Author Topic: Windows Script Host startup - is this legit?  (Read 18708 times)

pastywhitegurl
Windows Script Host startup - is this legit?
« on: May 11, 2011, 12:55:24 PM »
WinPatrol's Scotty has alerted me that a new auto startup program has been detected:

Microsoft (R) Windows Script Host

http://img31.imageshack.us/img31/8027/88b48d1e0c5544efa3daeef.png

I checked my Windows update history, there was no update last night.

I found this info; is this good advice? Should I have Scotty prevent this program and remove it?

Quote
http://www.sarc.com/avcenter/venc/data/win.script.hosting.html
How to disable (or re-enable) the Windows Scripting Host:
The program, Noscript.exe, will disable the Windows Scripting Host; this will prevent viruses from executing automated scripts.
Note: Disabling the WSH will prevent all the scripts from running on the system.

1. Download Noscript.exe from symantec to a folder on the hard disk.
http://www.symantec.com/avcenter/noscript.exe
2. Double-click the Noscript.exe icon. The Norton Script Disabler/Enabler appears.
* If the WSH is currently enabled on the system, you will be prompted as to whether you want to disable it. To do so, click Disable, and then click OK.

My Avira has shown a hidden file on every scan for a long time. When I went to the Avira forums and asked about it, they told me it was a harmless system file and not to worry about it, but now I'm wondering if it's something more and something is doing something in the deep dark recesses of my registry.

Corrine
Re: Windows Script Host startup - is this legit?
« Reply #1 on: May 11, 2011, 01:20:00 PM »
The wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted.  However, in this case, the screen copy cuts off the rest of the information.  The /B indicates that the script is to run as a batch.  

Can you provide further information beyond what is shown in the image following Application Data\?  Also, what is the name of the hidden file?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

pastywhitegurl
Re: Windows Script Host startup - is this legit?
« Reply #2 on: May 11, 2011, 01:51:55 PM »
The screen capture shows everything on the WinPatrol popup. :(

I don't have the paid version, so there is no PLUS information.

I did a Windows Explorer search for the wscript.exe file, but it found nothing.

I don't know how to find the file name of the hidden file, but here is the report of last night's Avira scan; can you tell from that?


Avira AntiVir Personal
Report file date: Wednesday, May 11, 2011  04:00

Scanning for 2707717 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : LIBRARY

Version information:
BUILD.DAT       : 10.0.0.648     31823 Bytes    4/1/2011 18:36:00
AVSCAN.EXE      : 10.0.4.2      442024 Bytes   4/28/2011 06:28:43
AVSCAN.DLL      : 10.0.3.0       46440 Bytes   4/20/2010 08:53:46
LUKE.DLL        : 10.0.3.2      104296 Bytes   12/9/2010 09:52:03
LUKERES.DLL     : 10.0.0.1       12648 Bytes   2/11/2010 04:40:49
VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 09:58:05
VBASE001.VDF    : 7.11.0.0    13342208 Bytes  12/14/2010 09:51:56
VBASE002.VDF    : 7.11.3.0     1950720 Bytes    2/9/2011 09:52:51
VBASE003.VDF    : 7.11.5.225   1980416 Bytes    4/7/2011 06:02:24
VBASE004.VDF    : 7.11.5.226      2048 Bytes    4/7/2011 06:02:24
VBASE005.VDF    : 7.11.5.227      2048 Bytes    4/7/2011 06:02:24
VBASE006.VDF    : 7.11.5.228      2048 Bytes    4/7/2011 06:02:24
VBASE007.VDF    : 7.11.5.229      2048 Bytes    4/7/2011 06:02:24
VBASE008.VDF    : 7.11.5.230      2048 Bytes    4/7/2011 06:02:25
VBASE009.VDF    : 7.11.5.231      2048 Bytes    4/7/2011 06:02:25
VBASE010.VDF    : 7.11.5.232      2048 Bytes    4/7/2011 06:02:25
VBASE011.VDF    : 7.11.5.233      2048 Bytes    4/7/2011 06:02:25
VBASE012.VDF    : 7.11.5.234      2048 Bytes    4/7/2011 06:02:25
VBASE013.VDF    : 7.11.6.28     158208 Bytes   4/11/2011 06:03:18
VBASE014.VDF    : 7.11.6.74     116224 Bytes   4/13/2011 06:03:18
VBASE015.VDF    : 7.11.6.113    137728 Bytes   4/14/2011 06:03:20
VBASE016.VDF    : 7.11.6.150    146944 Bytes   4/18/2011 13:26:35
VBASE017.VDF    : 7.11.6.192    138240 Bytes   4/20/2011 17:41:14
VBASE018.VDF    : 7.11.6.237    156160 Bytes   4/22/2011 17:57:22
VBASE019.VDF    : 7.11.7.45     427520 Bytes   4/27/2011 06:28:43
VBASE020.VDF    : 7.11.7.64     192000 Bytes   4/28/2011 06:29:50
VBASE021.VDF    : 7.11.7.97     182272 Bytes    5/2/2011 06:29:40
VBASE022.VDF    : 7.11.7.127    467968 Bytes    5/4/2011 06:29:49
VBASE023.VDF    : 7.11.7.183    185856 Bytes    5/9/2011 16:08:47
VBASE024.VDF    : 7.11.7.184      2048 Bytes    5/9/2011 16:08:47
VBASE025.VDF    : 7.11.7.185      2048 Bytes    5/9/2011 16:08:47
VBASE026.VDF    : 7.11.7.186      2048 Bytes    5/9/2011 16:08:47
VBASE027.VDF    : 7.11.7.187      2048 Bytes    5/9/2011 16:08:48
VBASE028.VDF    : 7.11.7.188      2048 Bytes    5/9/2011 16:08:48
VBASE029.VDF    : 7.11.7.189      2048 Bytes    5/9/2011 16:08:48
VBASE030.VDF    : 7.11.7.190      2048 Bytes    5/9/2011 16:08:48
VBASE031.VDF    : 7.11.7.214    112128 Bytes   5/10/2011 16:08:46
Engineversion   : 8.2.4.228
AEVDF.DLL       : 8.1.2.1       106868 Bytes   7/30/2010 08:53:02
AESCRIPT.DLL    : 8.1.3.61     1253754 Bytes    5/6/2011 16:08:52
AESCN.DLL       : 8.1.7.2       127349 Bytes  11/23/2010 09:52:29
AESBX.DLL       : 8.1.3.2       254324 Bytes  11/23/2010 09:52:35
AERDL.DLL       : 8.1.9.9       639347 Bytes   3/26/2011 08:52:16
AEPACK.DLL      : 8.2.6.0       549237 Bytes    4/9/2011 06:02:36
AEOFFICE.DLL    : 8.1.1.22      205178 Bytes    5/6/2011 16:08:51
AEHEUR.DLL      : 8.1.2.113    3494263 Bytes    5/6/2011 16:08:51
AEHELP.DLL      : 8.1.16.1      246134 Bytes    2/4/2011 09:52:06
AEGEN.DLL       : 8.1.5.4       397684 Bytes    4/9/2011 06:02:30
AEEMU.DLL       : 8.1.3.0       393589 Bytes  11/23/2010 09:52:02
AECORE.DLL      : 8.1.20.2      196982 Bytes    4/9/2011 06:02:30
AEBB.DLL        : 8.1.1.0        53618 Bytes   4/24/2010 08:52:06
AVWINLL.DLL     : 10.0.0.0       19304 Bytes   1/14/2010 17:03:38
AVPREF.DLL      : 10.0.0.0       44904 Bytes   1/14/2010 17:03:35
AVREP.DLL       : 10.0.0.9      174120 Bytes   4/28/2011 06:28:43
AVREG.DLL       : 10.0.3.2       53096 Bytes   11/3/2010 08:53:33
AVSCPLR.DLL     : 10.0.4.2       84840 Bytes   4/28/2011 06:28:43
AVARKT.DLL      : 10.0.22.6     231784 Bytes   12/9/2010 09:52:00
AVEVTLOG.DLL    : 10.0.0.8      203112 Bytes   1/26/2010 14:53:30
SQLITE3.DLL     : 3.6.19.0      355688 Bytes   1/28/2010 17:57:58
AVSMTP.DLL      : 10.0.0.17      63848 Bytes   3/16/2010 20:38:56
NETNT.DLL       : 10.0.0.0       11624 Bytes   2/19/2010 19:41:00
RCIMAGE.DLL     : 10.0.0.26    2550120 Bytes   1/28/2010 18:10:20
RCTEXT.DLL      : 10.0.58.0      97128 Bytes   11/3/2010 08:53:33

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Optimised scan......................: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PFS,+SPR,

Start of the scan: Wednesday, May 11, 2011  04:00

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc\Config\Standalone\drivelist
  [NOTE]      The registry entry is invisible.

The scan of running processes will be started
Scan process 'ssbezier.scr' - '17' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '65' Module(s) have been scanned
Scan process 'notepad.exe' - '27' Module(s) have been scanned
Scan process 'Photoshop.exe' - '133' Module(s) have been scanned
Scan process 'notepad.exe' - '52' Module(s) have been scanned
Scan process 'PngGauntlet.exe' - '88' Module(s) have been scanned
Scan process 'notepad.exe' - '27' Module(s) have been scanned
Scan process 'notepad.exe' - '25' Module(s) have been scanned
Scan process 'msohelp.exe' - '26' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '60' Module(s) have been scanned
Scan process 'AgentSvr.exe' - '36' Module(s) have been scanned
Scan process 'EXCEL.EXE' - '90' Module(s) have been scanned
Scan process 'FNPLicensingService.exe' - '15' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'Explorer.exe' - '114' Module(s) have been scanned
Scan process 'wlcomm.exe' - '70' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '45' Module(s) have been scanned
Scan process 'SMILEYPAD.EXE' - '92' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'sua.exe' - '16' Module(s) have been scanned
Scan process 'jqs.exe' - '83' Module(s) have been scanned
Scan process 'avguard.exe' - '54' Module(s) have been scanned
Scan process 'LightShot.exe' - '47' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '138' Module(s) have been scanned
Scan process 'ctfmon.exe' - '26' Module(s) have been scanned
Scan process 'desktopsV1.01.exe' - '22' Module(s) have been scanned
Scan process 'jusched.exe' - '42' Module(s) have been scanned
Scan process 'SSMMGR.EXE' - '30' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '30' Module(s) have been scanned
Scan process 'winpatrol.exe' - '42' Module(s) have been scanned
Scan process 'avgnt.exe' - '47' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '123' Module(s) have been scanned
Scan process 'sched.exe' - '53' Module(s) have been scanned
Scan process 'spoolsv.exe' - '56' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '170' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '38' Module(s) have been scanned
Scan process 'lsass.exe' - '59' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '85' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1602' files ).


Starting the file scan:

Begin scan in 'C:\' <Local Disk>


End of the scan: Wednesday, May 11, 2011  04:59
Used time: 59:18 Minute(s)

The scan has been done completely.

  14766 Scanned directories
 464495 Files were scanned
      0 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      0 Files were moved to quarantine
      0 Files were renamed
      0 Files cannot be scanned
 464495 Files not concerned
   3938 Archives were scanned
      0 Warnings
      1 Notes
 680718 Objects were scanned with rootkit scan
      1 Hidden objects were found




Corrine
Re: Windows Script Host startup - is this legit?
« Reply #3 on: May 11, 2011, 02:36:12 PM »
This explains the hidden file:  What are Control Sets? What is CurrentControlSet?

As to WinPatrol, you should be able to mouse over the remainder of the file name to determine where it points to in AppData.  Without more information, there is no way to advise you.



pastywhitegurl
Re: Windows Script Host startup - is this legit?
« Reply #4 on: May 11, 2011, 02:48:54 PM »
So are you saying my hidden file is a control set and it's ok?


:( I've moused over everything on the alert window.  Nothing gives me any additional file path.

Is there another way to find it?

Also, I'm getting an alert to install Windows updates... should I do that now or wait?

pastywhitegurl
Re: Windows Script Host startup - is this legit?
« Reply #5 on: May 11, 2011, 03:05:12 PM »
I opened WinPatrol and discovered this in my start up programs list:

http://img833.imageshack.us/img833/5382/5392984370ad4d638256120.png

Does that help?

Corrine
Re: Windows Script Host startup - is this legit?
« Reply #6 on: May 11, 2011, 05:44:16 PM »
This is what I'm finding for search_assist:  http://www.bleepingcomputer.com/startups/?&act=search&st=0&keyword=search_assist

Perhaps if you were to post an RSIT log, it would show more information. 



pastywhitegurl
Re: Windows Script Host startup - is this legit?
« Reply #7 on: May 11, 2011, 10:13:35 PM »
Only one log file appeared. This is it:

[Edit: I found it, it follows in the next post]


Logfile of random's system information tool 1.06 (written by random/random)
Run by Helena at 2011-05-11 18:11:48
Microsoft Windows XP Professional Service Pack 3
System drive C: has 271 GB (89%) free of 305 GB
Total RAM: 2047 MB (11% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:00 PM, on 5/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SAMSUNG\PANELMGR\SSMMGR.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Helena\Local Settings\Application Data\Skillbrains\lightshot\1.3.0.30\LightShot.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\PROGRAM FILES\SMILEYPAD\SMILEYPAD.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\OFFICE11\1033\msohelp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\PNGGauntlet\PngGauntlet.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\GIMP-2.0\bin\gimp-2.6.exe
C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Documents and Settings\Helena\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Helena.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\SAMSUNG\PANELMGR\SSMMGR.EXE /autorun
O4 - HKLM\..\Run: [ImageShackUtil] C:\PROGRAM FILES\IMAGESHACK\QUICKSHOT\QUICKSHOT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
O4 - HKCU\..\Run: [LightShot] C:\Documents and Settings\Helena\Local Settings\Application Data\Skillbrains\lightshot\LightShot.exe Flags: uninsdeletevalue
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Helena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [search_assist] wscript.exe /B "C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\chrome.js" install "C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\jfelndikbdcohbdimnhdhhokfljdidgn_1.0.2\"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe

--
End of file - 7596 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-562591055-682003330-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-562591055-682003330-1003UA.job
C:\WINDOWS\tasks\update-S-1-5-21-854245398-562591055-682003330-1003.job
C:\WINDOWS\tasks\update-sys.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{FFBF49B3-58D4-4F2F-8EA6-61BFA71209C1}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]
WOT Helper - C:\Program Files\WOT\WOT.dll [2009-04-15 1290912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{71576546-354D-41c9-AAE8-31F2EC22BF0D} - WOT - C:\Program Files\WOT\WOT.dll [2009-04-15 1290912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-03-17 16858112]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-03-17 69632]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2010-11-03 281768]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-10-10 320832]
"nwiz"=C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [2010-07-07 1753192]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2010-07-09 110696]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2010-07-09 13923432]
"QuickTime Task"=C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE [2010-11-29 421888]
"Samsung PanelMgr"=C:\WINDOWS\SAMSUNG\PANELMGR\SSMMGR.EXE [2008-02-25 536576]
"ImageShackUtil"=C:\PROGRAM FILES\IMAGESHACK\QUICKSHOT\QUICKSHOT.EXE []
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2011-01-07 253672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sysinternals Desktops"=C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe [2008-09-05 118824]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2010-04-16 3872080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe []
"LightShot"=C:\Documents and Settings\Helena\Local Settings\Application Data\Skillbrains\lightshot\LightShot.exe [2010-01-02 195072]
"Google Update"=C:\Documents and Settings\Helena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 133104]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"search_assist"=wscript.exe /B C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\chrome.js install C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\jfelndikbdcohbdimnhdhhokfljdidgn_1.0.2\ []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Helena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= []
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\FileZilla FTP Client\filezilla.exe"="C:\Program Files\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla FTP Client"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2011-04-25 17:00:06 ----D---- C:\Program Files\Common Files\Java
2011-04-25 16:59:45 ----A---- C:\WINDOWS\system32\javaws.exe
2011-04-25 16:59:45 ----A---- C:\WINDOWS\system32\javaw.exe
2011-04-25 16:59:45 ----A---- C:\WINDOWS\system32\java.exe
2011-04-18 19:19:00 ----D---- C:\Documents and Settings\Helena\Application Data\Trusteer
-----------------EOF-----------------

Offline pastywhitegurl

Re: Windows Script Host startup - is this legit?
« Reply #8 on: May 11, 2011, 10:17:31 PM »
oops! I was hiding under something. :)

info.txt logfile of random's system information tool 1.06 2009-11-28 10:35:40

======Uninstall list======


=====HijackThis Backups=====

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2008-10-21]

======Hosts File======


======Security center information======

AV: AntiVir Desktop

======System event log======


=====Application event log=====


======Environment variables======

-----------------EOF-----------------

Offline Corrine

Re: Windows Script Host startup - is this legit?
« Reply #9 on: May 11, 2011, 10:37:37 PM »
Quote
oops! I was hiding under something. :)

info.txt logfile of random's system information tool 1.06 2009-11-28 10:35:40

No, you weren't.  Sorry, I was in a hurry this a.m.  There won't be a new info.txt log unless you go to C:\rsit and delete the old log.  Note that the date on this one is from the first run in 2009.

Since info.txt is over 2 years old, it appears that you have subsequently installed Google Chrome.  I see various Google updates in the Scheduled task info.

Here is the entry that WinPatrol asked you about:

O4 - HKCU\..\RunOnce: [search_assist] wscript.exe /B "C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\chrome.js" install "C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\jfelndikbdcohbdimnhdhhokfljdidgn_1.0.2\"

WinPatrol is asking for permission to add the "Run Once" entry at startup.  From what I am seeing, once allowed to run at startup, the entry may update the search assistant part of Google Chrome -- then again, I don't care for the name.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
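Corrine's reading of that O4 line (wscript.exe as the launcher, the /B switch, a script under the user's Local Settings directory, a RunOnce key, and a Chrome-style extension id in the argument) can be turned into a repeatable check. The Python below is an added example, not code from the thread, HijackThis or WinPatrol; the sample O4 lines it parses are constructed, with the first mirroring the quoted entry.

```python
"""Triage HijackThis O4 (startup) lines for Windows Script Host launches.

Added example for this thread; it is not part of HijackThis, WinPatrol or the
forum post. The lines in SAMPLE_O4 are constructed for the demo (the first
mirrors the search_assist entry quoted in the thread).
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# HijackThis writes startup entries as: O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Quoted tokens keep their spaces (paths with spaces are quoted in O4 lines).
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Directories an unprivileged user can write to; a logon script there merits a look.
USER_WRITABLE_HINTS = ("\\local settings\\", "\\application data\\", "\\temp\\", "\\appdata\\")
# Chrome extension ids are 32 letters drawn from a-p; the thread's path ends in one.
CHROME_EXT_ID_RE = re.compile(r"(?<![a-z])[a-p]{32}(?![a-z])")


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    host: str                      # basename of the launched executable, lower-cased
    batch_mode: bool = False       # WSH //B (or /B as spelled in the thread's entry)
    script: Optional[str] = None   # first argument that looks like a script file
    extension_id: Optional[str] = None
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    tokens = [t.strip('"') for t in TOKEN_RE.findall(m["cmd"])]
    entry = O4Entry(m["hive"], m["key"], m["name"], m["cmd"],
                    host=ntpath.basename(tokens[0]).lower())
    args = tokens[1:]
    # WSH documents its batch switch as //B; accept the single-slash spelling too.
    entry.batch_mode = any(a.lower() in ("//b", "/b") for a in args)
    entry.script = next((a for a in args if a.lower().endswith(SCRIPT_EXTS)), None)
    ext = CHROME_EXT_ID_RE.search(m["cmd"])
    entry.extension_id = ext.group(0) if ext else None
    return entry


def assess(entry: O4Entry) -> O4Entry:
    """Attach the observations an analyst would want to see for a script-host entry."""
    if entry.host in SCRIPT_HOSTS:
        entry.reasons.append(f"{entry.host} launches a script at logon")
        if entry.batch_mode:
            entry.reasons.append("batch mode (//B) hides script errors and prompts")
        if entry.script is None:
            entry.reasons.append("no script file visible on the command line")
        elif any(h in entry.script.lower() for h in USER_WRITABLE_HINTS):
            entry.reasons.append("script lives in a per-user writable directory")
        if entry.key.lower() == "runonce":
            entry.reasons.append("RunOnce: Windows deletes the value after it runs once")
        if entry.extension_id:
            entry.reasons.append(f"argument names Chrome extension id {entry.extension_id}")
    return entry


def triage(lines) -> list:
    """Parse and assess every O4 line, skipping anything else in the log."""
    out = []
    for line in lines:
        e = parse_o4(line)
        if e is not None:
            out.append(assess(e))
    return out


# Constructed sample O4 lines; the first mirrors the entry quoted in the thread.
SAMPLE_O4 = [
    'O4 - HKCU\\..\\RunOnce: [search_assist] wscript.exe /B "C:\\Documents and Settings\\Helena\\Local Settings\\Application Data\\Search Assistant\\chrome.js" install "C:\\Documents and Settings\\Helena\\Local Settings\\Application Data\\Search Assistant\\jfelndikbdcohbdimnhdhhokfljdidgn_1.0.2\\"',
    'O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min',
    'O4 - HKCU\\..\\Run: [updater] cscript.exe //B //Nologo "C:\\Documents and Settings\\Helena\\Local Settings\\Temp\\upd.vbs"',
    'O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)',
]

if __name__ == "__main__":
    for e in triage(SAMPLE_O4):
        flag = "REVIEW" if e.suspicious else "ok"
        print(f"[{flag}] {e.hive}\\{e.key} [{e.name}] -> {e.host} script={e.script}")
        for r in e.reasons:
            print("        -", r)
```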

Offline pastywhitegurl

Re: Windows Script Host startup - is this legit?
« Reply #10 on: May 11, 2011, 11:03:46 PM »
Do you need info text?
Should I run RSIT again?

And if I understand correctly, I should allow the Windows Script Host (wscript.exe) startup program to run?

Offline Corrine

Re: Windows Script Host startup - is this legit?
« Reply #11 on: May 12, 2011, 12:19:50 AM »
No, let's skip the info.txt log.

I've still been searching this entry.  I don't like that it is a batch file.  I've never used Chrome and, as I understand it, Chrome updates automatically, without user intervention.  Is Chrome working ok?  Do you have any issues with the browser search features? 

That said, based on the WinPatrol image showing search_assist, last saved in 2008, it appears it has been on your computer for some time.  However, if it is indeed a Google Chrome update, it will be offered again.  So, let's nuke it.

Create a System Restore point first and then launch C:\Program Files\Trend Micro\HijackThis\Helena.exe

Close all programs leaving only HijackThis running. Place a check against the following, making sure you do not check anything else by mistake:

O4 - HKCU\..\RunOnce: [search_assist] wscript.exe /B "C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\chrome.js" install "C:\Documents and Settings\Helena\Local Settings\Application Data\Search Assistant\jfelndikbdcohbdimnhdhhokfljdidgn_1.0.2\"

Click on Fix Checked when finished and exit HijackThis.

Keep us posted on how things are.


Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: Windows Script Host startup - is this legit?
« Reply #12 on: May 12, 2011, 12:31:09 AM »
Chrome is a pain. I only use it for browser testing when I'm building websites.  Secunia is always flagging it as needing updating, and yet Chrome itself says it's up to date.  I have to manually remove the previous version each time.

I don't really use the search feature, so don't have anything to report on that.

Perhaps I should just uninstall Chrome now, and then do a clean install after we clean this up?


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Windows Script Host startup - is this legit?
« Reply #13 on: May 12, 2011, 12:32:36 AM »
Worth a try. :)


Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: Windows Script Host startup - is this legit?
« Reply #14 on: May 12, 2011, 12:53:32 AM »
OK. This is what I did:

Created a restore point.
Uninstalled Chrome
Created a second new restore point.

Ran HiJackThis and checked the item listed and the Fix option.

I checked the startup list in WinPatrol and the item is now missing.
However, there is still some kind of Google updater in there.

Am I done?

I have not restarted my computer yet.