vinnie97 Posted July 2, 2008 Report Share Posted July 2, 2008 This happens after running Utorrent for approximately 10 hours, requiring a reboot. Here's the HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:40:01 AM, on 6/28/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\Ixia\Endpoint\endpoint.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\SanDisk\Sansa Updater\SansaSvr.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\UTSCSI.EXEC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\everest\everest.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Trillian\trillian.exeC:\Program Files\Emdat\InScribe\InScribe.exeC:\Program Files\InstText\Exe32\ITVPro.exeC:\Program Files\InstText\Exe32\ITSIA.exeC:\Program Files\Emdat\InScribe\InScribe.exeC:\Program Files\Emdat\InScribe\InScribe.exeC:\Program Files\Emdat\InScribe\InScribe.exeC:\Program Files\CDBurnerXP\NMSAccessU.exeC:\Program Files\Winamp\winamp.exeC:\Documents and Settings\Administrator.SCRIBIN\Desktop\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dllO3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dllO3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dllO4 - HKLM\..\Run: [smartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUpO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exeO4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\everest\everest.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - Global Startup: APC UPS Status.lnk = ?O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202O8 - Extra context menu item: Download All by ASUS Download - C:\Program Files\ASUS\WL-500W Wireless Router Utilities\ASDownloadAll.htmO8 - Extra context menu item: Download using ASUS Download - C:\Program Files\ASUS\WL-500W Wireless Router Utilities\ASDownload.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missingO15 - Trusted Zone: http://asia.msi.com.twO15 - Trusted Zone: http://global.msi.com.twO15 - Trusted Zone: http://www.msi.com.twO15 - Trusted Zone: *.emdat.com (HKLM)O15 - Trusted Zone: *.mytranscriptions.com (HKLM)O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166553416515O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190168703312O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cabO16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exeO23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exeO23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exeO23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXEO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe--Does anything look suspect in this group (yes, I removed a Vundo infection and have since deleted VundoFixSVC.exe)? Link to comment Share on other sites More sharing options...
jewelisheaven Posted July 2, 2008 Report Share Posted July 2, 2008 Why are there three instances of C:\Program Files\Emdat\InScribe\InScribe.exeI'd think it has something to do with Avast Web Scanner... does Peer Guardian mess with your winsock? Is orbit downloader always on? Link to comment Share on other sites More sharing options...
Firon Posted July 2, 2008 Report Share Posted July 2, 2008 What is your net.max_halfopen set to?And truth be told, your system might just be permanently screwed from the infection.O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXEThis also doesn't look legit. Link to comment Share on other sites More sharing options...
vinnie97 Posted July 2, 2008 Author Report Share Posted July 2, 2008 I had 3 instances of it running (it does utilize the network also). PeerGuardian might be a culprit but I did close out the taskbar entry long before opening uTorrent (I believe the above just shows it to be in the startup menu, correct?). I was using another antivirus app prior to this and received the same error. Perhaps it's time for a reinstallation.Edit #2: Firon, to be fair, the problem existed before the infection, it could just be related to an old installation (2 years at least). net.max_halfopen is set to 8.I've deleted UTSCSI.EXE. I think it was installed by a USB flash drive. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.