hijack this log help

Posted on 2005-03-15
Last Modified: 2010-04-14
Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:23 AM, on 3/15/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\Directory Synchronization\msdss.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\ro.exe
C:\Documents and Settings\dlum.000\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ro Personal Firewall] ro.exe
O4 - HKLM\..\RunServices: [ro Personal Firewall] ro.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{57F75BC6-12E5-492F-BA2C-8BD1E979E474}: NameServer = 192.168.1.2,192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxx.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


I had a question with a particular entry.  The "ro.exe" file....does anyone know what that is?  I analyzed the log file and removed all the nasty stuff.  The analyzer said that was an unknown object.  So, I attempted to delete it.  However it keeps reappearing.  I tried to manually delete it out of the registry and it does the same thing.  I tried booting into safe mode and deleting it, and it comes back.  Also, it says the location of the file is C:\winnt\system32\ro.exe.  However, I cannot find it there.  I can't find it anywhere on the system.  This makes me think it's fishy.  Please help me identify what this is! Thanks...
Question by:cbsevenzero
31 Comments
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548172
Looks like it may be:   Firefox.
Do you have that Browser installed?

Carrzkiss
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548196
I am wrong on that last post here.
Let me do some more checking.

Also.
  Can you go to:
C:\WINNT\System32\ro.exe
And [Right Click] on the file.
Go To [Properties]
And see if there is any information on it?

Thank You
Carrzkiss
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548223
Enable [Show Hidden Files & Folders]
See if the file will show up then?

Tools | Folder options | [View] Tab.
[Show Hidden Files & Folders]
[Apply] then  [OK]
0

Author Comment

by:cbsevenzero
ID: 13548239
Yes, I do.  Is that really what ro.exe is? I'm not sure that it's really Firefox though, because the registry entries are in the Run and RunServices folders.  Why would Firefox need to run on Windows startup?  Any other ideas?
0
 

Author Comment

by:cbsevenzero
ID: 13548258
I am already viewing hidden files.  It still does not appear.  
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548314
I am finding a lot of information on the   ro.exe
But nothing is telling me what it is exactly?

Do a search through your Registry for it
And see what all it comes up with?
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548389
Do you have anything on your computer by the name of:   Red Orchestra   ?
0
 
LVL 3

Expert Comment

by:arausch
ID: 13548422
It isn't necessarily in your system32 folder.  If you look at the registry entry it just says ro.exe so it could be somewhere in your path statement.
By default that includes C:\WINNT (or C:\WINDOWS) and C:\WINNT\SYSTEM32 (or WINDOWS) but many programs add to your path settings.  Go to a command prompt and type PATH to see your current path.  Look for RO.EXE in all of the directories that it lists.  The program could be set to copy itself to the system32 directory, start that copy and then remove that copy (in order to hide its origin so it's trickier to remove).

If that doesn't work try this from a command prompt:
DIR %WINDIR%\RO.* /S /P /A:H

Hopefully that will find it, otherwise try:
DIR %SYSTEMDRIVE%\RO.* /S /P /A:H

That might take a while, but it'll look through your whole hard drive for it.

When you kill the process for "C:\WINNT\System32\ro.exe" does it restart itself?

Thanks,
Andrew
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548493
Along with finding out what you might have on your computer.
Red Orchestra
(or)
Street Ro

These are games, that both have the    ro.exe   file.

Let me know if either of these 2 games are installed?
If either are, then that is where you are getting the file from.

And if you are able to find it on your Drive, going to Properties on the file.
And checking the [Version] Tab, (If there is a [Version] Tab)
This should let you know what program that the file is associated with.

Carrzkiss
0
 
LVL 3

Expert Comment

by:arausch
ID: 13548512
I have some doubts that this is a legitimate file for either game.  
If it were, why would it show as running from C:\winnt\system32 instead of from whatever directory the game was installed in?
And why would it put itself in the RUN and RUNSERVICES keys?
And why would it disguise itself as [ro Personal Firewall]?

The thing smells like spyware or a virus to me......just my 2 cents.

Thanks,
Andrew
0
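The two warning signs arausch raises above, a bare file name that Windows has to resolve through PATH and a value name that no installed product accounts for, can be checked mechanically against the O4 lines of a HijackThis log. The following triage script is an added example, not code from the thread or from HijackThis; the sample log lines are copied from the post, and the KNOWN_VALUE_NAMES inventory is an assumed list of autorun names the administrator can vouch for.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the process list and O4 lines from the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\NWTRAY.EXE
C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
C:\\WINNT\\System32\\ro.exe

O4 - HKLM\\..\\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\\..\\Run: [ro Personal Firewall] ro.exe
O4 - HKLM\\..\\RunServices: [ro Personal Firewall] ro.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
"""

# Hypothetical inventory: autorun value names the administrator can account for.
KNOWN_VALUE_NAMES: Set[str] = {"NWTRAY", "SpybotSD TeaTimer"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.M)

def parse_o4(log: str) -> List[Dict[str, str]]:
    """One dict (hive, key, name, cmd) per O4 autorun line in the log."""
    return [m.groupdict() for m in O4_RE.finditer(log)]

def running_processes(log: str) -> List[str]:
    """Full paths listed under 'Running processes:' up to the first blank line."""
    block = log.partition("Running processes:")[2].split("\n\n", 1)[0]
    return [p.strip() for p in block.splitlines() if p.strip()]

def is_bare_name(cmd: str) -> bool:
    """True when the command carries no directory, so the loader must search for it."""
    return "\\" not in cmd and ":" not in cmd

def triage(log: str, known: Set[str]) -> Dict[str, List[str]]:
    """Map each suspicious O4 command to the reasons it deserves a closer look."""
    by_basename = {p.rsplit("\\", 1)[-1].lower(): p for p in running_processes(log)}
    keys_seen: Dict[str, Set[str]] = {}
    findings: Dict[str, List[str]] = {}
    for e in parse_o4(log):
        cmd = e["cmd"]
        keys_seen.setdefault(cmd, set()).add(e["key"])
        if cmd in findings:  # per-command checks run once; key counting continues
            continue
        reasons = findings[cmd] = []
        if is_bare_name(cmd):  # no path: resolved via PATH, so check where it really runs
            where = by_basename.get(cmd.lower(), "not in the process list")
            reasons.append(f"bare name, resolved through PATH at logon; now running from {where}")
        if e["name"] not in known:  # e.g. 'ro Personal Firewall' with no firewall installed
            reasons.append(f"value name '{e['name']}' matches no product known to be installed")
    for cmd, keys in keys_seen.items():  # same command parked in several autorun keys
        if len(keys) > 1:
            findings[cmd].append(f"registered under several keys: {sorted(keys)}")
    return {c: r for c, r in findings.items() if r}
```

Run against the sample, NWTRAY.EXE is reported only for its bare name (a known product, so low concern), while ro.exe collects all three reasons.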
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548566
The file has something to do with Gaming.
If you are a gamer, and have them installed on your PC,
then that is most likely where the file is coming from.

It is a "Patch File" which downloads information from the gaming server
to add (or) patch possible new features into the game.

This is what I have gathered on the ro.exe  file.

But if you do not have Games loaded on your system then??
What is it doing there?
0
 

Author Comment

by:cbsevenzero
ID: 13548602
carrzkiss..

nothing by the name of red orchestra


arausch...

tried searching for it using the second method you described (DIR %SYSTEMDRIVE%\RO.* /S /P /A:H). It finally found it and it shows it is in C:\winnt\system32\ .  But I still can't locate it via Windows Explorer.  Also, when I try to kill the process, it won't let me.  It says access is denied.  But, I am logged on as the admin.
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548610
arausch ;
  has a point there.

  Are you using a Software Firewall?
If so, then what is the name of the Firewall?

If you are not using a Software Firewall, then it could be something pretty bad.

arausch;
   The gaming deal is just what I have found on the   ro.exe   on the net.
Not my personal opinion on what it might be, but what information that I am able to provide.

0
 

Author Comment

by:cbsevenzero
ID: 13548648
carrzkiss,

there are no games.  It is a win 2k domain controller. There aren't  too many programs installed on here.  Just the bare necessities....
0
 

Author Comment

by:cbsevenzero
ID: 13548653
no software firewall either...
0
 
LVL 3

Accepted Solution

by:
arausch earned 2000 total points
ID: 13548655
I apologize CBsevenzero, since this obviously isn't a terribly useful comment, but I've got to respond to Carrzkiss.

Carrzkiss,
Why would a game file list itself in the registry as 'ro Personal Firewall'? That just doesn't make sense.
If it were to patch new features into a game it would only need to be run once, and it shouldn't try to disguise itself.



CB70,

From a command prompt try typing:
ATTRIB C:\WINNT\SYSTEM32\RO.EXE -R -A -S -H
then
REN C:\WINNT\SYSTEM32\RO.EXE RO.DEL
then reboot and you should be able to delete the RO.DEL file (it might give you an error after reboot that it can't find RO.EXE)

If that doesn't do it, try using PSKILL (one of the free PSTOOLS collection from here: http://www.sysinternals.com/ntw2k/freeware/pstools.shtml)
from the command prompt type:
PSKILL RO.EXE
then
DEL C:\WINNT\SYSTEM32\RO.EXE

Thanks,
Andrew
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548774
as mentioned above, I listed what information that I could find on it.
Everything pointed to a Game.
Why is it where it is? Why is it listed under a different name?
I do not have the answer for that.
I just simply provided some information for him.
And as I wrote above:
[Quote Carrzkiss]
But if you do not have Games loaded on your system then??
What is it doing their?
[End Quote]

I was not stating that it simply was a game, I was supplying information to game knowledge
of what it may be, and if it is not, then let's find out what it is. So that is what we are here to do right?
0
 

Author Comment

by:cbsevenzero
ID: 13548838
arausch,

the pskill tool did it! It's finally gone! Rebooted a few times to see if it would come back, and it hasn't.  Registry entries haven't reappeared either.  Thanks a lot!

0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13548893
Try going into the following location, and delete all files out of it.

C:\Documents & Settings\User Profile\Local Settings\Temp
[Delete] All files out of this location
(You might have to reboot in order to do it, before launching IE)

Sometimes files that are in this location that are Spyware/Adware
will generate themselves into the C:\WinNT\System32 & C:\WinNT\System & C:\WinNT
folders.

So give that a shot.
Then run IE, and keep an eye on the /Temp  folder
To see if anything throws itself back in there.

Then run HijackThis again, and see what comes up.

Carrzkiss
0
 

Author Comment

by:cbsevenzero
ID: 13550576
Actually... I was too quick to celebrate.  The ro.exe file came back after a couple of hours.  And it also rewrote itself into the registry in the same place (Run and RunServices folders).  Any other suggestions on killing it?

I am now convinced it is a malicious file.  Because every time it is running, it screws up the connectivity of the domain controller.....
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13551933
No offense.
But you always wait for at least a 24hr time period before celebrating and awarding points.
Especially on Possible Spyware issue. But do not worry, we have all done it a time or 2.
Maybe not over the same issue.

Check this out.
Go to the end of the page.

http://computercops.biz/postp60804.html

Carrzkiss
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13551975
Also a suggested software to download as well.

Microsoft AntiSpyware
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Download and Install it, Run the LIVEUpdate, have it set to grab Updates on its own.
And have it set to run daily scans of your system.
(I set all my systems up to run at about 3:00AM)

You can let it see if it can detect the ro.exe file, and what ever else.
Our systems are completely bug free.
The program is the best one out there; that is the reason Microsoft bought it from the Giant Software Company.

Good Luck
Carrzkiss
0
 
LVL 3

Expert Comment

by:arausch
ID: 13556571
Hmmm that sucks.

I'd suggest using pskill to stop the process, then delete the file.  Then run hijackthis and pull out anything suspicious (especially if you have any hosts file entries or BHOs), then run Spybot S&D (http://www.safer-networking.org).  Then create a text file in c:\winnt\system32 and rename it to RO.EXE, set the rights to read-only and system, and also remove all permissions from the file except for your account.

Now if whatever installed it comes back (my guess is it's coming from IE somewhere) it shouldn't be able to install the file because there will already be a RO.EXE that it doesn't have rights to remove.

What type of virus scanner do you have running?

Thanks,
Andrew
0
 

Author Comment

by:cbsevenzero
ID: 13558155
carrzkiss,

I saw that link last week.  His suggestion is to delete ro.exe.  Well, that's easier said than done in my case.  As for the Microsoft AntiSpyware, is that really the best program out there?  I run Spybot and Ad-Aware, and they seem to take care of a lot of the stuff.  I guess I'll just have to download it, try it out and see for myself.


arausch,

I'm trying what you suggested.  So far, it seems to be working.  I'm not going to jump for joy just yet this time though.   I'll let you know how it pans out.  As for the virus scanner... we're running Norton...

Both of you,

thanks for the continued assistance.
0
 
LVL 3

Expert Comment

by:arausch
ID: 13558226
Interesting.  There are plenty of mentions of RO.EXE on spyware/adware sites, and everyone seems to agree that it is bad, but no one has defined what it is or where it comes from.

Do you (or anyone else) use that server to access the internet via Internet Explorer?  If so I'd suggest looking through the security settings for IE and the trusted site list, etc to see if anything looks out of whack.

Thanks,
Andrew
0
 

Author Comment

by:cbsevenzero
ID: 13558364
We don't really screw with this server that much.  It's been running well for a long time until now.  And, when I do have to access the internet on the server, we use Firefox.
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 13559202
Can you find and locate the ro.exe?
If you are unable to find it yourself.
Then try this:

Folder Options | [View] Tab.
[Uncheck] Hide protected operating system files (Recommended)

Then browse into: C:\WinNT\System32\ro.exe

See if it is there; if it is, check the following:

Right Click on the ro.exe
[Properties]
See if there is a [Version] tab? If not,
Then see what the size of the File is?

Also, if you can. Try to ZIP the file up, and you can e-mail it to me.
So that I can better take a look at it.

Carrzkiss
0
 

Author Comment

by:cbsevenzero
ID: 13561059
arausch,

your remedy seems to be working.  Havent had issues with the domain controller all day.

Okay, here's something weird. It seems the ro.exe file has spread to one of our XP workstations.  So, I attempted to locate and remove the file per the instructions you suggested in the previous posts.  And once again, it found it in the C:\windows\system32\ folder.  But, as I attempted to delete it, it says it cannot delete the file because the file doesn't exist.  So, I figured since it says the file doesn't exist, I would try to create a fake ro.exe in the folder... which worked fine.  But, after I created it and attempted to change the attributes and permissions, it says that my access is denied, even though I am logged on as admin.  So I tried creating another file... and I had complete access to that one.  I find that really bizarre.  For some reason, something is restricting my access to any file named ro.exe...


0
 
LVL 3

Expert Comment

by:arausch
ID: 13561109
While you were doing this was the C:\WINNT\SYSTEM32\RO.EXE process still running?
If so it wouldn't let you do anything with the file (even if it was deleted) because it would assume the file was in use.

That's all I can think of, because if you created a file then by default you should have full rights to it (unless it is currently in use).

Thanks,
Andrew
0
 

Author Comment

by:cbsevenzero
ID: 13561137
Nope... it wasn't running. Besides, if it was running and actually existed in the folder, why would it let me create a file of the same name?
0
 
LVL 3

Expert Comment

by:arausch
ID: 13561212
What if you create a file in C:\winnt\system32 called TEMP.TXT and then change the rights on that file, and after you've finished with the rights then rename it to RO.EXE?  (Obviously you'll first need to delete that RO.EXE you created earlier, or at least rename it)

Just guessing here, since it isn't making too much sense.
0
