Thread: HijackThis Log

  1. #1
    Guyon

    HijackThis Log

    Can anyone check this log and tell me if there is something unusual?

    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11.36.24, on 20/11/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Avira\AntiVir Desktop\sched.exe
    C:\Programmi\Avira\AntiVir Desktop\avguard.exe
    C:\Programmi\Comodo\Firewall\cmdagent.exe
    C:\Programmi\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Programmi\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programmi\Comodo\Firewall\CPF.exe
    C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
    C:\Programmi\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Programmi\Nike\Nike+ Connect\Nike+ Connect daemon.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Programmi\NVIDIA Corporation\nTune\nTuneCmd.exe
    C:\Giochi\World of Warcraft\WoW.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Tommy\Documenti\Temp\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min /ns
    O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Programmi\Logitech\GamePanel Software\LgDevAgt.exe"
    O4 - HKLM\..\Run: [Nike+ Connect] "C:\Programmi\Nike\Nike+ Connect\Nike+ Connect daemon.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-21-861567501-706699826-725345543-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284931652015
    O17 - HKLM\System\CCS\Services\Tcpip\..\{16515235-805E-45A8-9BCA-7CD1ADDE1D50}: NameServer = 85.37.17.10,85.38.28.86
    O17 - HKLM\System\CS1\Services\Tcpip\..\{16515235-805E-45A8-9BCA-7CD1ADDE1D50}: NameServer = 85.37.17.10,85.38.28.86
    O17 - HKLM\System\CS2\Services\Tcpip\..\{16515235-805E-45A8-9BCA-7CD1ADDE1D50}: NameServer = 85.37.17.10,85.38.28.86
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Programmi\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    
    --
    End of file - 6249 bytes
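    An added triage helper for logs in this format (this is example code written for the thread, not HijackThis' own analysis): it parses the "Oxx - ..." entries and the bare process paths, and flags the three things a reviewer would look at first in the log above: a binary running from a user's Temp folder, the O17 name servers (to confirm they belong to the ISP), and an O23 service HijackThis reports with "Unknown owner". The sample lines are copied from the posted log; the heuristics are this example's own.

```python
import re

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = """\
C:\\Documents and Settings\\Tommy\\Documenti\\Temp\\HijackThis.exe
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{16515235-805E-45A8-9BCA-7CD1ADDE1D50}: NameServer = 85.37.17.10,85.38.28.86
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Programmi\\Avira\\AntiVir Desktop\\avguard.exe
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""

# HJT entries look like "O23 - <detail>"; the "Running processes" section
# is bare absolute paths.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")
# A binary living under a user profile's ...\Temp\ folder; installed
# software normally does not (post #3 asks that HJT itself not run from there).
USER_TEMP_RE = re.compile(r"\\(Documents and Settings|Users)\\[^\\]+\\.*\\Temp\\", re.I)


def parse_line(line):
    """Return {'code': ..., 'body': ...} for an HJT entry or process path, else None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return {"code": m.group("code"), "body": m.group("body")}
    if PROC_RE.match(line):
        return {"code": "PROC", "body": line}
    return None


def triage(log_text):
    """Collect (kind, detail) findings worth a human look. The heuristics are
    this example's own, not HijackThis' verdicts; a hit is a lead, not a diagnosis."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        code, body = entry["code"], entry["body"]
        if code in ("PROC", "O4") and USER_TEMP_RE.search(body):
            findings.append(("runs-from-user-temp", body))
        if code == "O17" and "NameServer = " in body:
            # DNS servers configured on an adapter: confirm they are the ISP's.
            findings.append(("dns-servers-to-verify", body.split("NameServer = ", 1)[1]))
        if code == "O23" and "- Unknown owner -" in body:
            # HJT could not read a company name for this service binary.
            findings.append(("service-with-unknown-owner", body))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```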

  2. #2
    Deleted
    What is the problem exactly? Not sure what I am looking for atm, so far nothing unusual.

  3. #3
    Deleted
    First of all, run HijackThis from an installed location. Download the installer or save the file on, like, your desktop or a folder in C:\ somewhere. *NOT TEMP*
    Update your PC. You're still running Windows XP SP2. Make sure you update fully (SP3 is out).

    Besides that, it looks fine. I assume you did run a Malwarebytes full scan, etc. etc.?

  4. #4
    Guyon
    Since yesterday, I got randomly DC'd from WoW. Only from WoW.
    So after running all the tests on earth (reinstalling WoW, cleaning the UI, running the repair tool, testing WoW on 3 different PCs), I noticed that if I disable UPnP on my router I stop getting DC'd.
    I have a Netgear DGN2200 and I never ever had a problem since I bought it (a year and a half ago). But since yesterday I get these DCs.
    I did a complete scan with AntiVir + Malwarebytes, and I also have Comodo Firewall. According to all this software I'm clean.
    I really don't know what to look for anymore, so I tried HJT to check for something strange, but I don't see anything wrong up there, so I thought about posting it here to see if someone sees some little issue that I might be missing...

    ---------- Post added 2011-11-20 at 11:50 AM ----------

    Quote Originally Posted by Magekid
    First of all, run HijackThis from an installed location. Download the installer or save the file on, like, your desktop or a folder in C:\ somewhere. *NOT TEMP*
    Update your PC. You're still running Windows XP SP2. Make sure you update fully (SP3 is out).

    Besides that, it looks fine. I assume you did run a Malwarebytes full scan, etc. etc.?
    \Temp is the folder I created and where I put a few files. And yeah, I did a Malwarebytes full scan, it says I'm clean.

    These were the ports opened in the UPnP page on the router:

    YES TCP 3150 3150 192.168.X.X
    YES TCP 1232 1232 192.168.X.X
    YES TCP 1833 1833 192.168.X.X
    YES UDP 6881 6881 192.168.X.X
    YES TCP 2301 2301 192.168.X.X

  5. #5
    Deleted
    Quote Originally Posted by Guyon
    Since yesterday, I got randomly DC'd from WoW. Only from WoW.
    So after running all the tests on earth (reinstalling WoW, cleaning the UI, running the repair tool, testing WoW on 3 different PCs), I noticed that if I disable UPnP on my router I stop getting DC'd.
    I have a Netgear DGN2200 and I never ever had a problem since I bought it (a year and a half ago). But since yesterday I get these DCs.
    I did a complete scan with AntiVir + Malwarebytes, and I also have Comodo Firewall. According to all this software I'm clean.
    I really don't know what to look for anymore, so I tried HJT to check for something strange, but I don't see anything wrong up there, so I thought about posting it here to see if someone sees some little issue that I might be missing...

    \Temp is the folder I created and where I put a few files. And yeah, I did a Malwarebytes full scan, it says I'm clean.

    These were the ports opened in the UPnP page on the router:

    YES TCP 3150 3150 192.168.X.X
    YES TCP 1232 1232 192.168.X.X
    YES TCP 1833 1833 192.168.X.X
    YES UDP 6881 6881 192.168.X.X
    YES TCP 2301 2301 192.168.X.X
    UPnP is simply a thingy that automatically (temporarily) opens certain ports when a program (outbound) requires it to. It shouldn't be any problem security-wise. It might be, however, that the function in your router is broken; did you try rebooting the router (power it off for a minute or 2), or upgrading its firmware?

    If you disable it and it works fine you can also leave it like that. However, if you start getting connection issues with other programs it's probably better to leave it enabled; it's just something you gotta try out and see for yourself.

  6. #6
    Guyon
    Quote Originally Posted by Magekid
    UPnP is simply a thingy that automatically (temporarily) opens certain ports when a program (outbound) requires it to. It shouldn't be any problem security-wise. It might be, however, that the function in your router is broken; did you try rebooting the router (power it off for a minute or 2), or upgrading its firmware?

    If you disable it and it works fine you can also leave it like that. However, if you start getting connection issues with other programs it's probably better to leave it enabled; it's just something you gotta try out and see for yourself.
    Yeah, I know what UPnP is; I was worried that some malicious software was opening a route and making some ports be redirected to this machine.
    Particularly that port TCP 3150 :\

  7. #7
    Deleted
    Quote Originally Posted by Guyon
    Yeah, I know what UPnP is; I was worried that some malicious software was opening a route and making some ports be redirected to this machine.
    Particularly that port TCP 3150 :\
    Any AV should recognize the malware (DeepThroat) on port 3150 these days. It's almost ancient malware (it's from the year 2000).
    As long as you ran a Malwarebytes full scan (on all your computers, of course) and a normal scan with Avira there shouldn't be any problems. If you would like to manually check, here's a link:
    http://forums.spybot.info/showthread.php?t=38117

  8. #8
    Deleted
    It could also be your provider doing maintenance, a bad connection, *insert all other possible options that are beyond your control*?

  9. #9
    Guyon
    I restored the router to factory default and then restored a backup, and it has worked fine since then.
    I still see some unusual ports on the UPnP panel of the router, though.

    For example today I see:

    YES TCP 1150 1150 192.168.X.X

    That port is not open nor listening on my PC. I ran a full AntiVir and Malwarebytes scan, as well as a Prevx scan and a TDSSKiller scan.
    All this software says I'm clean, I don't see any request on my firewall on these ports (in or out traffic), and the HijackThis logs are still the same as I posted above (and I guess any suspicious software would be in the HJT log, at least).

    My connection has always been very good, so these UPnP ports might have been there since forever and I just noticed them now, I have no idea, but it feels strange to see them opened on the router honestly..
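    The check described in this post (a UPnP mapping for a port nothing on the PC is listening on) and the UPnP behaviour explained in #5, as an added example that is not part of the thread: it parses the router's UPnP table rows in the format pasted above and a `netstat -an` excerpt from the mapped host, and reports enabled mappings whose internal port has no listener. The column order (enabled flag, protocol, the two port numbers, LAN host), the LAN address 192.168.0.10 and the netstat lines are assumptions constructed for the example; the rows themselves are the ones quoted in the thread.

```python
from collections import namedtuple

Mapping = namedtuple("Mapping", "enabled proto ext_port int_port host")

# Constructed: the rows quoted in this thread from the router's UPnP page,
# with the masked LAN address replaced by an assumed host 192.168.0.10.
ROUTER_TABLE = """\
YES TCP 3150 3150 192.168.0.10
YES TCP 1232 1232 192.168.0.10
YES UDP 6881 6881 192.168.0.10
YES TCP 1150 1150 192.168.0.10
"""

# Constructed excerpt of 'netstat -an' taken on that same host (XP format).
NETSTAT = """\
  TCP    0.0.0.0:1232           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1833      203.0.113.5:3724       ESTABLISHED
  UDP    0.0.0.0:6881           *:*
"""


def parse_table(text):
    """Rows of the router table: enabled, protocol, external/internal port, LAN host."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5:
            rows.append(Mapping(f[0].upper() == "YES", f[1].upper(), int(f[2]), int(f[3]), f[4]))
    return rows


def listening_ports(netstat_text):
    """Set of (proto, port) the host will accept traffic on: TCP LISTENING, any bound UDP.
    An ESTABLISHED outbound connection is not a listener and is ignored."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].upper() not in ("TCP", "UDP"):
            continue
        port = int(f[1].rsplit(":", 1)[1])
        if f[0].upper() == "TCP" and f[-1] == "LISTENING":
            ports.add(("TCP", port))
        elif f[0].upper() == "UDP":
            ports.add(("UDP", port))
    return ports


def stale_mappings(table_text, netstat_text):
    """Enabled mappings whose internal port has no listener on the mapped host."""
    open_ports = listening_ports(netstat_text)
    return [m for m in parse_table(table_text)
            if m.enabled and (m.proto, m.int_port) not in open_ports]
```

A mapping with no listener behind it is a lead, not proof of anything: the program that requested it may simply have exited (UPnP leases are meant to be temporary, as #5 says), so the useful follow-up is to delete it on the router and see whether, and while which program runs, it comes back.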

  10. #10
    Try using a different router, i.e. borrowing one from a friend; your router could just be going up.
