Strange Process 5ybb.exe

Soran

Junior Member
Jan 28, 2002
I have a weird process that keeps showing up on my Windows XP Pro box. The process PID is 5yBB.exe. I've searched my system, and I can't find it anywhere. I've searched Google and it's not listed. I searched the registry and there are also no entries.

It takes up about 8MB of memory and if I leave my system running long enough more instances will eventually start running. The other night I had around 20 instances running. That's when I started to get concerned.

I'd like to find out what this process is doing and how it's started. If you have any suggestions on how I can track this sucker down let me know.

Schadenfroh

Elite Member
Mar 8, 2003
Run HijackThis in safe mode and find it in the startup entries. Select it, hit fix, then delete the file manually.

Please post your entire HijackThis log for review; that is a random file name generated by malware.

See also my sig.

Soran

Junior Member
Jan 28, 2002
Thanks. Here's the log.

Logfile of HijackThis v1.98.2
Scan saved at 3:56:30 PM, on 11/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\dfifo\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {05E1D81A-1BE3-4F5A-B968-D1912A21ADF1} - C:\WINDOWS\System32\mgbijim.dll (file missing)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\bj1t9.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [RMremote] C:\Program Files\REALmagic\REALmagic Xcard\RmRemote.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunOnce: [mzmf0.exe] C:\WINDOWS\System32\mzmf0.exe /k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {5D2D7313-F291-4539-B7D6-C9AADEEEC3B5} - C:\WINDOWS\System32\mgbijim.dll
O18 - Filter: text/plain - {5D2D7313-F291-4539-B7D6-C9AADEEEC3B5} - C:\WINDOWS\System32\mgbijim.dll


Schadenfroh

Elite Member
Mar 8, 2003
Before you do anything:
1. Make sure that you have extracted HijackThis to an isolated folder before removing anything, since HijackThis makes backups within the folder it is in.
2. Disable System Restore; malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers and Windows Explorer windows.

Fix the following in HijackThis (kill the process in the process viewer, if it's there):
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {05E1D81A-1BE3-4F5A-B968-D1912A21ADF1} - C:\WINDOWS\System32\mgbijim.dll (file missing)
  • O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\bj1t9.dll
  • O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
  • O4 - HKLM\..\RunOnce: [mzmf0.exe] C:\WINDOWS\System32\mzmf0.exe /k
  • O18 - Filter: text/html - {5D2D7313-F291-4539-B7D6-C9AADEEEC3B5} - C:\WINDOWS\System32\mgbijim.dll
  • O18 - Filter: text/plain - {5D2D7313-F291-4539-B7D6-C9AADEEEC3B5} - C:\WINDOWS\System32\mgbijim.dll

Additional Steps

1. Clear your temporary files.
2. Remove the following via the instructions provided:
  • delete the file: "C:\WINDOWS\System32\mzmf0.exe"
3. Restart into normal Windows.
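The reasoning the reviewer applied to this log (short random-looking file names in System32, an IE search page redirected to a file under Temp, entries pointing at files that are already gone, O18 MIME filters, a RunOnce autostart) can be written down as triage rules. The script below is an added example, not part of this thread and not HijackThis code; it parses lines in the log format shown above and lists why each entry was flagged. The sample log is constructed from entries posted in this thread plus the Zone Labs line as a known-good control; the allowlist of legitimate names and the length threshold used for "random-looking" are assumptions chosen for this sample.

```python
"""Triage HijackThis-style log lines and report why an entry looks suspicious.

The rules mirror the points raised in the thread; thresholds and the allowlist
are assumptions for this example, not HijackThis logic.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the log posted in this thread, plus
# the Zone Labs autostart line as a control that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\dfifo\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {05E1D81A-1BE3-4F5A-B968-D1912A21ADF1} - C:\WINDOWS\System32\mgbijim.dll (file missing)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\bj1t9.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunOnce: [mzmf0.exe] C:\WINDOWS\System32\mzmf0.exe /k
O18 - Filter: text/html - {5D2D7313-F291-4539-B7D6-C9AADEEEC3B5} - C:\WINDOWS\System32\mgbijim.dll
"""

# "R1 - <body>", "O18 - <body>" and so on.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Windows paths ending in an executable extension (8.3 names such as PROGRA~1 included).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.(?:exe|dll|ocx)', re.IGNORECASE)
# Assumption: names we accept as legitimate for this sample.
KNOWN_OK = {"zlclient", "nerocheck", "rmremote", "msdxm", "msmsgs"}


def looks_random(stem: str) -> bool:
    """Heuristic for dropper-style names: short, mixes letters and digits, not allowlisted."""
    s = stem.lower()
    if s in KNOWN_OK:
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    return len(s) <= 7 and has_digit and has_alpha  # threshold is an assumption


def reasons_for(sec: str, body: str) -> list[str]:
    """Return the list of triage rules that fire for one log entry (empty if clean)."""
    reasons = []
    if re.search(r"file://\S*\\Temp\\", body, re.IGNORECASE):
        reasons.append("IE start/search page redirected to a local file under Temp")
    if "(file missing)" in body:
        reasons.append("entry points at a file that is already gone")
    if sec == "O18":
        reasons.append("O18 MIME filter: a DLL hooked into every text/html or text/plain page IE renders")
    if sec == "O4" and "RunOnce" in body:
        reasons.append("RunOnce autostart entry")
    if sec == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook removed")
    for path in PATH_RE.findall(body):
        stem = PureWindowsPath(path).stem
        if looks_random(stem):
            reasons.append(f"random-looking file name {stem!r}")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged log line to the reasons it was flagged; clean lines are omitted."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        reasons = reasons_for(m["sec"], m["body"])
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
```

Run against the sample, the Zone Labs line passes and the other five entries are listed with their reasons; the RunOnce line fires twice (RunOnce plus the random-looking name mzmf0). The allowlist is the weak point of any such rule set: a name that is not on it and happens to be short with a digit will be flagged, so treat the output as a review queue, as the thread does, not as a verdict.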