Please review my log :)

4W4K3

VIP Member
I've been having some weird pop-ups lately, and some problems connecting to the internet. Could you review my file and tell me if you see anything fishy? I noticed it's got some unknown things I didn't have before, so maybe that is the problem.

Logfile of HijackThis v1.99.1
Scan saved at 8:06:55 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitComet\BitComet.exe
E:\Installs\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ---
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: startup.vbs
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124240695566
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
 
Last edited:
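As an added triage helper (not part of this thread or of HijackThis itself), a small Python parser for the entry format above: it collapses repeated O10 Winsock LSP lines, separates "(file missing)" orphans from live entries, and lists startup scripts and ActiveX download hosts for manual review. The sample log is a constructed subset of the entries posted here.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - Startup: startup.vbs
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
"""

Entry = namedtuple("Entry", "section body path url missing")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")
# Paths contain spaces, so the executable extension is the only reliable terminator.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|vbs|lnk|cab)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

def parse_hjt(text):
    """Split a HijackThis log into typed entries, one per Rx/Oxx line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.groups()
        path = p.group(0).lower() if (p := PATH_RE.search(body)) else None
        url = u.group(0) if (u := URL_RE.search(body)) else None
        entries.append(Entry(section, body, path, url, body.endswith("(file missing)")))
    return entries

def triage(entries):
    """Group entries the way a reviewer reads them; it reports, it does not judge."""
    report = {"orphaned": [], "lsp": Counter(), "startup_scripts": [], "activex_hosts": []}
    for e in entries:
        if e.missing:  # registry points at a file that is gone: stale, not proof of infection
            report["orphaned"].append(e.path)
        if e.section == "O10" and e.path:
            # The same DLL is listed once per Winsock protocol it hooks, so identical repeats
            # are normal; removing a legitimate LSP breaks TCP/IP, so identify its owner first.
            report["lsp"][e.path] += 1
        if (e.section == "O4" and e.body.startswith("Startup: ")
                and e.body.lower().endswith((".vbs", ".bat", ".cmd", ".js"))):
            report["startup_scripts"].append(e.body[len("Startup: "):])
        if e.section == "O16" and e.url:  # downloaded ActiveX control: check who hosts it
            report["activex_hosts"].append(urlparse(e.url).hostname)
    return report
```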
The only process that I'm not sure about is this one:
C:\WINDOWS\system32\acs.exe

And these ones I'm not sure of either:
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe


Now I don't think Atheros is spyware, I'm just not aware of a product called that. If that's not spyware, then I don't see anything wrong in your log.
 
geoff5093 said:
Now I don't think Atheros is spyware, I'm just not aware of a product called that. If that's not spyware, then I don't see anything wrong in your log.


It is wireless software for HP/Compaq
 
Atheros is the set of drivers that I use for my wireless D-Link card instead of the original drivers, no worries. They work a lot better.

Hmm... well, for some reason whenever I am running a certain program I can't load webpages besides Google (my homepage). But when I close this program everything works fine. It is a P2P program.
 
Is the P2P program using up almost all of your bandwidth? Since Google's home page is incredibly small compared to others, it may be why you can only go there.
 
geoff5093 said:
Is the P2P program using up almost all of your bandwidth? Since Google's home page is incredibly small compared to others, it may be why you can only go there.

Probably... although I've only set it to use 92kb, it slows down the internet considerably. Now that I've gotten rid of some junk with M$ AntiSpyware everything seems to be in order again. I can't believe I didn't use that program before, it's wonderful. :D Thanks guys.
 
You are infected ...

Download and start this: Click, and you can soon click on FINISH



Enabling Show All Files


This procedure allows you to access hidden malware files using Windows Explorer.

• On Windows NT

1. Open Windows Explorer. Right-click Start then click Explore.
2. On the View menu, click Options or Folders Options.
3. Click the View tab.
4. Select Show all files, then click OK.

• On Windows 2000 and XP

1. Open Windows Explorer. Right-click Start then click Explore.
2. On the Tools menu, click Folder Options.
3. Click the View tab.
4. Select Show hidden files and folders, then click OK.
5. Uncheck the Hide protected operating system files check box (if found).
6. Click Yes when prompted.
7. Uncheck the Hide file extension for known file types check box.
8. Click OK.

__________________________________________________________________________________________________________

How to disable System Restore

The following procedure disables the System Restore feature:

For Windows ME

1. Right-click the My Computer icon on the Desktop and click Properties.
2. Click the Performance tab.
3. Click the File System button.
4. Click the Troubleshooting tab.
5. Select Disable System Restore.
6. Click Apply > Close > Close.
7. When prompted to restart, click Yes.
8. Press F8 while the system restarts.
9. Choose Safe Mode then hit the Enter key.
10. After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
11. Re-enable System Restore by clearing Disable System Restore and restarting your system normally.

For Windows XP

1. Log on as Administrator.
2. Right-click the My Computer icon on the desktop and click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore.
5. Click Apply > Yes > OK.
6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
7. Re-enable System Restore by clearing Turn off System Restore.

__________________________________________________________________________________________________________

Restarting in Safe Mode

• On Windows NT (VGA mode)

1. Click Start>Settings>Control Panel.
2. Double-click the System icon.
3. Click the Startup/Shutdown tab.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Shut down and restart your computer.
6. Select VGA mode from the startup menu.

• On Windows 2000

1. Restart your computer.
2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

__________________________________________________________________________________________________________

1. Start hijack and click on "do a system scan only"

2. Tick off the following lines and click on "fix checked"

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O4 - Startup: startup.vbs



After the instructions

Still in safe mode, repeat the security scans (SpyBot, Ad-Aware and your antivirus, all updated) and apply the protections of CWShredder and SpyWareBlaster.
Clean the registry with RegSeeker, and clean the cache, cookies and Prefetch (XP) files with CCleaner (without modifying the options).
Restart the PC in normal mode, re-enable System Restore, run the log again and post it here for a final check.
If the entries do not appear in safe mode, they have to be fixed in normal mode.
 
Umm... can I ask you why you think I am infected? The .dll files are from my M$ firewall client... I use that every day, probably for 6 months now. Not an infection.

The Creative Service file doesn't seem to have any possible threat to it. Spybot, Ad-Aware, AVG, M$ AntiSpyware all see it as fine.

I've uninstalled Windows Messenger, I use Trillian... but I kept most of the info in case I need the actual Messenger for w/e reason. I can delete the Program Files folder if I don't want it, but I've kept it for a reason.

The startup.vbs file is one I've written to work with XP Home and my network. Home doesn't support network printers or network drives, but I need them on a daily basis. When I run the script it takes my login credentials and connects me to these manually, and it's easier than mapping network drives and connecting to a remote server after EVERY reboot. That's not an infection.

EDIT: actually "CTsvcCDA.exe" is a Creative Labs process; my speakers are made by Creative Labs along with the software/drivers. I use nVidia drivers for my sound, so that file is probably just a leftover from when I uninstalled the original drivers.
 
Last edited:
Yusuke said:
You are infected ...

Download and start this: Click, and you can soon click on FINISH



Enabling Show All Files


This procedure allows you to access hidden malware files using Windows Explorer.

• On Windows NT

1. Open Windows Explorer. Right-click Start then click Explore.
2. On the View menu, click Options or Folders Options.
3. Click the View tab.
4. Select Show all files, then click OK.

• On Windows 2000 and XP

1. Open Windows Explorer. Right-click Start then click Explore.
2. On the Tools menu, click Folder Options.
3. Click the View tab.
4. Select Show hidden files and folders, then click OK.
5. Uncheck the Hide protected operating system files check box (if found).
6. Click Yes when prompted.
7. Uncheck the Hide file extension for known file types check box.
8. Click OK.

__________________________________________________________________________________________________________

How to disable System Restore

The following procedure disables the System Restore feature:

For Windows ME

1. Right-click the My Computer icon on the Desktop and click Properties.
2. Click the Performance tab.
3. Click the File System button.
4. Click the Troubleshooting tab.
5. Select Disable System Restore.
6. Click Apply > Close > Close.
7. When prompted to restart, click Yes.
8. Press F8 while the system restarts.
9. Choose Safe Mode then hit the Enter key.
10. After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
11. Re-enable System Restore by clearing Disable System Restore and restarting your system normally.

For Windows XP

1. Log on as Administrator.
2. Right-click the My Computer icon on the desktop and click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore.
5. Click Apply > Yes > OK.
6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
7. Re-enable System Restore by clearing Turn off System Restore.

__________________________________________________________________________________________________________

Restarting in Safe Mode

• On Windows NT (VGA mode)

1. Click Start>Settings>Control Panel.
2. Double-click the System icon.
3. Click the Startup/Shutdown tab.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Shut down and restart your computer.
6. Select VGA mode from the startup menu.

• On Windows 2000

1. Restart your computer.
2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

__________________________________________________________________________________________________________

1. Start hijack and click on "do a system scan only"

2. Tick off the following lines and click on "fix checked"

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\microsoft firewall client 2004\fwcwsp.dll

O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O4 - Startup: startup.vbs



After the instructions

Still in safe mode, repeat the security scans (SpyBot, Ad-Aware and your antivirus, all updated) and apply the protections of CWShredder and SpyWareBlaster.
Clean the registry with RegSeeker, and clean the cache, cookies and Prefetch (XP) files with CCleaner (without modifying the options).
Restart the PC in normal mode, re-enable System Restore, run the log again and post it here for a final check.
If the entries do not appear in safe mode, they have to be fixed in normal mode.

Don't do this!

He is using a HijackThis log analysis program that is mistaking these files for spyware!

geoff5093 stands correct!
 
Last edited:
4W4K3,

Yusuke's suggestions are blatantly wrong, don't follow them. Please check the following:

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab

NOTE TO ALL WHO POST A HJT LOG: Please take suggestions by users at your own risk! Waiting for a moderator would be far safer and more useful. (Good going 4W4K3!! I'm glad you didn't take Yusuke's advice.)
 
I got rid of the PopCap .dll file, I think that was some kind of tracker or w/e they are called. It was like "notspy.porn.popcap.dll" or something similar. Thanks for pointing that out.
 