Is "_iu14d2n.tmp" Trouble


14 replies to this topic

#1 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,577 posts
  • Gender:Female
  • Location:LocalHost

Posted 11 December 2005 - 10:50 PM

The topic that started this post is here
http://www.bleepingcomputer.com/forums/t/37281/is-this-a-trojan-iu14d2ntmp/
Additionally, in the Event log I see a lot of ANONYMOUS logins (not me, not system) - is that normal?

I did more scans and they come out clean, so this one continues to be puzzling.
Here is the HJT log. I just noticed an O16 with a Symantec URL - very odd, I haven't used Norton in > 1 year!!

Thanks in advance for looking at it. Oh, and your tutorial is fabulous.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:40 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\userdump.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Amacom\FlipBack\HotSync.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\LogViewer\LogViewer.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [HotSync] C:\Program Files\Amacom\FlipBack\HotSync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133844482812
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Seapine License Server (SeapineLicenseSrv) - Unknown owner - C:\Program Files\Seapine\License Server\Seapine License Server.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by tos226, 11 December 2005 - 10:54 PM.




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 14 December 2005 - 04:56 PM

Hi there :thumbsup: I want to apologize for not getting to your log sooner, but there is quite a backlog. If you are still having problems please follow the directions found in this topic:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

When done with those steps, please post a new HJT log as a reply to this topic and I will help you.

#3 tos226

Posted 14 December 2005 - 09:35 PM

Please don't apologize, looks like a flood of requests here!

I stopped cold on #3, the disk cleanup step:
there are 9 items in Downloaded Programs, and they look needed - Office update engine, Windows Genuine Advantage (their new verification for updates), Java runtime environment, MS security advisor class, ICSS Scanner light class (Zone Labs). The most recent file is 7/12/2005.

I ran defrag the other day and scan disk, and yesterday chkdsk /f - all OK.

Now, Zone Alarm Security suite is running - should it be or do you want me to pull the plug, shut down ZA and continue?

Also I've run Ewido (2 tracking cookies) just before reading your message. No Trojans. Nothing.

I ran Ad-Aware full scan & Spybot before - no problem doing it again.

HJT_sfx seems to be the same version I already have 1.99.0.1 (2/16/2005)- right? wrong?

I will continue some more tonight, but probably will really get to it tomorrow or whenever I hear from you.

Please don't take this as any objection, I just need advice as to the environment. A million thanks in advance. (And I still owe you an answer about tab characters in Excel :thumbsup: a couple months overdue.)

Edited by tos226, 14 December 2005 - 10:42 PM.


#4 Grinler

Posted 14 December 2005 - 10:44 PM

Do you have a firewall enabled on your computer? Is the webserver that comes with XP (only with Pro) installed on your computer?

If you have no firewall, those anonymous connections may be script kiddies/worms connecting to your computer (randomly) and trying to exploit it.

#5 tos226

Posted 15 December 2005 - 11:20 PM

Yes, I do have a firewall, ALWAYS. Zone Alarm. The only time it's off is when I install/reinstall it, and then the Windows job runs.
No, not a webserver.

Re: ANONYMOUS - digression - that occurred in the past several days. Nobody here but me using this computer, and only in the evenings. Guest account disabled, all others under password. Must be worms or something.

Scan after scan, they all come out clean. HJT ends up as in this thread all the time. 1-2 tracking cookies, that's all. I can't read, or rather understand, the implications of the HJT explanations. There are a few puzzling items in it, can you see those? Like unknown programs and things like that.

But I haven't yet followed all your instructions, and some things (last post) I'm not sure HOW to do.
In any case, I'm continuing. Don't close this thread, please.

#6 Grinler

Posted 16 December 2005 - 02:39 PM

Well, when worms scan large ranges of IPs they will connect anonymously. I am surprised that Zone Alarm would be allowing those connections. What exactly is it saying in the Event Viewer entries?

#7 tos226

Posted 17 December 2005 - 06:02 PM

What exactly is it saying in the Event Viewer entries?

Grinler, thanks again. I'm lost.

That's what I worry about. The ANONYMOUS event occurs with every power-up since Dec. 10. I have no idea what data to include for you to see, so here are a few examples, the last 3 close in timing.
---------------------------------------------------------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/17/2005
Time: 1:18:35 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: A75S226TOSHIBA
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x150AF)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Here are a few others from the last turn-off and power-up.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 12/17/2005
Time: 4:31:20 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: A75S226TOSHIBA
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x15013)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 12/17/2005
Time: 4:31:28 PM
User: NT AUTHORITY\SYSTEM
Computer: A75S226TOSHIBA
Description:
The Remote Access Connection Manager service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 12/17/2005
Time: 4:31:28 PM
User: NT AUTHORITY\SYSTEM
Computer: A75S226TOSHIBA
Description:
The Network Location Awareness (NLA) service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------------------------------------------------------------------------------------

Other than the router, I have no network here. I used VPN a bit, but don't anymore and it's uninstalled, and the excerpts above are all done with one laptop and a router, nothing else. Should I or should I not now post HJT log again even though I haven't done everything that's supposed to be done?

I haven't had any success with the online scanners. Either pages don't load, or loop forever, or insist that I don't have java runtime, which I do and use often. I allowed some ActiveX things just for this purpose. No luck.

Besides the standard ZA scan, the only one I could run was Stinger. 184013 clean files, it said.
Ad-Aware deep scan shows nothing, Spybot S&D congratulated me on clean system. :thumbsup:

Edited by tos226, 17 December 2005 - 06:05 PM.


#8 Grinler

Posted 18 December 2005 - 10:47 PM

Is your computer this?

A75S226TOSHIBA

#9 tos226

Posted 18 December 2005 - 10:51 PM

Yes, it is.

Grinler, that file that started this whole thread might be from Inno Setup or something like that. It took a lot of googling to find it.

But I'm still worried about some trojan because a while back there was a flood of internet activity which I did not trigger. That's why that ANONYMOUS thing bothers me so.

Oh, I also ran a-squared today, again, in safe mode - it says it's clean. I wonder if the scans have been rigged or something.

Edited by tos226, 18 December 2005 - 10:56 PM.


#10 Grinler

Posted 18 December 2005 - 11:07 PM

I doubt the scans have been rigged so I would not worry about that.

All the ones from service control manager are perfectly normal and can be ignored.

As for the anonymous ones, I think they are normal too. Not exactly sure why they are being seen as anonymous, other than the fact that they are probably being logged before a user is logged in or after a user is logged out.

Here is mine from my computer:

Event Type:	Success Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	540
Date:		12/18/2005
Time:		7:13:49 PM
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	Forensics
Description:
Successful Network Logon:
 	User Name:	
 	Domain:		
 	Logon ID:		(0x0,0xAE6F74)
 	Logon Type:	3
 	Logon Process:	NtLmSsp 
 	Authentication Package:	NTLM
 	Workstation Name:	140G-08
 	Logon GUID:	{00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
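Added here as a worked example (not code from the thread or its participants): a small Python triage that parses Event Viewer text exports in the layout posted above and separates Event ID 540 ANONYMOUS LOGON entries logged at boot (an empty Workstation Name, close in time to a Service Control Manager 7035 start control, the pattern concluded to be normal above) from anonymous network logons that carry another machine's name. The sample events, times and the hostname OTHER-HOST are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the Event Viewer text copies posted in
# this thread (same field names, made-up values); one blank line per event.
SAMPLE = """\
Event Source: Security
Event ID: 540
Date: 12/17/2005
Time: 4:31:20 PM
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Workstation Name:

Event Source: Service Control Manager
Event ID: 7035
Date: 12/17/2005
Time: 4:31:28 PM
User: NT AUTHORITY\\SYSTEM

Event Source: Security
Event ID: 540
Date: 12/17/2005
Time: 9:02:11 PM
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Workstation Name: OTHER-HOST
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")   # "Key: value" lines

def parse_events(text):
    """Split an Event Viewer text export into one dict per event block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                ev[m.group(1).strip()] = m.group(2).strip()
        # Combine the Date and Time fields so events can be compared in time.
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def triage_anonymous_logons(events, boot_window=timedelta(minutes=2)):
    """Label each Event ID 540 ANONYMOUS LOGON: empty Workstation Name near a
    7035 start control = local boot-time null session; a named workstation =
    a real network null session from that host; anything else = review."""
    starts = [e["when"] for e in events if e["Event ID"] == "7035"]
    verdicts = []
    for e in events:
        if e["Event ID"] != "540" or "ANONYMOUS LOGON" not in e["User"]:
            continue
        ws = e.get("Workstation Name", "")
        near_boot = any(abs(e["when"] - s) <= boot_window for s in starts)
        label = ("local boot-time null session (expected)" if not ws and near_boot
                 else "network null session from %s (confirm known host)" % ws if ws
                 else "anonymous logon outside boot window (review)")
        verdicts.append((e["Time"], label))
    return verdicts
```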


#11 tos226

Posted 18 December 2005 - 11:22 PM

Grinler, Thank you :thumbsup: :flowers:

Let's close this thread then, since this is good news.
It's difficult to know what's normal and what's not, and I guess I made a bad call here, so I apologize for wasting your time.

Just one more request - in the HJT log I posted above there are several "unknown" things - can I just remove them myself, or should I bother the experts here?

#12 Grinler

Posted 18 December 2005 - 11:43 PM

Which are the unknown things?

#13 tos226

Posted 19 December 2005 - 09:36 AM

Sort of unknowns:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Do I have to have these? I don't do instant messaging.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

I don't have Norton; it came with the computer, and it's been gone for over a year.
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

And I'm no longer running this service nor the application on this computer:
O23 - Service: Seapine License Server (SeapineLicenseSrv) - Unknown owner - C:\Program Files\Seapine\License Server\Seapine License Server.exe (file missing)

Finally, this is clearly Toshiba pushing upgrades, so why is it unknown?
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

Thanks again for your help. Learning every day, but it's tough sledding :thumbsup:

#14 Grinler

Posted 22 December 2005 - 12:29 AM

You can fix this, but it's harmless:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Part of your ATI Video card:

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Don't use it? Get rid of these:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab


Don't use it? Get rid of it:

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

You can disable this service:

O23 - Service: Seapine License Server (SeapineLicenseSrv) - Unknown owner - C:\Program Files\Seapine\License Server\Seapine License Server.exe (file missing)

Yeah, it's prob manufacturer trash.. no problem stopping the service, but I wouldn't delete it:

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

#15 tos226

Posted 22 December 2005 - 10:57 PM

Thank you very much.
Just cleaned it all up.
FYI, the Seapine license wasn't running, as I disabled it before uninstalling the application. Anyway, it did no harm.

I really appreciate you looking through the HJT log, and the sane advice about those ANONYMOUS (normal) events.

Happy holidays! :thumbsup:
And happy New Year as well :flowers:



