Strange entries in HiJackThis log from weather applet


This topic is locked
3 replies to this topic

#1 TripodBob

  • Members
  • 34 posts
  • Gender:Male
  • Location:Williamsburg, Virginia

Posted 08 April 2014 - 04:00 PM

Started seeing these additions recently in HiJackThis involving a small weather applet from SourceForge.net:

 

O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 Startup: Weather.exe (User '?')
O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 Startup: Weather.exe (User '?')
O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-2 Startup: Weather.exe (User '?')
O4 - Startup: Weather.exe

 

The last entry is the one that is usually present.  I uninstalled the weather applet and then reinstalled it, ran HiJackThis and only got the last entry.  The next day the other entries began showing up. The list seems to grow over time.  Before I uninstalled the weather app I had 6 or more of the strange entries.

 

I've been running the applet for years and never had the additional entries until recently. 

 

System is XP Home with SP3 with all Windows updates.

 

Below are requested files

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by Robert T. xxxxx at 16:03:41 on 2014-04-08
#Option MBR scan  is disabled.
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3325.2220 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HitmanPro.Alert\hmpalert.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\EscSvc.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Documents and Settings\Robert T. xxxxx\Start Menu\Programs\Startup\Weather.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

 

.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {A60C1DC7-64B3-4AD9-8E67-035D11B8B2B0} - <orphaned>
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\rusb3mon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [FUFAXRCV] "c:\program files\epson software\fax utility\FUFAXRCV.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
StartupFolder: c:\documents and settings\robert t. xxxxx\start menu\programs\startup\Weather.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
Trusted Zone: vanguard.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341412017515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1344649594873
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
TCP: NameServer = 192.168.1.1 192.168.0.1
TCP: Interfaces\{40628E54-3350-4389-A185-C4588B457EED} : DHCPNameServer = 192.168.1.1 192.168.0.1
TCP: Interfaces\{C4F06C52-B1C8-4994-A92E-08598A09000B} : DHCPNameServer = 192.168.1.1 192.168.0.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - <orphaned>
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - <orphaned>
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 m.fr.a2dfp.net
Hosts: 0.0.0.0 mfr.a2dfp.net
Hosts: 0.0.0.0 ad.a8.net
Hosts: 0.0.0.0 asy.a8ww.net
.
Note: multiple HOSTS entries found. Please refer to Attach.txt

 

.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2013-6-28 16504]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-10-18 37352]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2014-3-31 44632]
R1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-3-22 52312]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-10-18 440400]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-10-18 440400]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-10-18 90400]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [2013-7-26 122000]
R2 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys [2014-2-4 14376]
R2 hmpalertsvc;HitmanPro.Alert Service;c:\program files\hitmanpro.alert\hmpalert.exe [2014-2-4 1830768]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2014-3-31 319288]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-3-22 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-3-22 857912]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2013-7-25 75504]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-3-22 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-2-12 107736]
R3 rusb3hub;Renesas Electronics USB 3.0 Hub Driver (Version 3.0);c:\windows\system32\drivers\rusb3hub.sys [2014-1-3 90248]
R3 rusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver (Version 3.0);c:\windows\system32\drivers\rusb3xhc.sys [2014-1-3 180744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\robert~1.roi\locals~1\temp\alsysio.sys --> c:\docume~1\robert~1.roi\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2013-7-25 1691480]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 PSMounterEx;Macrium Reflect Image Explorer Driver;c:\windows\system32\drivers\psmounterex.sys [2013-8-1 65144]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
S4 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2013-12-20 605168]
.

=============== Created Last 30 ================
.
2014-04-08 13:10:02 7969936 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{7c1ba3d7-04a2-4343-a19c-8bab71807de4}\mpengine.dll
2014-04-03 20:21:17 -------- d-----w- c:\documents and settings\robert t. xxxxx\local settings\application data\Weather
2014-04-03 20:15:30 -------- d-----w- c:\documents and settings\robert t. xxxxx\local settings\application data\Downloaded Installations
2014-03-31 16:51:33 -------- d-----w- c:\program files\Malwarebytes Anti-Exploit
2014-03-30 14:36:11 7969936 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
2014-03-27 21:38:40 333424 ----a-r- c:\documents and settings\robert t. xxxxx\application data\microsoft\installer\{2b03c4a2-1689-40a8-8a36-d1adbd3671af}\BOINCManagerShortc_F9554A6854C94487A6090E1445D3C0AB.exe
2014-03-27 21:38:40 333424 ----a-r- c:\documents and settings\robert t. xxxxx\application data\microsoft\installer\{2b03c4a2-1689-40a8-8a36-d1adbd3671af}\ARPPRODUCTICON.exe
2014-03-27 13:48:00 -------- d-----w- c:\documents and settings\robert t. xxxxx\local settings\application data\Riffstation
2014-03-27 13:47:40 -------- d-----w- c:\program files\Riffstation Trial
2014-03-23 20:51:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2014-03-22 16:06:11 52312 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-22 16:06:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-22 16:06:11 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-03-22 16:06:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2014-03-18 19:54:47 -------- d-----w- c:\documents and settings\robert t. xxxxx\application data\MPC-HC
2014-03-18 19:52:13 -------- d-----w- c:\program files\MPC-HC
2014-03-16 00:37:37 -------- d-----w- C:\FRST
2014-03-11 21:15:53 -------- d-----w- c:\documents and settings\robert t. xxxxx\application data\NCR Corporation
.

 

==================== Find3M  ====================
.
2014-04-08 17:50:52 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-31 13:35:10 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-03-18 19:35:24 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-18 19:35:24 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-18 15:03:02 107736 ----a-w- c:\windows\system32\drivers\48230029.sys
2014-02-27 19:02:08 890512 ----a-w- c:\windows\boinc.scr
2014-02-24 11:46:36 920064 ----a-w- c:\windows\system32\wininet.dll
2014-02-24 11:45:58 43520 ------w- c:\windows\system32\licmgr10.dll
2014-02-24 11:45:57 1469440 ------w- c:\windows\system32\inetcpl.cpl
2014-02-24 11:45:42 18944 ----a-w- c:\windows\system32\corpol.dll
2014-02-24 10:54:21 385024 ----a-w- c:\windows\system32\html.iec
2014-02-09 14:51:52 17488 ----a-w- c:\windows\gdrv.sys
2014-02-07 02:01:37 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55:04 562688 ----a-w- c:\windows\system32\qedit.dll
2014-02-04 22:38:33 564312 ----a-w- c:\windows\system32\hmpalert.dll
2014-02-04 22:38:33 14376 ----a-w- c:\windows\system32\drivers\hmpalert.sys
2014-01-18 18:19:30 773968 ----a-w- c:\windows\system32\msvcr100.dll
2014-01-18 18:19:30 421200 ----a-w- c:\windows\system32\msvcp100.dll
2014-01-16 16:01:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-16 16:01:49 145408 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 16:04:27.19 ===============

 

 

Attached File: attach.zip (98.52KB)

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 April 2014 - 04:31 PM

Good evening. :)

Can you tell me exactly what the app is or post a link to it?


So long, and thanks for all the fish.

 

 


#3 TripodBob

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Williamsburg, Virginia

Posted 09 April 2014 - 05:43 PM

From sourceforge.net:

 

This applet gives you quick, easy access to the latest weather conditions for your location via an icon on your Windows taskbar.

http://sourceforge.net/projects/simpleweather/

 

I've now noticed that the HiJackThis entries come and go. Yesterday I had 6 additional entries for the weather app as listed in my OP. Today I have 1 additional entry.

 

O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 Startup: Weather.exe (User '?')
O4 - Startup: Weather.exe
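The O4 lines quoted in the first and third posts all have the same shape: an optional user-hive prefix (a SID, here followed by a `{GUID}-n` suffix), the word `Startup:`, the item in that hive's Startup folder, and, for hives read from HKEY_USERS, the account name HijackThis resolved, or `?` when it printed none. The parser below is an added example, not part of this thread and not HijackThis' own code. It splits such lines into hive, item and user, so that the same Startup item showing up under several hives is visible at a glance, and lists the hives that carry `(User '?')`. The sample input is the four lines quoted in this thread; the second pattern for `HKLM\..\Run`-style O4 lines goes beyond the page's lines and is assumed from HijackThis' standard log format.

```python
"""Parse HijackThis O4 (autostart) lines and group them by the user hive they came from."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The O4 lines quoted in this thread (taken from the posts above, not constructed).
HJT_LINES = """\
O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 Startup: Weather.exe (User '?')
O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 Startup: Weather.exe (User '?')
O4 - S-1-5-21-839522115-115176313-682003330-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-2 Startup: Weather.exe (User '?')
O4 - Startup: Weather.exe
"""

# Startup-folder form, as seen in this thread:
#   O4 - [<SID>[-{GUID}-<n>] ]Startup: <item> [(User '<name>')]
O4_STARTUP = re.compile(
    r"^O4 - "
    r"(?:(?P<sid>S-1-5-(?:\d+-)*\d+)(?:-(?P<suffix>\{[0-9A-Fa-f-]+\}-\d+))? )?"
    r"(?P<scope>Global Startup|Startup): (?P<item>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# Run-key form (assumed from HijackThis' usual output; none appear in this thread):
#   O4 - HKLM\..\Run: [name] command      O4 - HKUS\<SID>\..\Run: [name] command (User 'x')
O4_RUN = re.compile(
    r"^O4 - (?P<key>(?:HKLM|HKCU|HKUS\\S-1-5-[\d-]+)\\\.\.\\[A-Za-z\\]+): "
    r"\[(?P<name>[^\]]*)\] (?P<item>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass(frozen=True)
class O4Entry:
    kind: str             # "startup" (Startup folder) or "run" (Run-type registry key)
    hive: str             # user hive or registry key the entry was read from
    item: str             # file, shortcut or command
    user: Optional[str]   # account name HijackThis printed; "?" when it printed none
    raw: str              # the original log line


def parse_o4(text: str) -> List[O4Entry]:
    """Parse every O4 line in `text`; lines matching neither form are ignored."""
    entries: List[O4Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_STARTUP.match(line)
        if m:
            sid, suffix = m.group("sid"), m.group("suffix")
            if sid is None:
                hive = "current user" if m.group("scope") == "Startup" else "all users"
            else:
                hive = sid if suffix is None else f"{sid}-{suffix}"
            entries.append(O4Entry("startup", hive, m.group("item"), m.group("user"), line))
            continue
        m = O4_RUN.match(line)
        if m:
            entries.append(O4Entry("run", m.group("key"), m.group("item"), m.group("user"), line))
    return entries


def hives_per_item(entries: List[O4Entry]) -> Dict[str, List[str]]:
    """Map each autostart item to the hives it was found in, in log order."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        result.setdefault(e.item, []).append(e.hive)
    return result


def unresolved_hives(entries: List[O4Entry]) -> List[str]:
    """Hives for which HijackThis printed (User '?') instead of an account name."""
    seen: List[str] = []
    for e in entries:
        if e.user == "?" and e.hive not in seen:
            seen.append(e.hive)
    return seen


if __name__ == "__main__":
    parsed = parse_o4(HJT_LINES)
    for item, hives in hives_per_item(parsed).items():
        print(f"{item}: found in {len(hives)} hive(s)")
        for h in hives:
            print(f"    {h}")
    print("hives with unresolved account names:", unresolved_hives(parsed))
```

Run it over a full HijackThis log to see which hive each repeated Startup entry comes from. It only makes the enumeration explicit; it does not say why an extra hive was present when the log was taken.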



#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 April 2014 - 12:31 PM

Good evening. :)

 

I'll have a look myself when I get a little spare time, but given that it is hosted on sourceforge I would say that it was legitimate.


So long, and thanks for all the fish.
