
Thread: 4 unknown files showing up in O23 Hijack This! log

  1. #1
    riceorony Guest

    4 unknown files showing up in O23 Hijack This! log

    Good morning to all.

    I apologize for constantly bothering everyone, but after reviewing my HiJack This! log, I've noticed 4 unknown files with O23 (startup) that have their files missing.

    I try to remove them (2 times) with HiJack This! but to no avail.

    I check my HiJack This! log every week to make sure there are no system changes that arise. I've posted the log on other websites for review but ZA forums always has the most prompt reply. And oh how I adore the gurus for their wealth of knowledge!

    Rather than bog down the forums, I'm only listing the programs that I've never seen on my HJT log ever.

    On the previous Saturday (04/13/08) when I ran the exact same HiJack This! log, these files were not there, and the only thing I did since Saturday was run Windows OneCare online scan to check for viruses/spyware, clean up the registry (where it removed 408 registry files, some from start-up applications, etc.), and remove temp files.

    O23 - Service: GJICS - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\GJICS.exe (file missing)
    O23 - Service: JFTV - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\JFTV.exe (file missing)
    O23 - Service: JYXDWEMNUATHB - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\JYXDWEMNUATHB.exe (file missing)
    O23 - Service: UDJXFUIWA - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\UDJXFUIWA.exe (file missing)

    Any ideas, gentlemen?

    And yes I did complete scans with housecall (trend micro), activescan 2.0 (panda), f-secure, onecare, b-i-t-defender and all other big name company free online scans (nothing comes up but cookies).

    Operating System: Windows Vista Home Premium
    Software Version: 7.1 (Vista)
    Product Name: ZoneAlarm Internet Security Suite

  2. #2

    Re: 4 unknown files showing up in O23 Hijack This! log

    Hello.

    I see that you have posted at BC Computers (http://www.bleepingcomputer.com/forums/topic142071.html) as well; I would advise you to stick to only one forum at a time. Malware Removal helpers are often stretched with the sheer amount of work and we would appreciate that no "double-work" is carried out.


    Regarding those entries that you highlighted, those are definitely 'bad' entries.

    First,
    Please go to this folder and delete everything in it. (But don't delete the folder itself):
    C:\Users\TCELL~1\AppData\Local\Temp\

    Then,
    Run HijackThis and place a checkmark by the following entries:
    O23 - Service: GJICS - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\GJICS.exe (file missing)
    O23 - Service: JFTV - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\JFTV.exe (file missing)
    O23 - Service: JYXDWEMNUATHB - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\JYXDWEMNUATHB.exe (file missing)
    O23 - Service: UDJXFUIWA - Unknown owner - C:\Users\TCELL~1\AppData\Local\Temp\UDJXFUIWA.exe (file missing)

    Next, press "Fix Checked". Then close HijackThis and restart the computer.

    Run HijackThis again, and post the new log in your new reply. Post it in full, don't worry about clogging the forum or whatever.

    Message Edited by chiaz on 04-18-2008 04:10 PM

  3. #3
    riceorony Guest

    Re: 4 unknown files showing up in O23 Hijack This! log

    I apologize, Chiaz, for the inconvenience.

    I am unable to remove those 4 programs using HiJack This! (I've tried 2x with reboot).

    So I go to Control Panel -> Administrative Functions and then select System Startup.

    I find the 4 files and change them to Deactive (and click apply for all 4).

    After rebooting and running HiJack This! again, these 4 are no longer listed in the log because I believe they are deactivated from start-up.


    I then went to Control Panel -> Administrative Functions -> Event Viewer

    And found that the 4 programs tried loading on 04/13/2008 but were unable to because "service was an interactive service and the system was not set up to allow interactive services and therefore may not work properly"

    Most likely trojan programs or keyloggers (or both)?
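The disable-in-services step above can be checked directly against the registry. The script below is an added example, not code from this thread or from HijackThis: it reads every Win32 service's ImagePath, flags binaries that are missing or that live under a Temp folder (the pattern behind those four O23 entries), and reports whether each is still set to start automatically and whether it carries the SERVICE_INTERACTIVE_PROCESS flag that the Event Viewer message refers to. It only reads; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit installed services for binaries that are missing or
# live in a Temp folder. Read-only; run from an elevated PowerShell prompt.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$INTERACTIVE = 0x100   # SERVICE_INTERACTIVE_PROCESS bit in the Type value
$WIN32_MASK  = 0x30    # SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS

function Get-ServiceBinaryPath([string]$imagePath) {
    # ImagePath may be quoted, carry arguments, be relative to %SystemRoot%,
    # or use the \??\ and \SystemRoot\ prefixes. Return just the executable.
    if ([string]::IsNullOrWhiteSpace($imagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p.StartsWith('"')) {
        $p = ($p -split '"')[1]                       # quoted path, drop arguments
    } elseif ($p -match '^(.*?\.exe)(\s|$)') {
        $p = $Matches[1]                              # unquoted path up to .exe
    }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }
    $type = [int]$props.Type
    if (($type -band $WIN32_MASK) -eq 0) { continue }  # skip kernel/filter drivers
    $bin     = Get-ServiceBinaryPath $props.ImagePath
    $missing = -not (Test-Path -LiteralPath $bin -PathType Leaf)
    $inTemp  = $bin -match '\\Temp\\'                  # user or system Temp folder
    if (-not ($missing -or $inTemp)) { continue }
    $start = [int]$props.Start
    [pscustomobject]@{
        Service     = $key.PSChildName
        Start       = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { $start }
        Interactive = [bool]($type -band $INTERACTIVE)
        Missing     = $missing
        InTemp      = $inTemp
        Binary      = $bin
    }
}

# A service that is Missing or InTemp and still 'Automatic' deserves the
# same treatment the thread describes: disable it, then confirm on reboot.
$findings | Sort-Object Service | Format-Table -AutoSize
```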

  4. #4
    riceorony Guest

    Re: 4 unknown files showing up in O23 Hijack This! log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:02:44 PM, on 4/17/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16643)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\Program Files\**bleep** Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Users\T cell\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\**bleep** Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Startup: LenovoWelcome.lnk = C:\SWTOOLS\LenovoWelcome\LenovoWelcome.cmd
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall **bleep** Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.**bleep**.com/resour...an8/oscan8.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Intel PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Intel PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: **bleep** CounterSpy Antispyware (SBCSSvc) - **bleep** Software - C:\Program Files\**bleep** Software\CounterSpy\SBCSSvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
    O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    After deactivating the 4 above programs, they are gone from the list (like I stated on previous post).

    They don't show up on my ZA logs (because maybe ZA was still in the temporary "learning" mode) and I was not warned by counterspy of any modifications.

    Done complete scans with ZAIS, webroot, online panda, b-i-t-defender, microsoft onecare, trend micro, etc. nothing comes up -_-

    Message Edited by riceorony on 04-18-2008 08:51 AM

  5. #5

    Re: 4 unknown files showing up in O23 Hijack This! log

    Guru chiaz is a trained HJT expert plus a very good experienced security expert all around. So I am leaving this basically up to him.

    But I see two different instances of rundll32.exe in your HJT log.
    Normally there should be only one. Vista may differ from XP, as I use XP and have no Vista experience, so it may be okay to have two rundll32.exe listed. But I would be uncertain about that. Plus I never trained to be an HJT expert. Guru Chiaz has done the HJT courses long ago.
    Even minor changes or nuances in the HJT logs from what is normally seen can have different meaning and imply some form of malware and even the type of malware.
    So I best leave this to Guru Chiaz.

    Oldsod.

  6. #6
    riceorony Guest

    Re: 4 unknown files showing up in O23 Hijack This! log

    The 3 rundll32.exe files have always been there and correspond to the 3 files for the video card.

    I wish I could take the HJT class and become knowledgeable too.

    Sometimes having a little information on things but not understanding everything (in my case) leads to paranoia :-(

  7. #7

    Re: 4 unknown files showing up in O23 Hijack This! log

    OK. Three it is then.
    Usually if there is a rogue rundll32.exe, then there is often an unusual rundll32 entry in the HKLM\..\Run section of the log.
    I did not see any rogue entry and the ones listed refer to hardware usage. So I just wondered.

    I often considered taking the HJT courses and getting trained. I suppose it is never too late.
    Trained expert helpers at the HJT forums are always needed.

    Best regards.
    Oldsod.

  8. #8

    Re: 4 unknown files showing up in O23 Hijack This! log

    Hello. I apologize for the delay, as I was away for the long weekend.

    Oldsod, your comments are pretty kind. Thanks.


    Riceorony, I'm not surprised that HijackThis had problems removing those O23 entries, as this is not uncommon. Nice work on getting those services disabled. The files associated with them are gone, so by disabling it I think that should be enough.


    I've taken a look at your newest HijackThis log, and everything appears to be clean to me. Any more problems?

  9. #9

    Re: 4 unknown files showing up in O23 Hijack This! log

    You are welcome Guru chiaz.
    I hope you enjoyed the weekend and that it was very pleasant.
    Best regards.
    Oldsod.

    Message Edited by Oldsod on 04-20-2008 11:26 PM

  10. #10
    riceorony Guest

    Re: 4 unknown files showing up in O23 Hijack This! log

    No more problems, Thanks very much for the help!

    I hope you had a wonderful weekend also =)

    Do you know what type of problem those programs could have been? (e.g. keyloggers or trojans? And would they have still affected my computer if I didn't disable the services?)

    Thanks again for the help.
