HJT log question

[Blue Jack]

This is kinda interesting:

Logfile of HijackThis v1.97.7
Scan saved at 4:47:31 PM, on 2/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\VRC.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\God\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4099884259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What is in my winsock? Anyone know how to fix?

 

[Tiesto]

Kill these:

C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE

Remove:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

Some kind of virus or spyware bug. Run Adaware and antivirus when your done.

 

[Enyo]

No, don't remove the above

C:\WINDOWS\System32\CTsvcCDA.EXE is a Creative Labs Service

C:\WINDOWS\System32\MsPMSPSv.exe is a Windows Service (WMP)

C:\WINDOWS\System32\MsgSys.EXE is part of LANDesk.

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install is part of the Nvidia driver.

Run LSPFix:

http://www.cexx.org/LSPFix.exe

That should solve the LSP problems.

 

[Blue Jack]

Thanks Enyo!

Actually there is a thirdparty fix on that link you gave me that I found that fixed it. Phew, is that a run on sentance?

Any idea what caused that? The only thing ( that I know of) that I changed was my MediaPlayer license. And that seemed like it was not a choice, there was no cancel option. I was able to restore the old license, but other than that I'm lost.

Norton and NOD32 came up clean.

 

[Tiesto]

Ive never seen any of those running apps, MsgSys.exe in the /System dir just looks too suspicious to me.

 

[Blue Jack]

Ive never seen any of those running apps, MsgSys.exe in the /System dir just looks too suspicious to me.

Thats part of my Norton (corporate) AV.

I found this on it on a different forum:

Quote from Jeff Baker:

MSGSYS.EXE is directly related to the automated message service of Symantec's Corporate Addition virus software (version 7.6) and is a portion of its AMS2 service. The AMS2 service provides administrators with real-time notifications via e-mail, pager, and Windows Messaging regarding virus infections on a network. This service relies on the Intel Ping Discovery Service (PDS), as well as the msgsys.exe application in order for alerts to function properly. If you own Symantec Anti-Virus Corporate Edition 7.6 you were upgraded for free (via snail mail) to version 8.0 which does not seem to contain the MSGSYS.EXE program (at least I have not seen it show itself yet). As far as I can tell the only difference between version 8.0 and version 7.6 is the missing MSGSYS.EXE process. The CBA messages system that your firewall will point to is owned by Intel. It seems to be an old messaging system that Intel used to pinpoint errors in networked machines. This process would send an error message back to Intel and then they would get a group of engineers together to solve the problem (hopefully before the customer noticed). They say it was used world wide so I don't know if they take this "error" information still today but at one time it was in place. Bottom line, you can remove this program without causing a BSOD.

I never really gave it much thought. Its always been there for me, since NAV is usually the first program I install after a format.

 

[Tiesto]

hmm, just strange that it dumps it in the /System folder

 

[Enyo]

Any idea what caused that?

As you may have read on cexx.org Spyware such as New.Net can cause this.

It is of course perfectly feasible that something valid made changes but Ive never come across any situation where this has been the case.

Glad its resolved