Lg4fao.exe, And Other Random Exe's


6 replies to this topic

#1 jerryc

Posted 09 May 2008 - 05:23 PM

I have several machines with XP pro and Server 2003. I know a few things but not all by any means. So, both xp and server show in task manager at various times but not always, a process, usually one at a time, that has a random name like in the title, LG4FAO.exe, and other similar names. Similar in that they are all 6 characters long I think. There is no application connected to this/them apparently, and google shows nothing for any that I've tried. Right now, task manager shows this one with 2596 k mem usage and 00 to 01 cpu. 'end process' ends them with no apparent issue. A local network super said something like he thinks it's a Windows thing and not to worry about it, but he really didn't have any info.
Any clue???
Thanks


#2 DaChew
BC Advisor

Posted 09 May 2008 - 05:35 PM

Every time I see a random-named process in Task Manager, I have been infected.

It might be a broken infection.

I assume you have run all the scans and they come up clean?
Chewy

No. Try not. Do... or do not. There is no try.
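Triage of a process like the LG4FAO.exe described above, as an added example that is not code from this thread. Each record carries what Task Manager shows (the image name) plus what Process Explorer or `wmic process get Name,ExecutablePath` adds (full path, verified Authenticode signer). The rules flag the combinations that usually mean malware rather than a Windows component: a random-looking name, an unsigned binary inside the Windows tree, an image outside the Windows / Program Files trees, or a well-known name running from the wrong directory. The allowlist, the record layout and the sample records are assumptions made for the example.

```python
"""Triage of running-process records for names like LG4FAO.exe.

Added example, not code from the thread.  Each record holds what Task
Manager shows (image name) plus what Process Explorer or
`wmic process get Name,ExecutablePath` adds (full path, Authenticode signer).
The allowlist, the field layout and the sample records are assumptions
made for the example.
"""
import re
from dataclasses import dataclass

# Partial allowlist of XP / Server 2003 binaries that normally live under
# %SystemRoot% or %SystemRoot%\system32 (constructed, deliberately short).
KNOWN_WINDOWS = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe",
    "smss.exe", "explorer.exe", "spoolsv.exe", "msiexec.exe", "wmiprvse.exe",
}
WINDOWS_ROOT = "c:\\windows\\"
TRUSTED_ROOTS = (WINDOWS_ROOT, "c:\\program files\\")
TRUSTED_SIGNERS = {"microsoft corporation", "microsoft windows"}


@dataclass
class ProcRecord:
    name: str    # image name as listed in Task Manager
    path: str    # full image path
    signer: str  # verified Authenticode signer, "" when unsigned or unverified


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as lg4fao.exe or qx7kzp.exe.

    Flags short alphanumeric stems that mix letters with digits or contain
    no vowel at all.  Names like svchost or lsass pass this test on purpose;
    the allowlist and path checks in triage() cover those.
    """
    stem = name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    if not (4 <= len(stem) <= 8) or not stem.isalnum():
        return False
    mixed = re.search(r"[a-z][0-9]|[0-9][a-z]", stem) is not None
    no_vowels = not any(c in "aeiouy" for c in stem)
    return mixed or no_vowels


def triage(records):
    """Return {image path: [reasons]} for every record worth a closer look."""
    findings = {}
    for r in records:
        name, path, signer = r.name.lower(), r.path.lower(), r.signer.lower()
        in_trusted = path.startswith(TRUSTED_ROOTS)
        reasons = []
        if looks_random(name):
            reasons.append("random-looking image name")
        if name in KNOWN_WINDOWS and not in_trusted:
            reasons.append("well-known Windows name running from an unexpected path")
        if not in_trusted:
            reasons.append("image outside the Windows / Program Files trees")
        if path.startswith(WINDOWS_ROOT) and signer not in TRUSTED_SIGNERS:
            reasons.append("binary inside the Windows tree without a Microsoft signature")
        if reasons:
            findings[r.path] = reasons
    return findings


# Constructed sample: two Microsoft services, the process name from the
# thread (its location is assumed), a masquerading svchost.exe in a temp
# directory, and an unsigned but ordinary VNC server under Program Files.
SAMPLE = [
    ProcRecord("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "Microsoft Windows"),
    ProcRecord("msiexec.exe", r"C:\WINDOWS\system32\msiexec.exe", "Microsoft Windows"),
    ProcRecord("LG4FAO.exe", r"C:\WINDOWS\system32\LG4FAO.exe", ""),
    ProcRecord("svchost.exe",
               r"C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe", ""),
    ProcRecord("winvnc.exe", r"C:\Program Files\TightVNC\WinVNC.exe", ""),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for why in reasons:
            print("   -", why)
```

The name heuristic alone is weak (it would also flag a legitimately named 7zFM.exe), which is why the path and signer checks carry most of the weight; a random name that is also unsigned and sitting in system32 is the case worth pulling a copy of for scanning before ending the process.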

#3 jerryc

Posted 10 May 2008 - 03:18 AM

This had a link to their site, which gave info that says that Remote Desktop acts like 'not-a-virus' and to be careful. I do have Remote Desktop configured, so.... is that it?
The part about the Open CD iso being infected confuses me also. That was a download that I haven't used yet. So...???
thanks!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 10, 2008 1:09:02 AM
Operating System: Microsoft Windows Server 2003, Standard Edition, Service Pack 2 (Build 3790)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/05/2008
Kaspersky Anti-Virus database records: 750724
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 28310
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:01:28

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
E:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080509.log Object is locked skipped
E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
E:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\default Object is locked skipped
E:\WINDOWS\system32\config\default.LOG Object is locked skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\SECURITY Object is locked skipped
E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
E:\WINDOWS\system32\config\software Object is locked skipped
E:\WINDOWS\system32\config\software.LOG Object is locked skipped
E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\system Object is locked skipped
E:\WINDOWS\system32\config\system.LOG Object is locked skipped
E:\WINDOWS\system32\h323log.txt Object is locked skipped
E:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
E:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
E:\WINDOWS\Tasks\SchedLgU.Txt Object is locked skipped
E:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso/programs/tightvnc/setup.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso/programs/tightvnc/setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso ISOimage: infected - 2 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

#4 DaChew

Posted 10 May 2008 - 07:14 AM

===== Locked Objects =====

Number of items = 46

C:\System Volume Information\MountPointManagerRemoteDatabase
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
E:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080509.log
E:\WINDOWS\system32\MsDtc\MSDTC.LOG
E:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
E:\WINDOWS\Tasks\SchedLgU.Txt
F:\System Volume Information\MountPointManagerRemoteDatabase

===== Infected Objects =====


===== Details =====

Number of items = 3
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0

F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso/programs/tightvnc/setup.exe/data0006 --> RemoteAdmin.Win32.WinVNC.1370
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso/programs/tightvnc/setup.exe --> RemoteAdmin.Win32.WinVNC.1370


That should be safe if you got it from soundforge; they are strong with the force. Unfortunately malware is too, so a lot of programs raise a red flag, and in the wrong hands can do a lot of damage.

If I wanted total control over your machine, I would want you to install something like that.

Edited by DaChew, 10 May 2008 - 07:15 AM.

Chewy

#5 jerryc

Posted 13 May 2008 - 12:37 AM

I had some stuff going on, sorry to not be back sooner.
I rebooted the computer and had 'performance' CPU in Task Manager at 100%, with 2 instances of msiexec.exe running. So I sent the Open CD to the Recycle Bin. CPU stat went down immediately. I opened the Recycle Bin and looked at properties of the Open CD file, and it said it was created 3 days ago. ???
I've now completely deleted it and performance is now 1 to 5%.
I don't recall where I had DL'd it from, but am careful about this sort of thing.

Why did you copy these below? I don't know about most of them.
=====================
C:\System Volume Information\MountPointManagerRemoteDatabase
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
E:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080509.log
E:\WINDOWS\system32\MsDtc\MSDTC.LOG
E:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
E:\WINDOWS\Tasks\SchedLgU.Txt
F:\System Volume Information\MountPointManagerRemoteDatabase
========================
Anyhow, thanks for your comments, and any more you may make.

#6 DaChew

Posted 15 May 2008 - 08:03 AM

jerryc wrote: Why did you copy these below? I don't know about most of them.

===== Locked Objects =====

Can merit further investigation? But not usually anything related to malware.
Chewy
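The split DaChew made by hand in #4 and explains in #6 (locked objects versus detections, and "not-a-virus:" riskware versus malware signatures), as an added example that is not code from this thread. The parser below reads the Kaspersky Online Scanner line format pasted earlier; the sample lines are copied from that report, while the locked-object classes and their patterns are this example's own assumptions about what is normally held open on a running Windows box.

```python
"""Sort a Kaspersky Online Scanner report into what matters.

Added example, not code from the thread.  Splits "Object is locked" entries
(files Windows holds open: registry hives, event logs, browser caches,
System Restore data) from real detections, and among detections separates
"not-a-virus:" riskware such as RemoteAdmin tools from malware signatures.
The category labels and patterns below are assumptions for the example.
"""
import re
from collections import defaultdict

LOCKED = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<obj>.+?) Infected: (?P<sig>\S+) skipped$")
CONTAINER = re.compile(r"^(?P<obj>.+?) (?P<kind>\w+): infected - (?P<n>\d+) skipped$")

# Locked-object classes that are expected on any running Windows system;
# anything that matches none of these is worth a second look (assumed).
EXPECTED_LOCKED = {
    "registry hive": re.compile(
        r"\\(ntuser\.dat|usrclass\.dat|config\\(sam|security|system|software|default))(\.log)?$",
        re.I),
    "event log": re.compile(r"\.evt$", re.I),
    "browser cache/index": re.compile(r"\\index\.dat$|msimgsiz\.dat$", re.I),
    "system restore": re.compile(r"\\system volume information\\", re.I),
}


def classify_locked(path: str) -> str:
    for label, rx in EXPECTED_LOCKED.items():
        if rx.search(path):
            return label
    return "other (inspect)"


def parse_report(lines):
    """Return locked objects by class, malware hits, riskware hits, containers."""
    summary = {"locked": defaultdict(list), "malware": [], "riskware": [], "containers": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if (m := LOCKED.match(line)):
            summary["locked"][classify_locked(m["obj"])].append(m["obj"])
        elif (m := INFECTED.match(line)):
            sig = m["sig"]
            # "x.iso/programs/tightvnc/setup.exe/data0006": the part before the
            # first archive separator is the file that actually sits on disk.
            on_disk = m["obj"].split("/")[0]
            bucket = "riskware" if sig.startswith("not-a-virus:") else "malware"
            summary[bucket].append((on_disk, m["obj"], sig))
        elif (m := CONTAINER.match(line)):
            summary["containers"].append((m["obj"], m["kind"], int(m["n"])))
    return summary


def summarize(lines):
    s = parse_report(lines)
    return {
        "locked_total": sum(len(v) for v in s["locked"].values()),
        "locked_to_inspect": sorted(s["locked"]["other (inspect)"]),
        "malware": len(s["malware"]),
        "riskware_files": sorted({on_disk for on_disk, _, _ in s["riskware"]}),
    }


# Lines taken from the report posted in this thread (a subset).
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
E:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
E:\WINDOWS\Tasks\SchedLgU.Txt Object is locked skipped
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso/programs/tightvnc/setup.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso/programs/tightvnc/setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
F:\Data\Very important stuff\Documents\Downloads\TheOpenCD_SFD2007_Edition_2.iso ISOimage: infected - 2 skipped
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On this report the only detections are two RemoteAdmin hits on one TightVNC installer inside an ISO that was never run, so the malware count is zero and the one locked object outside the expected classes is the Task Scheduler log, which is an ordinary file to check but not evidence of infection.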

#7 jerryc

Posted 16 May 2008 - 02:30 AM

Well; rebooted and have CPU up around 100% again. One instance of svchost.exe is at 98% or so, then goes into the 60-70% range.
I have not had time to look into those you copied yet; will be a few days. I did install 'What's Running' and do not understand a lot of its output. Turned it off and CPU is down to 2%, then up and down with me not doing anything.
Hmmm; back later, thanks again.
