Page 1 of 3
Results 1 to 10 of 21

Topic: Help With This Log File

  1. #1
    txiong
    Guest
    I have a dog icon of an exe in %system%\temp and a process by the same name running. If I kill the process, the file disappears so I can't delete the file at all.

    I've looked all over but found nothing. Can anyone look at my HijackThis log and check?

    Logfile of HijackThis v1.98.2
    Scan saved at 1:03:56 PM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINDOWS\TEMP\XS156A.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\lotus\notes\NLNOTES.EXE
    C:\Program Files\lotus\notes\ntaskldr.EXE
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\System32\mstsc.exe
    C:\Documents and Settings\txiong\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.akebono-usa.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.akebono-usa.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Akebono Corporation
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [ZipGenius Clean] "C:\WINDOWS\zg.exe" -cleantemp
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://*.acna-mi-it3
    O15 - Trusted Zone: acna-it-1.akebono-usa.com
    O15 - Trusted Zone: acna-mi-it3.akebono-usa.com
    O15 - Trusted Zone: http://*.helix
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://acna-it-1.akebono-usa.com/officesca...html/AtxEnc.cab
    O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://acna-it-1.akebono-usa.com/officesca.../AtxConsole.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://acna-it-1.akebono-usa.com/officesca...html/AtxPie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = akebono-usa.com
    O17 - HKLM\Software\..\Telephony: DomainName = akebono-usa.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = akebono-usa.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = akebono-usa.com



    Thanks in advance. Every time the system is restarted, it's a new filename. If I start in safe mode, it doesn't run. There are no entries in the startup/run/runonce/runservices settings.

  2. #2
    Experienced user
    Joined
    31.07.2004
    Posts
    173
    Difficult to say.
    You could send the file in your temp folder to virus@hijackthis.de and/or to virus@rokop-security.de if you want.

    BTW: What's this http://www.akebono-usa.com/ ? Internal homepage (intranet?)
    Regards, Ralf

  3. #3
    txiong
    Guest
    yes.. that is our intranet site.


    Will they accept EXE files?

  4. #4
    Administrator, team member Matze
    Joined
    01.10.2004
    Location
    Salzgitter
    Posts
    2,057
    virus@hijackthis.de accepts all file formats.
    Kind regards
    – Matze

  5. #5
    txiong
    Guest
    Thank you. I will send them the file.

  6. #6
    abe
    Guest

    Re: Help With This Log File

    I have the same thing (got here through a Google search on "dog icon" and C:\windows\temp).

    Interesting to note that I'm also using Trend Micro? Maybe just a coincidence. Anyway, so far I haven't found anything to help me resolve the error yet.

  7. #7
    antonbijl
    Guest

    Re: Help With This Log File

    And here is my logfile:
    Logfile of HijackThis v1.98.2

    Scan saved at 12:11:32 PM, on 2004/10/27
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Okidata\OKI LPR Utility\OKILPR.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\TEMP\PE65BD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Antonb\My Documents\My Downloads\hijackthis_198\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ourcompany (Pty) Ltd
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.10:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Search and Recover Disk Image Service] C:\Program Files\iolo\Search and Recover\DiskImageService.exe
    O4 - Startup: ISATRAY.lnk = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: ISATRAY.lnk = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...aa5d8e6cd7ad71
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://ourcompany-web-01.ourcompany...tml/AtxEnc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096650515094
    O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - https://ourcompany-web-01.ourcompany...AtxConsole.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://ourcompany-web-01/officescan...tml/AtxPie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ourcompany.co.za
    O17 - HKLM\Software\..\Telephony: DomainName = ourcompany.co.za
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ourcompany.co.za
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ourcompany.co.za
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

    You can see the process C:\WINDOWS\TEMP\PE65BD.EXE that is the guilty party. If I end this process through Task Manager, the file disappears. If I reboot, the file gets a new random name (always a format similar to the above, AA00AA: two alpha characters, two numbers and two alpha characters, or something like it). Looking at the file in Windows Explorer, it has a rather cute little "running dog icon". If I end the process from Task Manager it goes away until the next reboot. The ....Run key in the registry has been cleaned up, as has the ...Startup folder, so I'm a bit baffled about how this thing manages to start itself again every time.

  8. #8
    Unregistered
    Guest

    Re: Help With This Log File

    BTW, I have Spybot and Trend Micro fully updated and neither of them finds anything.

  9. #9
    Antonbijl
    Guest

    Re: Help With This Log File

    OK, found some more info, and this thing is either from Trend Micro or it's pretending to be...

    I rebooted, then immediately did a search on all .exe files accessed within the last day (in order to try and find an .exe that might be responsible for creating this file...). So I sort by 'Last accessed' and look at anything where the 'Last Accessed' matches the 'Created on' date and time of the file in C:\Windows\Temp.

    So looking through the list there is nothing that really seems very out of the ordinary (except Symantec Liveupdate, which shouldn't be there because I haven't had any Symantec product installed for at least a few months...)

    But then I found this:
    The 'Last modified' for this file: C:\Program Files\Trend Micro\OfficeScan\ClientOfcPfwSvc.exe matches the 'Last Modified' for the randomly named file in C:\Windows\Temp exactly. Now how much of a coincidence would that be?
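    The timestamp correlation described in the two posts above (flag the randomly named .exe in the temp folder, then look for other executables whose modification time matches it exactly) can be scripted so that it is repeatable and does not depend on eyeballing Explorer columns. The following is an added example written for this thread, not code from any of the posters or from HijackThis; the name pattern (two letters followed by four hex digits) is an assumption generalised from the two names seen in the logs, XS156A.EXE and PE65BD.EXE, and the directory tree it scans is constructed in a temporary folder so the script runs offline on any platform.

```python
from __future__ import annotations

import os
import re
import tempfile
import time
from pathlib import Path

# Assumption: the two names seen in the thread (XS156A.EXE, PE65BD.EXE) are
# two letters followed by four hex digits. This is a guess from two samples,
# so treat a match as "worth a look", not as a verdict.
RANDOM_TEMP_NAME = re.compile(r"^[A-Z]{2}[0-9A-F]{4}\.EXE$", re.IGNORECASE)


def looks_like_random_temp_exe(name: str) -> bool:
    """True if a file name matches the random-looking pattern from the thread."""
    return RANDOM_TEMP_NAME.match(name) is not None


def find_suspect_temp_exes(temp_dir: Path) -> list[Path]:
    """List files directly inside temp_dir whose names match the pattern."""
    return sorted(p for p in temp_dir.iterdir()
                  if p.is_file() and looks_like_random_temp_exe(p.name))


def executables_modified_near(root: Path, when: float,
                              tolerance_s: float = 2.0,
                              exclude: Path | None = None) -> list[Path]:
    """Walk root and return .exe files whose mtime is within tolerance of `when`.

    A small tolerance absorbs filesystem timestamp granularity (FAT stores
    mtimes in 2-second steps) while still demanding a near-exact match.
    """
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = Path(dirpath) / name
            if exclude is not None and path == exclude:
                continue
            if abs(path.stat().st_mtime - when) <= tolerance_s:
                hits.append(path)
    return sorted(hits)


def correlate(root: Path, temp_dir: Path) -> dict[str, list[str]]:
    """For each suspect temp exe, list other exes under root with a matching mtime."""
    result: dict[str, list[str]] = {}
    for suspect in find_suspect_temp_exes(temp_dir):
        when = suspect.stat().st_mtime
        matches = executables_modified_near(root, when, exclude=suspect)
        result[suspect.name] = [m.relative_to(root).as_posix() for m in matches]
    return result


def build_sample_tree() -> tuple[Path, Path]:
    """Build a throwaway tree mimicking the thread's layout (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="hjt_demo_"))
    temp_dir = root / "WINDOWS" / "TEMP"
    client = root / "Program Files" / "Trend Micro" / "OfficeScan Client"
    temp_dir.mkdir(parents=True)
    client.mkdir(parents=True)
    base = time.time() - 3600
    samples = {
        temp_dir / "PE65BD.EXE": base,            # the randomly named temp file
        client / "OfcPfwSvc.exe": base,           # same mtime, as reported in post #9
        client / "ntrtscan.exe": base - 86400,    # a day older: should not match
        temp_dir / "notes.txt": base,             # same mtime but not an .exe
        root / "WINDOWS" / "SOUNDMAN.EXE": base - 500,  # outside tolerance
    }
    for path, mtime in samples.items():
        path.write_bytes(b"MZ demo")              # placeholder content, not a real PE
        os.utime(path, (mtime, mtime))
    return root, temp_dir


if __name__ == "__main__":
    demo_root, demo_temp = build_sample_tree()
    for suspect, matches in correlate(demo_root, demo_temp).items():
        print(f"{suspect}: mtime matches {matches}")
```

    On a real machine you would point `correlate` at the system drive and at `%windir%\TEMP`; the output is a shortlist of executables that were written at the same instant as the temp file, which is exactly the kind of lead post #9 arrived at by hand. A timestamp match alone does not prove which binary dropped the file (the same installer or update run could have touched both), so the next step is to verify the candidate's publisher signature and hash against the vendor's own release, not to delete it.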

  10. #10
    Prolific poster
    Joined
    23.10.2004
    Posts
    344

    Re: Help With This Log File

    If you wish me to assist in diagnosing this, please do not post your log file into someone else's thread; this can get very confusing.

    Post in a NEW THREAD your Hijackthis.exe log
    The processlist.txt log (Hijackthis.exe -> Config -> Open Process Manager -> Disk icon (right-hand side))
    Also download and run GetServices
    Post this log as well.

    Make sure you put each log in code separators
