49:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-29 01:24:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-29 00:44:36 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-29 00:44:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-29 00:44:36 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-29 00:44:36 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 00:44:36 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-29 00:44:36 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-29 00:44:36 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-29 00:44:36 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-29 00:44:36 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-29 00:44:36 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-29 00:44:36 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-29 00:44:36 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-29 00:44:36 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-29 00:44:35 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-25 20:27:44 0 d-------- C:\Documents and Settings\User\.SunDownloadManager
2008-06-24 08:32:39 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-24 08:32:34 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-24 08:32:34 0 d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-06-23 23:21:36 0 d-------- C:\Program Files\Trend Micro

-- Find3M Report ---------------------------------------------------------------

2008-06-30 15:08:02 0 d-------- C:\Documents and Settings\User\Application Data\Skype
2008-06-30 15:00:52 0 d-------- C:\Program Files\SpeedFan
2008-06-29 21:59:41 0 d-------- C:\Program Files\Lineage II
2008-06-28 11:30:51 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2008-06-24 08:32:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 21:32:34 0 d-------- C:\Documents and Settings\User\Application Data\Ventrilo
2008-05-09 13:20:19 0 d-------- C:\Documents and Settings\User\Application Data\teamspeak2
2008-05-09 13:20:18 0 d-------- C:\Program Files\Teamspeak2_RC2

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

"RTHDCPL"="RTHDCPL.EXE" [08/24/2007 02:12 PM C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/27/2008 05:59 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [09/14/2006 07:55 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Alcmtr"="ALCMTR.EXE" [08/24/2007 02:12 PM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/01/2006 05:22 AM]
"nwiz"="nwiz.exe" [06/01/2006 05:22 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [06/01/2006 05:22 AM C:\WINDOWS\system32\nvmctray.dll]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/20/2007 04:30 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 04:35 PM]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcwPVRReset]
C:\PROGRA~1\WinTV\hcwP1Utl.exe -Quiet -ResetHardware -NotifyResetFailure -KeepTrying

AutoRun\command- K:\Programs\nu2menu\nu2menu.exe

-- End of Deckard's System Scanner: finished at 2008-06-30 15:42:43 ------------

Edited by TTC, 30 June 2008 - 03:22 PM.



#2 lusitano



Posted 22 July 2008 - 05:19 AM


You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum. Sorry for the delay in responding, but the number of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Thanks for your patience.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano



Posted 28 July 2008 - 07:26 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.
