HJT log question

Blue Jack

OSNN Addict
Joined
Jan 21, 2004
Messages
103
#1
This is kinda interesting:

Logfile of HijackThis v1.97.7
Scan saved at 4:47:31 PM, on 2/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\VRC.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\God\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4099884259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What is in my winsock? Anyone know how to fix?
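An added example, not part of the thread and not code from HijackThis: a small Python triage script for an HJT log such as the one above. It parses the item lines (R0/R1, O2, O4, O10, O16 ...), collapses the repeated O10 entries (HijackThis prints one line per Winsock catalog entry that references the DLL, which is why ua_lsp.dll shows up twenty times for one file), and returns a summary a responder can act on. The embedded sample log is an abridged copy of the posted one; the regular expressions encode my assumption about the v1.97 line format, and nothing here is an authoritative allow-list.

```python
"""Offline triage of a HijackThis (HJT) v1.x text log (added example)."""
import re
from collections import Counter

# Constructed sample: an abridged copy of the log posted in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
Scan saved at 4:47:31 PM, on 2/18/2004
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - Global Startup: Service Manager.lnk = C:\\Program Files\\Microsoft SQL Server\\80\\Tools\\Binn\\sqlmangr.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\ua_lsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Assumed HJT v1.97 line shapes (see the log above for real instances).
VERSION_RE = re.compile(r"^Logfile of HijackThis v(\S+)")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$", re.IGNORECASE)
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_entries(log_text):
    """Yield (section, body) for every HJT item line; headers and process list are skipped."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def hjt_version(log_text):
    """Return the HijackThis version string from the log header, or None."""
    for line in log_text.splitlines():
        match = VERSION_RE.match(line.strip())
        if match:
            return match.group(1)
    return None


def triage(log_text):
    """Summarise the log: LSP DLLs (deduplicated with a count), Run keys, and per-section totals."""
    lsp_dlls = Counter()
    run_keys = []
    section_counts = Counter()
    for section, body in parse_entries(log_text):
        section_counts[section] += 1
        if section == "O10":
            match = LSP_RE.match(body)
            if match:
                # Normalise case so c:\WINDOWS and c:\windows collapse together.
                lsp_dlls[match.group(1).strip().lower()] += 1
        elif section == "O4":
            match = RUN_RE.match(body)
            if match:
                hive, name, command = match.groups()
                run_keys.append({"hive": hive, "name": name, "command": command})
            else:
                # Global Startup and other O4 shapes: keep the raw text for review.
                run_keys.append({"hive": "other", "name": None, "command": body})
    return {
        "hjt_version": hjt_version(log_text),
        "lsp_dlls": dict(lsp_dlls),
        "lsp_hijack_suspected": bool(lsp_dlls),
        "run_keys": run_keys,
        "section_counts": dict(section_counts),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("HJT version:", summary["hjt_version"])
    for dll, n in summary["lsp_dlls"].items():
        print(f"Winsock LSP: {dll} referenced by {n} catalog entries")
    for entry in summary["run_keys"]:
        print("Autostart:", entry["hive"], entry["name"], entry["command"])
```

Feed it the full log (read the file and call `triage` on its text) and the twenty O10 lines become a single line naming the DLL and its reference count, which is the first thing to look up; the O4 list is the second, which is exactly where the later replies in this thread disagreed about what is legitimate.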
 

Tiesto

OSNN Addict
Joined
Feb 1, 2004
Messages
112
#2
Kill these:

C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE

Remove:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

Some kind of virus or spyware bug. Run Ad-Aware and antivirus when you're done.
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#3
No, don't remove the above.

C:\WINDOWS\System32\CTsvcCDA.EXE is a Creative Labs Service

C:\WINDOWS\System32\MsPMSPSv.exe is a Windows Service (WMP)

C:\WINDOWS\System32\MsgSys.EXE is part of LANDesk.

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install is part of the Nvidia driver.

Run LSPFix:

http://www.cexx.org/LSPFix.exe

That should solve the LSP problems.
 

Blue Jack

OSNN Addict
Joined
Jan 21, 2004
Messages
103
#4
Thanks Enyo!

Actually there is a third-party fix on that link you gave me that I found that fixed it. Phew, is that a run-on sentence?

Any idea what caused that? The only thing ( that I know of) that I changed was my MediaPlayer license. And that seemed like it was not a choice, there was no cancel option. I was able to restore the old license, but other than that I'm lost.

Norton and NOD32 came up clean.
 

Tiesto

OSNN Addict
Joined
Feb 1, 2004
Messages
112
#5
I've never seen any of those running apps; MsgSys.exe in the /System dir just looks too suspicious to me.
 

Blue Jack

OSNN Addict
Joined
Jan 21, 2004
Messages
103
#6
Tiesto said:
I've never seen any of those running apps; MsgSys.exe in the /System dir just looks too suspicious to me.
That's part of my Norton (corporate) AV.

I found this on it on a different forum:

Quote from Jeff Baker:

MSGSYS.EXE is directly related to the automated message service of Symantec's Corporate Edition virus software (version 7.6) and is a portion of its AMS2 service. The AMS2 service provides administrators with real-time notifications via e-mail, pager, and Windows Messaging regarding virus infections on a network. This service relies on the Intel Ping Discovery Service (PDS), as well as the msgsys.exe application, in order for alerts to function properly. If you own Symantec Anti-Virus Corporate Edition 7.6 you were upgraded for free (via snail mail) to version 8.0, which does not seem to contain the MSGSYS.EXE program (at least I have not seen it show itself yet). As far as I can tell the only difference between version 8.0 and version 7.6 is the missing MSGSYS.EXE process. The CBA messages system that your firewall will point to is owned by Intel. It seems to be an old messaging system that Intel used to pinpoint errors in networked machines. This process would send an error message back to Intel and then they would get a group of engineers together to solve the problem (hopefully before the customer noticed). They say it was used world wide so I don't know if they take this "error" information still today, but at one time it was in place. Bottom line, you can remove this program without causing a BSOD.
I never really gave it much thought. It's always been there for me, since NAV is usually the first program I install after a format.
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#8
Blue Jack said:
Any idea what caused that?
As you may have read on cexx.org, spyware such as New.Net can cause this.

It is of course perfectly feasible that something valid made changes, but I've never come across any situation where this has been the case.

Glad it's resolved :)
 
