cbsevenzero

asked on

hijack this log help

Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:23 AM, on 3/15/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\Directory Synchronization\msdss.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\ro.exe
C:\Documents and Settings\dlum.000\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ro Personal Firewall] ro.exe
O4 - HKLM\..\RunServices: [ro Personal Firewall] ro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F75BC6-12E5-492F-BA2C-8BD1E979E474}: NameServer = 192.168.1.2,192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxx.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


I had a question with a particular entry. The "ro.exe" file... does anyone know what that is? I analyzed the log file and removed all the nasty stuff. The analyzer said that was an unknown object. So, I attempted to delete it. However, it keeps reappearing. I tried to manually delete it out of the registry and it does the same thing. I tried booting into safe mode and deleting it, and it comes back. Also, it says the location of the file is C:\winnt\system32\ro.exe. However, I cannot find it there. I can't find it anywhere on the system. This makes me think it's fishy. Please help me identify what this is! Thanks...
Wayne Barron

Looks like it may be:   Firefox.
Do you have that Browser installed?

Carrzkiss
I am wrong on that last post here.
Let me do some more checking.

Also.
  Can you go to:
C:\WINNT\System32\ro.exe
And [Right Click] on the file.
Go To [Properties]
And see if there is any information on it?

Thank You
Carrzkiss
Enable [Show Hidden Files & Folders]
See if the file will show up then?

Tools | Folder options | [View] Tab.
[Show Hidden Files & Folders]
[Apply] then  [OK]
cbsevenzero (ASKER)

Yes, I do. Is that really what ro.exe is? I'm not sure that it's really Firefox though, because the registry entries are in the Run and RunServices folders. Why would Firefox need to run on Windows startup? Any other ideas?
I am already viewing hidden files.  It still does not appear.  
I am finding a lot of information on the ro.exe
But nothing is telling me what it is exactly?

Do a search through your Registry for it
And see what all it comes up with?
Do you have anything on your computer by the name of:   Red Orchestra   ?
It isn't necessarily in your system32 folder.  If you look at the registry entry it just says ro.exe so it could be somewhere in your path statement.
By default that includes C:\WINNT (or C:\WINDOWS) and C:\WINNT\SYSTEM32 (or WINDOWS) but many programs add to your path settings. Go to a command prompt and type PATH to see your current path. Look for RO.EXE in all of the directories that it lists. The program could be set to copy itself to the system32 directory, start that copy and then remove that copy (in order to hide its origin so it's trickier to remove).

If that doesn't work try this from a command prompt:
DIR %WINDIR%\RO.* /S /P /A:H

Hopefully that will find it, otherwise try:
DIR %SYSTEMDRIVE%\RO.* /S /P /A:H

That might take a while, but it'll look through your whole hard drive for it.

When you kill the process for "C:\WINNT\System32\ro.exe" does it restart itself?

Thanks,
Andrew
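The advice above (check whether a Run value is a bare file name, walk the PATH for it, and compare against the running-process list) can be done mechanically over the HijackThis log. The script below is an added example, not code from the thread or from HijackThis; it parses the O4 lines and the "Running processes" block of a constructed log shaped like the one in the question, and the PATH and directory contents it uses are also constructed stand-ins for what `PATH` and `DIR /A:H` would show on the real box.

```python
"""
Triage of HijackThis O4 (autostart) entries. Bare file names such as
"ro.exe" carry no directory, so Windows resolves them through PATH; the
report says which PATH directories hold such a file, which entries are also
in the "Running processes" list, which use the RunServices key, and which
executables are registered under more than one key.
"""
import re
from dataclasses import dataclass

# Constructed sample log, trimmed to the shape of the one in the question.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:18:23 AM, on 3/15/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\ro.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ro Personal Firewall] ro.exe
O4 - HKLM\..\RunServices: [ro Personal Firewall] ro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Constructed stand-ins for the machine's PATH (search order) and the files
# in each directory; on a live box these come from `PATH` and `DIR /A:H`.
SAMPLE_PATH = [r"C:\WINNT\System32", r"C:\WINNT", r"C:\Novell\Client"]
SAMPLE_LISTING = {
    r"C:\WINNT\System32": {"smss.exe", "ro.exe", "nwtray.exe", "msdxm.ocx"},
    r"C:\WINNT": {"explorer.exe"},
    r"C:\Novell\Client": {"setup.exe"},
}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Quoted path, or an unquoted one that ends at the first executable suffix
# (HijackThis prints paths with spaces unquoted).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str      # display name HijackThis shows in [brackets]
    command: str


def parse_log(text):
    """Return (running process paths, O4 autostart entries)."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False      # blank line closes the block
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Autostart(*m.groups()))
    return processes, entries


def executable_of(command):
    """Return the executable part of a Run value (full path or bare name)."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return (m.group(1) or m.group(2)).strip()
    return command.split()[0] if command else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_bare(exe):
    """True when the value names a file with no directory, so PATH decides."""
    return "\\" not in exe and ":" not in exe


def resolve_bare(exe, path_dirs, listing):
    """Simulated PATH walk: the directories, in search order, holding exe."""
    return [d for d in path_dirs if exe.lower() in listing.get(d, set())]


def review(log_text, path_dirs, listing):
    """Map each O4 entry to the list of signals a reviewer would look at."""
    processes, entries = parse_log(log_text)
    running = {basename(p): p for p in processes}
    keys_by_exe = {}
    for e in entries:
        keys_by_exe.setdefault(basename(executable_of(e.command)), []).append(e.key)
    report = {}
    for e in entries:
        exe = executable_of(e.command)
        signals = []
        if is_bare(exe):
            hits = resolve_bare(exe, path_dirs, listing)
            signals.append("bare name, resolves via PATH to: " + (", ".join(hits) or "nothing"))
        if e.key.lower().startswith("runservices"):
            signals.append("RunServices key (Windows 9x-era; unusual for NT-family software)")
        if basename(exe) in running:
            signals.append("running as " + running[basename(exe)])
        if len(keys_by_exe[basename(exe)]) > 1:
            signals.append("registered under " + " and ".join(keys_by_exe[basename(exe)]))
        report[f"{e.hive}\\{e.key} [{e.name}]"] = signals
    return report


if __name__ == "__main__":
    for entry, signals in review(SAMPLE_LOG, SAMPLE_PATH, SAMPLE_LISTING).items():
        print(entry)
        for s in signals:
            print("   -", s)
```

The signals are deliberately reported rather than scored: a bare name or a RunServices value is not proof of anything on its own, but an entry that collects all of them (bare name found only in system32, listed twice, process running, display name unrelated to the file name) is the one to examine first.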
Along with finding out what you might have on your computer.
Red Orchestra
(or)
Street Ro

These are games, that both have the    ro.exe   file.

Let me know if either of these 2 games is installed?
If either are, then that is where you are getting the file from.

And if you are able to find it on your Drive, going to Properties on the file.
And checking the [Version] Tab, (If there is a [Version] Tab)
This should let you know what program that the file is associated with.

Carrzkiss
I have some doubts that this is a legitimate file for either game.  
If it were, why would it show as running from C:\winnt\system32 instead of from whatever directory the game was installed in?
And why would it put itself in the RUN and RUNSERVICES keys?
And why would it disguise itself as [ro Personal Firewall]?

The thing smells like spyware or a virus to me......just my 2 cents.

Thanks,
Andrew
The file has something to do with gaming.
If you are a gamer, and have them installed on your PC,
then that is most likely where the file is coming from.

It is a "Patch File" which downloads information from the gaming server
to add (or) patch possible new features into the game.

This is what I have gathered on the ro.exe file.

But if you do not have games loaded on your system then??
What is it doing there?
carrzkiss..

nothing by the name of red orchestra


arausch...

Tried searching for it using the second method you described (DIR %SYSTEMDRIVE%\RO.* /S /P /A:H). It finally found it and it shows it is in C:\winnt\system32\. But I still can't locate it via Windows Explorer. Also, when I try to kill the process, it won't let me. It says access is denied. But I am logged on as the admin.
arausch ;
  has a point there.

  Are you using a Software Firewall?
If so, then what is the name of the Firewall?

If you are not using a Software Firewall, then it could be something pretty bad.

arausch;
   The gaming deal is just what I have found on the   ro.exe   on the net.
Not my personal opinion on what it might be, but what information that I am able to provide.

carrzkiss,

there are no games.  It is a win 2k domain controller. There aren't  too many programs installed on here.  Just the bare necessities....
no software firewall either...
ASKER CERTIFIED SOLUTION
arausch

This solution is only available to members.
as mentioned above, I listed what information that I could find on it.
Everything pointed to a Game.
Why is it where it is? Why is it listed under a different name?
I do not have the answer for that.
I just simply provided some information for him.
And as I wrote above:
[Quote Carrzkiss]
But if you do not have games loaded on your system then??
What is it doing there?
[End Quote]

I was not stating that it simply was a game, I was supplying information to game knowledge
of what it may be, and if it is not, then let's find out what it is. So that is what we are here to do, right?
arausch,

The pskill tool did it! It's finally gone! Rebooted a few times to see if it would come back, and it hasn't. Registry entries haven't reappeared either. Thanks a lot!

Try going into the following location, and delete all files out of it.

C:\Documents & Settings\User Profile\Local Settings\Temp
[Delete] All files out of this location
(You might have to Reboot in order to do it, before Launching IE)

Sometimes files that are in this location that are Spyware/Adware
Will generate itself into the C:\WinNT\System32 & C:\WinNT\System & C:\WinNT
Folders.

So give that a shot.
Then run IE, and keep an eye on the /Temp  folder
To see if anything throws itself back in there.

Then run HijackThis again, and see what comes up.

Carrzkiss
Actually... I was too quick to celebrate. The ro.exe file came back after a couple hours. And it also rewrote itself into the registry in the same place (Run and RunServices folders). Any other suggestions on killing it?

I am now convinced it is a malicious file. Because every time it is running, it screws up the connectivity of the domain controller.....
No offense.
But you always wait for at least a 24hr time period before celebrating and awarding points.
Especially on Possible Spyware issue. But do not worry, we have all done it a time or 2.
Maybe not over the same issue.

Check this out.
Go to the end of the page.

http://computercops.biz/postp60804.html

Carrzkiss
Also a suggested software to download as well.

Microsoft AntiSpyware
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Download and Install it, Run the LIVEUpdate, have it set to grab Updates on its own.
And have it set to run daily scans of your system.
(I set all my systems up to run at about 3:00AM)

You can let it see if it can detect the ro.exe file, and whatever else.
Our systems are completely bug free.
The program is the best one out there; that is the reason Microsoft bought it from the Giant Software Company.

Good Luck
Carrzkiss
Hmmm that sucks.

I'd suggest using pskill to stop the process, then delete the file. Then run HijackThis and pull out anything suspicious (especially if you have any hosts file entries or BHOs), then run Spybot S&D (http://www.safer-networking.org). Then create a text file in c:\winnt\system32 and rename it to RO.EXE, set the rights to read-only and system, and also remove all permissions from the file except for your account.

Now if whatever installed it comes back (my guess is it's coming from IE somewhere) it shouldn't be able to install the file because there will already be a RO.EXE that it doesn't have rights to remove.

What type of virus scanner do you have running?

Thanks,
Andrew
carrzkiss,

I saw that link last week. His suggestion is to delete ro.exe. Well, that's easier said than done in my case. As for the Microsoft AntiSpyware, is that really the best program out there? I run Spybot and Ad-Aware, and they seem to take care of a lot of the stuff. I guess I'll just have to download it, try it out and see for myself.


arausch,

I'm trying what you suggested. So far, it seems to be working. I'm not gonna jump for joy just yet this time though. I'll let you know how it pans out. As for virus scanner... we're running Norton...

Both of you,

thanks for the continued assistance.
Interesting.  There are plenty of mentions of RO.EXE on spyware/adware sites, and everyone seems to agree that it is bad, but no one has defined what it is or where it comes from.

Do you (or anyone else) use that server to access the internet via Internet Explorer?  If so I'd suggest looking through the security settings for IE and the trusted site list, etc to see if anything looks out of whack.

Thanks,
Andrew
We don't really screw with this server that much. It's been running good for a long time until now. And, when I do have to access the internet on the server, we use Firefox.
Can you find and locate the ro.exe?
If you are unable to find it yourself.
Then try this:

Folder Options | [View] Tab.
[Uncheck] Hide protected operating system files (Recommended)

Then browse into: C:\WinNT\System32\ro.exe

See if it is there; if it is, check the following:

Right Click on the ro.exe
[Properties]
See if there is a [Version] tab? If not,
Then see what the size of the File is?

Also, if you can. Try to ZIP the file up, and you can e-mail it to me.
So that I can better take a look at it.

Carrzkiss
arausch,

Your remedy seems to be working. Haven't had issues with the domain controller all day.

Okay, here's something weird. It seems the ro.exe file has spread to one of our XP workstations. So, I attempted to locate and remove the file per your instructions suggested in the previous posts. And once again, it found it in the C:\windows\system32\ folder. But, as I attempted to delete it, it says it cannot delete the file because the file doesn't exist. So, I figured since it says the file doesn't exist, I would try to create a fake ro.exe in the folder... which worked fine. But, after I created it and attempted to change the attributes and permissions, it says that my access is denied, even though I am logged on as admin. So I tried creating another file... and I had complete access to that one. I find that really bizarre. For some reason, something is restricting my access to any file named ro.exe...


While you were doing this was the C:\WINNT\SYSTEM32\RO.EXE process still running?
If so it wouldn't let you do anything with the file (even if it was deleted) because it would assume the file was in use.

That's all I can think of, because if you created a file then by default you should have full rights to it (unless it is currently in use).

Thanks,
Andrew
Nope... it wasn't running. Besides, if it was running and actually existed in the folder, why would it let me create a file of the same name?
What if you create a file in C:\winnt\system32 called TEMP.TXT and then change the rights on that file, and after you've finished with the rights then rename it to RO.EXE?  (Obviously you'll first need to delete that RO.EXE you created earlier, or at least rename it)

Just guessing here, since it ain't making too much sense.