Thread: Uv1g6E6l.exe is trying to open an existing process

  1. #1
    eliana Guest

    Default Uv1g6E6l.exe is trying to open an existing process

    Hi,

    I recently installed ZA and have been getting this message from the security advisor:

    "Uv1g6E6l.exe is trying to open an existing process"

    If I click deny, I then get a winnt/system32/cmd error

    I have been trying to find information online but haven't been successful. Is this malware? The detailed information from the smart defense advisor is below.

    Thanks~
    E

    =============================
    Program Name Uv1g6E6l.exe

    Filename Uv1g6E6l.exe

    Program Size 24128

    Program MD5 d53224ae7976eee7ea00e8bf18aea60f

    Smart Checksum 15a51b40f6b9e28be9a5e4e92f925109

    Date Modified Aug-07-2007 06:00:14 PM

    Event Type Process

    Sub Event Type OpenProcess

    Command Line \SystemRoot\System32\smss.exe

    Operating System:Windows XP Pro
    Software Version:
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Could you give the file location, as in folder location or path?

    Could you right click the file and open the properties and see the info about the install date and the vendor and the version?

    Oldsod
    Best regards.
    oldsod

  3. #3
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Could you download and run the HJT, please? Just do not make any changes. Just get a log and post it. This may help.

    download from here>

    http://www.majorgeeks.com/HijackThis_d3155.html

    Do the system scan and save the log and post it.

    Also post the log made from the panel that comes next, after the system scan log has finished being made: open the Config button, then open the Misc Tools tab, then use the Generate Startup Log and check both boxes next to it. Please post this log too.

    Oldsod
    Best regards.
    oldsod

  4. #4
    eliana Guest

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Hi,

    Thanks for your help. Just a quick update. ZoneAlarm found and quarantined the Uv1g6E6l file as a virus. However, I still seem to be having problems (mostly low memory, system resources). The past two times I have run the ZoneAlarm scan it finds and quarantines

    Trojan-Downloader.Win32.Firu.a. located in the system volume information directory.

    I am not sure why it keeps re-appearing.

    My Hijackthis log is below. Thanks again :-)

    E
    -----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:47:52 PM, on 8/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\wscntfy.exe
    E:\Adobe\Acrobat\Acrotray.exe
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Netscape\Netscape Browser\netscape.exe
    C:\WINNT\system32\winmds.exe
    C:\WINNT\system32\winmds.exe
    C:\WINNT\system32\winmds.exe
    E:\Program Files\America Online 8.0\waol.exe
    C:\Documents and Settings\Cas\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.state.de.us
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.state.de.us/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Adobe\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = E:\Adobe\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: Append to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.state.de.us
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames...n.cab64162.cab
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    --
    End of file - 5928 bytes

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Hi

    The detection of Trojan-Downloader.Win32.Firu.a located in the System Volume Information directory is easily solved. It is actually a System Restore directory and is closed off. The only way the antivirus scanner can enter and remove the infection is if System Restore is disabled. The scanner can enter and read the files, but the files are locked by Windows itself, so the antivirus cannot change or remove any files.

    Disable System Restore [Start > right click My Computer > open Properties > select the System Restore tab > check the box "Turn off System Restore on all drives" > Apply and OK > turn off the PC].

    Start the PC in Safe Mode. To get into the XP Safe Mode, as the computer is booting (the manufacturer's or "BIOS" screen appears) just press and hold your F8 key (or just keep tapping the F8 key), which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
    Select Safe Mode with no networking. When the window appears for the System Restore option, do not use it, and Windows will then go straight to the Safe Mode desktop.

    Now open the ZA. The firewall will be off. There is no internet connection when the no-networking mode is selected, so no danger is present.
    Open the antivirus scanner and do a full scan of all disks and hard drives.
    The scanner will now detect and be able to remove the file in the System Volume directory. After this just reboot or restart. The scan should be repeated again in the normal mode.

    These three are questionable:

    C:\WINNT\system32\winmds.exe

    They are unknown. Please find these in the directory (right click these and open the Properties) or use the Properties in the ZA Program list and find the time date of installation and change and the specific vendor and version.
    These could be malware. They could be AOL related and if so then they should be OK.

    The log seems Ok, other than these three.

    Could you follow up with a Generate Startup Log? There may be something behind the scenes. It does have a lot more information.

    It may have details about this mysterious Uv1g6E6l.exe

    Oldsod
    Best regards.
    oldsod
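As an added example (not the thread's own code, nor HijackThis's), a small Python parser that applies the checks oldsod applies by eye to a constructed excerpt of the log above: it flags processes running more than once (svchost.exe excepted, since several hosts are normal), System32 binaries that are not in a small, assumed allowlist, any BHO registered with "(no file)", and the Run-key autostarts.

```python
"""Parse a HijackThis v2.x log and pull out the items a helper checks first:
duplicated processes, unrecognised binaries in System32, orphaned BHOs and
the Run-key autostarts. Example code written for this thread, not HJT's own."""
import re
from collections import Counter

# Constructed excerpt of a HijackThis v2.0.2 log, built from entries quoted in
# this thread; it is not the full log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:52 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\winmds.exe
C:\WINNT\system32\winmds.exe
C:\WINNT\system32\winmds.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5928 bytes
"""

# HJT entries look like "O4 - HKLM\..\Run: [name] command"; the code prefix
# (R1, O2, O4, O23, ...) identifies the section.
ENTRY_RE = re.compile(r"^(?P<code>[FRNO]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]{2})\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\system32\\([^\\]+)$")

# Assumption: a deliberately small allowlist of standard XP System32 processes
# seen in the thread's log, not a complete inventory of Windows binaries.
KNOWN_SYSTEM32 = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "ctfmon.exe", "wscntfy.exe"}
MULTI_INSTANCE_OK = {"svchost.exe"}   # several svchost hosts are normal on XP


def parse_hjt_log(text):
    """Split a log into its process list and its coded (R1/O2/O4/...) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return {"processes": processes, "entries": entries}


def analyze(parsed):
    """Apply the checks a helper applies by eye; returns a dict of findings."""
    names = Counter()
    unrecognised = set()
    for proc in parsed["processes"]:
        low = proc.lower()
        base = low.rsplit("\\", 1)[-1]
        names[base] += 1
        if SYSTEM32_RE.match(low) and base not in KNOWN_SYSTEM32:
            unrecognised.add(base)
    duplicates = {n: c for n, c in names.items()
                  if c > 1 and n not in MULTI_INSTANCE_OK}
    orphan_bhos, autostarts = [], []
    for code, body in parsed["entries"]:
        if code == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path") == "(no file)":
                orphan_bhos.append(m.group("clsid"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m:
                autostarts.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return {"duplicates": duplicates,
            "unrecognised_system32": sorted(unrecognised),
            "orphan_bhos": orphan_bhos,
            "autostarts": autostarts}


def review(text):
    """Convenience wrapper: parse then analyze a whole log."""
    return analyze(parse_hjt_log(text))


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```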

  6. #6
    eliana Guest

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Good morning....

    I think we are making progress! I ran ZoneAlarm while in safe mode and it took care of the Trojan-Downloader.Win32.Firu.a. The Uv seems to be successfully quarantined.

    The only things left are the C:\WINNT\system32\winmds.exe.

    After running ZA in safe mode they were gone, however later on one showed up. Eventually there were three or four of them running again. I can end them using the task manager, but eventually they start running again.

    Navigating through the directory on my computer I can only find:

    winmds TYPE: application MODIFIED: 8/7/07 (around the time I started having trouble)
    winmds TYPE: EX_file MODIFIED: 8/11/07 (under properties, "opens with unknown application")

    Here is the "generate start up log" from hijack this:

    Thanks again for your help
    ~E
    ----------------------------------------------

    StartupList report, 8/12/2007, 8:46:14 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Cas\Desktop\HiJackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINNT\system32\winmds.exe
    C:\Program Files\Netscape\Netscape Browser\netscape.exe
    C:\Documents and Settings\Cas\Desktop\HiJackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Acrobat Speed Launcher.lnk = ?
    Adobe Acrobat Synchronizer.lnk = E:\Adobe\Acrobat\AdobeCollabSync.exe
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    (Default) =
    Acrobat Assistant 8.0 = "E:\Adobe\Acrobat\Acrotray.exe"
    ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    ctfmon.exe = C:\WINNT\system32\ctfmon.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\system32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
    (no name) - E:\Adobe\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    At1.job
    At10.job
    At11.job
    At12.job
    At13.job
    At14.job
    At15.job
    At16.job
    At17.job
    At18.job
    At19.job
    At2.job
    At20.job
    At21.job
    At22.job
    At23.job
    At24.job
    At25.job
    At26.job
    At27.job
    At28.job
    At29.job
    At3.job
    At30.job
    At31.job
    At32.job
    At33.job
    At34.job
    At35.job
    At36.job
    At37.job
    At38.job
    At39.job
    At4.job
    At40.job
    At41.job
    At42.job
    At43.job
    At44.job
    At45.job
    At46.job
    At47.job
    At48.job
    At5.job
    At6.job
    At7.job
    At8.job
    At9.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [StagingUI Object]
    InProcServer32 = C:\WINNT\Downloaded Program Files\StagingUI.ocx
    CODEBASE = http://zone.msn.com/binFrameWork/v10...I.cab55579.cab

    [{166B1BCA-3F9C-11CF-8075-444553540000}]
    CODEBASE = http://fpdownload.macromedia.com/pub...irector/sw.cab

    [MSN Games Buddy Invite]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ZBuddy.ocx
    CODEBASE = http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab

    [ZonePAChat Object]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ZPAChat.ocx
    CODEBASE = http://zone.msn.com/binframework/v10...t.cab55579.cab

    [MSN Games - Installer]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ZIntro.ocx
    CODEBASE = http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9c.ocx
    CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

    [MSN Games Game Communicator]
    InProcServer32 = C:\WINNT\Downloaded Program Files\StProxy.dll
    CODEBASE = http://zone.msn.com/binframework/v10...y.cab55579.cab

    [MSN Games Backgammon]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ZPA_Backgammon.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames...n.cab64162.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Schedule: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WAN Miniport (ATW) Service: "C:\WINNT\wanmpsvc.exe" (autostart)
    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINNT\system32\SHELL32.dll
    CDBurn: C:\WINNT\system32\SHELL32.dll
    WebCheck: C:\WINNT\system32\webcheck.dll
    SysTray: C:\WINNT\system32\stobject.dll

    --------------------------------------------------
    End of report, 11,168 bytes
    Report generated in 0.530 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    HERE IS THE MOST RECENT HIJACKTHIS LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:47:30 AM, on 8/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINNT\system32\winmds.exe
    C:\Program Files\Netscape\Netscape Browser\netscape.exe
    C:\Documents and Settings\Cas\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.state.de.us
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.state.de.us/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Adobe\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = E:\Adobe\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: Append to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.state.de.us
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames...n.cab64162.cab
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    --
    End of file - 5624 bytes

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Hi eliana

    The elusive "winmds.exe". When I did a Google and Live search the other day, all I found in the results were our posts and a Prevx info that said file unknown. The Prevx result still says file unknown, but the search results have yielded more results. Unfortunately they are all dead ends.

    From what I can see, the HJThis log looks OK. Not an expert with HJT, just using my experience and some lookups. But it looks OK.

    I would suggest now to do some online scans to get some second opinions and further results. No one single scanner is perfect and some second opinions are always helpful in not only removing malware, but in giving some confidence that the PC is clean and not still infected.

    Please use Internet Explorer and please shut down the ZA AV and AS once at the security sites. They each require a safe ActiveX installation for the online scanners to work, and using the ZA AV at the same time as the online scanner will cause conflicts.

    Use these for the scans:

    http://www.ewido.net/en/onlinescan/

    http://www.bitdefender.com/scan8/ie.html

    http://www.microsoft.com/security/ma...e/default.mspx
    The online scanners will leave "mini" scan engines on the drive, but they will not interfere with your PC or the security on your PC. They can stay and never do any harm. Leaving them in place is good, if you wish to do another online scan from these sites. They can be removed afterwards if you wish.
    The only exception is the Ewido. It will leave its files in the temporary folder and the first disk clean will delete all of them.
    The MS scanner is actually on the PC when Windows updates, but a new scan is always helpful.

    After the scans are finished, then please download these tools and once again disable the ZA AV before doing the scans. Use these if the Online scan detected something and removed or could not remove the malware. Either way, use these tools if something was detected and regardless if they removed the malware or not.
    http://vil.nai.com/vil/stinger/

    download link is here:

    http://download.nai.com/products/mca...rt/stinger.exe

    http://www.avast.com/eng/avast-virus-cleaner.html

    download link is here:

    http://files.avast.com/files/eng/aswclnr.exe

    http://www.superantispyware.com/

    download link is here:

    http://www.superantispyware.com/down...NTISPYWAREFREE

    http://www.emsisoft.com/en/software/free/

    download link is here:

    http://download5.emsisoft.com/a2FreeSetup.exe

    All of these can stay on the PC or be removed after their tasks are finished. Not an issue.

    There is the question of rootkits. A basic scanner that is simple to use is BlackLight. I strongly urge you to use this tool even if the previous scans were clean. They will miss many of the common rootkits, and only specifically designed rootkit scanners will find rootkits.
    download link is here:

    http://www.f-secure.com/blacklight/try_blacklight.html

    at the bottom of the page click the Accept button and the new page opens and then select the download button for the "Download Blacklight Beta graphical user interface version".
    Again turn off the ZA for the scanning by the BlackLight.

    Then follow it up with this rootkit detector to make sure.

    http://free.grisoft.com/doc/download.../frt/0?prd=arw

    download link is here:

    http://www.grisoft.cz/filedir/beta/a...p-1.1.0.42.exe

    This will keep you busy, so pace it out and do not be afraid to leave the room once the major online scans have fully started. But the PC should be clean and you can be at ease that it is clean.

    Cheers,
    Oldsod

    Message Edited by Oldsod on 08-12-2007 03:33 PM
    Best regards.
    oldsod

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    I found this today:

    http://research.sunbelt-software.com...hreatid=153096

    and this

    http://translate.google.com/translat...8%26oe%3DUTF-8

    This does point to it being malware. If the scans removed it, then OK. If they did not, then delete it manually or ask here for software that will do it. Even the HJT has a remove-file-on-boot function, but it is not always powerful enough.

    Oldsod
    Best regards.
    oldsod

  9. #9
    eliana Guest

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    Thanks!

    I actually tried a system restore to before the date of the program, but it was still there. So I created a system restore point and manually deleted both items (thinking if it messed anything up I could restore back).

    My system is running MUCH better, no more low memory problems. And it doesn't seem to have come back *crossing my fingers*. So I think I am good to go.

    :-)

    E

  10. #10
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Uv1g6E6l.exe is trying to open an existing process

    You are welcome, eliana.

    Oldsod
    Best regards.
    oldsod
