something running in my TEMP folder can someone help



jao_madn
2007-09-21, 12:13
Hi, I scanned my computer with a spyware scanner and it detected this small program that runs in the c:\Winnt\Temp\ folder. I checked the process and it had about 2 MB. I tried to stop and delete the ????.exe file, but after a while it comes back again with another name. I tried it many times but it keeps coming back with another name and process name. Also, it can be detected but cannot be recognised as malware. Hope you can help me.

Shaba
2007-09-22, 13:08
Hi jao_madn

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

jao_madn
2007-09-24, 04:42
This is my log file. This process may be a child process, because when I use the Windows Task Manager to stop it, it can't be stopped; it gives an error and says the file is locked or in use. I used the S&D process to terminate it OK, but in a few minutes or an hour it comes back with another name. Lastly, I tried to delete the C:\winnt\temp folder and it disappeared. Is it necessary to create a temp folder? I restored the temp folder again and the problem happened again. Can I send you the .EXE file? I compressed it with .RAR.


Thanks for the reply.

Here is the log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at AM 09:30:07, on 2007/9/24
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\system32\UTSCSI.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\PO703C.EXE >>>>> this one keeps running; this is my problem
C:\WINNT\Explorer.EXE
C:\WINNT\system32\conime.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Desktop-3D Notes\Desktop-3D Notes.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
D:\Program Files\ClearInfo\clearinfo.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\TRUSTV~1\TRUSTD~1.EXE
C:\Program Files\NetTerm\netterm.exe
C:\Program Files\UltraEdit\uedit32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo!c_?¡Â¡Ó?R||C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\system32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - SearchDestroy\SpybotSD.exe" /autocheck /autoclose
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Desktop-3D Notes] "D:\Program Files\Desktop-3D Notes\Desktop-3D Notes.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ClearInfo.lnk = D:\Program Files\ClearInfo\clearinfo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Crawler Notes - {035E680E-B668-472F-91F3-E850BCC5051F} - C:\PROGRA~1\Crawler\Notes\CNotes.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_15\bin\npjpi142_15.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187944264953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187944244641
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {C4346D6A-0FB5-48AE-95BD-06DE766EB6C8} (LBP_VBAuthentic.Authentic) - https://www.lbpweaccess.com/download/Authentic/LBP_VBAuthentic.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab

O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINNT\system32\UTSCSI.EXE

--
End of file - 8078 bytes
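
An added example, not from this thread or from HijackThis: a Python triage helper that parses a log in the v2 format shown above and lists the entries a helper would check first (processes run from a temp directory, O23 services with an unknown owner, entries whose file is missing). The embedded excerpt is a constructed shortening of the posted log, and the output is a list of things to verify against the file's publisher, not a verdict.

```python
import re

# Constructed shortening of the HijackThis v2 log posted above (same line formats, far fewer lines).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\TEMP\PO703C.EXE
C:\WINNT\Explorer.EXE

O3 - Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINNT\system32\UTSCSI.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)   # a \TEMP\ or \tmp\ path component
ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")                  # "O23 - ..." / "R3 - ..." lines

def parse_hijackthis(text):
    """Split an HJT log into the running-process list and the (section, body) entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (reason, item) pairs worth verifying; they are hints, not verdicts."""
    processes, entries = parse_hijackthis(text)
    findings = []
    for p in processes:
        if TEMP_DIR_RE.search(p):
            findings.append(("process running from a temp directory", p))
    for section, body in entries:
        if section == "O23" and "- Unknown owner -" in body:
            findings.append(("service with unknown owner", body))
        if body.endswith("(no file)"):
            findings.append(("entry pointing at a missing file", body))
    return findings
```

Run against the excerpt it flags the TEMP executable, the UTSCSI service and the orphaned toolbar entry; each still needs its signer and vendor checked before anything is removed.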

Shaba
2007-09-24, 11:09
Hi

I think that random exe in the temp folder is related to Trend software; it has that kind of file.

However, let's run one online scan to be sure:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100 %.

Post:

- a fresh HijackThis log
- kaspersky report

jao_madn
2007-09-26, 07:29
hi

About the Kaspersky log file report: I can't download the online scanner; it seems that the company firewall or proxy server blocks it, because sometimes when I installed Spybot 1.5 it had to first connect to your server before it finished installing.

So the .exe file is generated by Trend Micro.

I also have another problem: there is a .exe file running in the dir C:\DOCUME~1\S11430\LOCALS~1\TEMP\XF\S11430_ADMIN\XF\ and it generates log files with a size of exactly 1.2 MB in succession; when a log file approaches 1.2 MB it generates another. Once I opened one log file and it had an IP address in our network with the label Terminal 1, and I can open it.

Would you like to see the log file? I will paste it:

2007/09/24 17:19:35:241](08D0): <!> (Set_X_Log) WinSocket Error(10054:WSAECONRESET: Connection reset by peer.): (Send Error(Connection Reset By Peer)). Retry Again...(1)
[2007/09/24 17:19:35:241](08D0): Excute Command: DisconnectWithServer.
[2007/09/24 17:19:35:351](08D0):
[2007/09/24 17:19:35:366](08D0): ====== XHound Command (New)======
[2007/09/24 17:19:35:366](08D0): Command = 1921
[2007/09/24 17:19:35:366](08D0): Execute Command: Set_X_Log
[2007/09/24 17:19:35:366](08D0): <**> Previous server = Terminal1
[2007/09/24 17:19:35:366](08D0): Connect to Main Server(Terminal1:24137)...
[2007/09/24 17:19:35:366](08D0): @_@<ClassSocket>Address count = 1
[2007/09/24 17:19:35:366](08D0): @_@<ClassSocket>try connect to: 192.168.112.175
[2007/09/24 17:19:35:366](08D0): Connect to Main Server(Terminal1:24137) OK.
[2007/09/24 17:19:35:366](08D0): Execute Command: Get_FortSystemId
[2007/09/24 17:19:35:366](08D0): Params Data for Server Sended. Wait for reply...
[2007/09/24 17:19:35:554](08D0): @_@<ClassSocket>Recv done.
[2007/09/24 17:19:35:554](08D0): @_@<ClassSocket>Recv done.
[2007/09/24 17:19:35:554](08D0): @_@<ClassSocket>Recv done.
[2007/09/24 17:19:35:554](08D0): Data(C) Size = 40
[2007/09/24 17:19:35:554](08D0): Get_FortSystemId Success.
[2007/09/24 17:19:35:554](08D0): [2007/09/24 17:19:35:554](08D0): ClientID = 0x1A00000228
[2007/09/24 17:19:35:554](08D0): UserID = 0x228
[2007/09/24 17:19:35:554](08D0): ComputerID = 0x1A
[2007/09/24 17:19:35:569](08D0): Log Size = 73113
[2007/09/24 17:19:35:569](08D0): Send Log Data ...
[2007/09/24 17:19:35:710](08D0): <!> (Set_X_Log) WinSocket Error(10054:WSAECONRESET: Connection reset by peer.): (Send Error(Connection Reset By Peer)). Retry Again...(0)
[2007/09/24 17:19:35:710](08D0): Excute Command: DisconnectWithServer.
[2007/09/24 17:19:35:819](08D0): <**> Previous server = Terminal1
[2007/09/24 17:19:35:819](08D0): Connect to Main Server(Terminal1:24137)...
[2007/09/24 17:19:35:819](08D0): @_@<ClassSocket>Address count = 1
[2007/09/24 17:19:35:819](08D0): @_@<ClassSocket>try connect to: 192.168.112.175
[2007/09/24 17:19:35:819](08D0): Connect to Main Server(Terminal1:24137) OK.
[2007/09/24 17:19:35:819](08D0): Execute Command: Get_FortSystemId
[2007/09/24 17:19:35:819](08D0): Params Data for Server Sended. Wait for reply...
[2007/09/24 17:19:36:101](08D0): @_@<ClassSocket>Recv done.
[2007/09/24 17:19:36:101](08D0): @_@<ClassSocket>Recv done.
[2007/09/24 17:19:36:101](08D0): @_@<ClassSocket>Recv done.
[2007/09/24 17:19:36:101](08D0): Data(C) Size = 40
[2007/09/24 17:19:36:101](08D0): Get_FortSystemId Success.
[2007/09/24 17:19:36:101](08D0):[2007/09/24 17:19:36:101](08D0): ClientID = 0x1A00000228
[2007/09/24 17:19:36:101](08D0): UserID = 0x228
[2007/09/24 17:19:36:101](08D0): ComputerID = 0x1A
[2007/09/24 17:19:36:101](08D0): Log Size = 73113
[2007/09/24 17:19:36:101](08D0): Send Log Data ...
[2007/09/24 17:19:36:226](08D0): <!> (Set_X_Log) WinSocket Error(10054:WSAECONRESET: Connection reset by peer.): (Send Error(Connection Reset By Peer)). Retry Again...(1)
[2007/09/24 17:19:36:226](08D0): Excute Command: DisconnectWithServer.
continue
etc.....
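
An added example, not from this thread or from the program that wrote the log: a Python summary of a log in the format pasted above, reporting which server name and IP the client connects to, how many bytes it tries to upload, and how often the send fails with which Winsock error. The embedded excerpt is constructed from a few of the posted lines; lines that do not match the timestamped format (such as the truncated first one) are counted rather than parsed.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the log pasted in the thread (a few lines, not the whole file).
SAMPLE_LOG = """2007/09/24 17:19:35:241](08D0): Excute Command: DisconnectWithServer.
[2007/09/24 17:19:35:366](08D0): Execute Command: Set_X_Log
[2007/09/24 17:19:35:366](08D0): Connect to Main Server(Terminal1:24137)...
[2007/09/24 17:19:35:366](08D0): @_@<ClassSocket>try connect to: 192.168.112.175
[2007/09/24 17:19:35:366](08D0): Connect to Main Server(Terminal1:24137) OK.
[2007/09/24 17:19:35:569](08D0): Log Size = 73113
[2007/09/24 17:19:35:710](08D0): <!> (Set_X_Log) WinSocket Error(10054:WSAECONRESET: Connection reset by peer.): (Send Error(Connection Reset By Peer)). Retry Again...(0)
[2007/09/24 17:19:35:710](08D0): Excute Command: DisconnectWithServer.
[2007/09/24 17:19:36:226](08D0): <!> (Set_X_Log) WinSocket Error(10054:WSAECONRESET: Connection reset by peer.): (Send Error(Connection Reset By Peer)). Retry Again...(1)
"""

# One record per line: [timestamp](thread id): message
LINE_RE = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+)\]\((?P<tid>[0-9A-Fa-f]+)\): (?P<msg>.*)$")
SERVER_RE = re.compile(r"Connect to Main Server\((?P<host>[^:()]+):(?P<port>\d+)\)")
IP_RE = re.compile(r"try connect to: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ERR_RE = re.compile(r"WinSocket Error\((?P<code>\d+):(?P<name>WSA[A-Z]+)")
SIZE_RE = re.compile(r"Log Size = (?P<size>\d+)")

def parse_lines(text):
    """Return (records, unparsed): records are dicts with ts/tid/msg, unparsed counts malformed lines."""
    records, unparsed = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
        elif raw.strip():
            unparsed += 1
    return records, unparsed

def summarize(text):
    """Who the client talks to, how much it tries to send, and how often the send fails."""
    records, unparsed = parse_lines(text)
    s = {"servers": set(), "ips": set(), "errors": Counter(), "bytes_attempted": 0, "unparsed": unparsed}
    for rec in records:
        msg = rec["msg"]
        if m := SERVER_RE.search(msg):
            s["servers"].add((m["host"], int(m["port"])))
        if m := IP_RE.search(msg):
            s["ips"].add(m["ip"])
        if m := ERR_RE.search(msg):
            s["errors"][(int(m["code"]), m["name"])] += 1
        if m := SIZE_RE.search(msg):
            s["bytes_attempted"] += int(m["size"])
    return s
```

The resulting destination (name, port and IP), upload size and 10054 retry count are what to hand to the people who run that host when asking what the program is.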

Shaba
2007-09-26, 09:43
Hi

"cant download the online scanner it seem that company firewall or proxy server block it"

Then you might want to contact your company IT service for that issue.

jao_madn
2007-09-27, 03:16
Thanks for the reply.

By the way, is there no other way around this to find out about the problem?
I'm just a beginner at this kind of job; I'm a freshman in this company. Is there any other way to solve this problem without consulting the IT department?

Thanks, by the way.

Shaba
2007-09-27, 08:26
Hi

I'm sorry but I think that's the easiest way to handle it.

We can try if you can download and install this:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):

Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing to internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner. Now let's do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty Notepad file and paste the results (Ctrl+V) into it. Save the file to your desktop, naming it as you want (e.g. MWav Results). Reboot into normal Windows and post the results here along with a fresh HijackThis log.

Shaba
2007-10-04, 15:35
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.