Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Weird Entries in HijackThis


  • This topic is locked This topic is locked
8 replies to this topic

#1 -`29

-`29

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 15 December 2010 - 03:26 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:05:30 PM, on 12/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\D-Link RangeBooster N650 DWA-645\acs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\John\Desktop\gmer.exe

F3 - REG:win.ini: load=???????????????U?? ?T
F3 - REG:win.ini: run=???????????????U?? ?T
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287184985515
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.1.0.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N650 DWA-645\acs.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

--
End of file - 4046 bytes

The two entries at the top have me concerned. According to GMER, they both use a file called win.ini in WINDOWS, the file contains the following:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo

Thanks for all your help. I can also upload the GMER log if u wish.

BC AdBot (Login to Remove)

 


#2 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:03:44 PM

Posted 25 December 2010 - 08:04 PM

Hello and welcome to Bleeping Computer

I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

Please post a DDS log and Gmer log. For instructions please read this post:
http://www.bleepingcomputer.com/forums/topic34773.html

#3 -`29

-`29
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 02 January 2011 - 08:27 PM

Since the last time I posted, I have deleted the 2 suspicious lines at the top. However, they are still in Hijack This's backup list, so I can restore them if needed. I have also installed a printer which will be in the Gmer log. Thats about all of the big changes I have done. A problem arose while running dds. It would start normaly, then I would tell COMODO to allow it, and then the program will get 3/4 of the way done, and just sit there. I have tried in safe mode as well. I left it alone for about half an hour, and it freezes my PC when I try to close dds. I have tried this before and after DeFogger, which just said "Finished" and did not ask me to reboot. I clicked re-enable and it said "Finished" also (after a forced shutdown because of dds). Thanks for all your help =) Happy New Year.

#4 -`29

-`29
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 02 January 2011 - 08:39 PM

Oh! I also installed Ad-Aware, but have disabled Ad-Watch Live

Attached Files

  • Attached File  ark.txt   269.68KB   2 downloads


#5 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:03:44 PM

Posted 03 January 2011 - 11:08 AM

Hi 29,


Your Windows needs updating.
Go to Microsoft's windows update site
and do all Critical Updates.


Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

What symptoms do your computer have?

#6 -`29

-`29
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 05 January 2011 - 06:50 PM

I have been using Malwarebytes for a long time, and it has been coming up clean. The last thing I remember was a PUM regarding me disabling the Help and Support button in Start or something. I keep Windows up to date with the High Priority updates, and rarely the optional and hardware. "Driver update for %PackageDesc%1.1" has been in the hardware list for a while, but I think it may be an error as others have had the same. I don't install the Malicious Software Removal tools from Microsoft, and for the longest time "Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86" has been failing to install, even after I completely formatted the drive. I don't think I am infected at all, but I'm still concerned of the weird startup entries. Perhaps they're in a different language, I can paste them into google's translator and see what it says. I have attached a startup log from CCleaner. (in the log, "no" means I disabled the item from startup)

I used Google's auto detect > English translator, and it detected Chinese, and reported the following: ? 㢸  Hu ?
? ? 㢰 ? ਸ਼ cake ˪ ? 㢸  Hu ?
? ? 㢰 ? ਸ਼ cake ˪

Attached Files



#7 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:03:44 PM

Posted 05 January 2011 - 09:47 PM

Hi 29,

I've seen these chinese character startup entries in the past and not always they are threats, they're probably part of the OS which is used to understand and show correctly chinese and chinese simplified characters. I suggested the windows updates because you have IE 6 installed. You should definitely upgrade to IE8. Also, I suggest you install the MRT from microsoft.

#8 -`29

-`29
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 06 January 2011 - 01:31 PM

IE is not my primary browser, I only use it when there's an issue with Opera. I will go ahead and install MRT, and I should upgrade to IE8 for security even in the few times I use it. Anyway, thanks for all your help, if a problem comes up I will post. :thumbup2:

#9 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:03:44 PM

Posted 07 January 2011 - 08:55 PM

Ok :)

I will close the post. If you need further help regarding this issue please send me a PM asking to reopen it.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users