Text 3416, 181 lines
Written 2005-04-05 11:47:40 by Gary Britt (1:379/45)
Subject: Re: Have You Seen This Happen?
=======================================
From: "Gary Britt" <zotu@nospamforme.com>
I downloaded and ran the latest version of rootkit revealer. It reported no
discrepancies found, so given the lack of virus, ad aware, spybot, and
rootkit revealer hits, I feel it must be a file created by one of those two
trialware programs I've been using for a few days. I got nervous because
around the same time I started using those programs I happened to hit a website
that tried to download a trojan onto my computer. Norton Antivirus stopped
it, but then I started seeing this file and got paranoid.
Gary
"Gary Britt" <zotu@nospamforme.com> wrote in message
news:42529c53$1@w3.nls.net...
OK, thanks for the ideas. So far I think it's either something along
the lines of what you are speaking about or it might be some key that is
generated by one of two pieces of trialware I started demoing a few days ago.
I'll try the sysinternals.com rootkit revealer thingy. I don't run NTFS on
my computers since I don't personally need that kind of security, and I like
being able to boot Win98 and access the drives with all my familiar gui and
dos tools. I haven't noticed any new processes but will look again.
Gary
"Geo" <georger@nls.net> wrote in message
news:4252657d$1@w3.nls.net...
My first thought was a keylogger, go to www.sysinternals.com and
download rootkit revealer, see if there is a hidden process running. If not
then look in task manager process tab for any new processes.
If you are using NTFS, you could set the file permissions to
everyone no access and see if that generates an error message.
Geo.
"Gary Britt" <zotu@nospamforme.com> wrote in message
news:42517864@w3.nls.net...
Something on my Win2K Pro laptop has started creating a file named
os142886.bin in the root directory of my system drive. It may be created at
shutdown (maybe not). If I delete it or move it to another directory nothing
seems to break. I can't find anything on this file name. I have no idea
what program is creating this file. It will re-create on shutdown most
likely if moved or deleted. If moved or deleted nothing seems to break.
Based upon what the file looks like when viewed in a file viewer, it seems
encrypted in some way.
Any ideas? I've run all the ad aware, spy stuff, and virus stuff.
It doesn't register as anything bad. I'm not noticing any system or
program abnormalities. It just bugs me that I don't know what is creating
this file. Maybe it's a copy protection scheme on something I've started
running?
Gary
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)