
Discussion Starter · #1
Recently my PC has been running much more slowly, and programs have crashed when closing them down and such.
I thought that maybe something foul had gotten into my system and checked for things running at the moment with Task Manager and found "Sim9sync.exe".
Now I have never heard of this and searched for it on Google and found some HijackThis logs in this forum, among others, stating it being at least not something Windows / any program that is installed with any knowledge of it.
Anyway, I have run Housecall and Panda something (online free virus scanners), checked my PC with NOD32 antivirus, and also run Ad-Aware SE, Spybot and Spy Sweeper; none of them found it. I have a HijackThis log which I will post here. Oh, and Spybot finds the same 5 entries of DSO exploit registry changes.

Logfile of HijackThis v1.99.0
Scan saved at 13:49:06, on 13.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programfiler\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\Programfiler\Logitech\iTouch\iTouch.exe
D:\Programfiler\Eset\nod32kui.exe
D:\Programfiler\Messenger Plus! 3\MsgPlus.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Programfiler\TGTSoft\StyleXP\StyleXP.exe
D:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
D:\Programfiler\Logitech\MouseWare\system\em_exec.exe
D:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\System32\sim9sync.exe
D:\Programfiler\WinAce\WinAce.exe
D:\DOCUME~1\MYBROK~1\LOKALE~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ghosts-of-vanadiel.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] D:\Programfiler\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programfiler\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Programfiler\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Programfiler\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] "D:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094933162667
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\Programfiler\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: NOD32 Kernel Service - Unknown - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: SIMATIC NET Synchronization Service - Siemens AG - D:\WINDOWS\System32\sim9sync.exe
O23 - Service: StyleXPService - Unknown - D:\Programfiler\TGTSoft\StyleXP\StyleXPService.exe
 

Registered · 1 Posts
I was curious too about why not much was available on this suspicious-looking HJT entry, and like you, saw a number of others with this entry. But there was a clue in the description from the HJT log:

O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINDOWS\system32\sim9sync.exe

Looked up SIMATIC NET and the trail led to the Siemens web-site. Have you installed industrial software lately? I have, and that is the only place I can guess it would be from. My assessment: harmless.
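
The reading of the O23 line described in the reply above, as an added Python example (not part of the original posts and not HijackThis code). It assumes the `O23 - Service: name - vendor - path` layout seen in the two logs in this thread; the function names and the `review_first` flag are made up for illustration.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\System32\Ati2evxx.exe
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\System32\sim9sync.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service - Unknown - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: SIMATIC NET Synchronization Service - Siemens AG - D:\WINDOWS\System32\sim9sync.exe
"""

O23_PREFIX = "O23 - Service: "
SHORT_NAME = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)$")

def running_processes(log):
    """Return the lower-cased paths listed under 'Running processes:'."""
    paths, in_block = set(), False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block and not line.strip():
            break                      # blank line ends the process list
        elif in_block:
            paths.add(line.strip().lower())
    return paths

def parse_o23(log):
    """Split each O23 line into display name, short name, vendor and path."""
    running = running_processes(log)
    services = []
    for line in log.splitlines():
        if not line.startswith(O23_PREFIX):
            continue
        # Split from the right: the display name itself may contain " - ".
        parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue                   # not the layout assumed here
        name, vendor, path = (p.strip() for p in parts)
        m = SHORT_NAME.match(name)
        services.append({
            "display": m.group("display") if m else name,
            "short": m.group("short") if m else None,
            "vendor": vendor, "path": path,
            "running": path.lower() in running,
            "review_first": vendor.lower() == "unknown",  # no vendor reported
        })
    return services
```

The vendor field is only what the log reports, so it works as a lead for a search (here, "SIMATIC NET" and Siemens), not as proof of where the file came from.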
 

Retired Moderator, Retired Malware Specialist · 56,449 Posts
Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select, etc. When all the files are listed in the windows, press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

D:\WINDOWS\System32\sim9sync.exe

Once we have examined it, we can tell you if it's good or bad and where it came from.
 