iis6.log in XP-Home & "returned from France" message

Discussion in 'malware problems & news' started by HandsOff, Mar 15, 2005.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    First of all I have run current antivirus and antitrojan and spyware programs.
    I am starting to think I might have a trojan anyways though, due to some things that don't seem right to me. Maybe the most overt sign of something wrong is...

    - That I have an iis6.log in the first place. I read that that was a 2003 server log, not an XP log.

    - That the text in the log seems bizarre and stupid (even for Microsoft). An excerpt:

    " [3/6/2005 19:54:45] returned from France fix with locale 409 "

    At the end of this post I zoomed out so you could see a little more of the log.
    I put it at the end so it would not make the rest of my post harder to read.

    This may have started a long time ago. The iis6 log goes back to January.

    Some of the other stuff that seems odd has to do with COM+ services contradictions in the services.msc display: ones that are running supposedly dependent on others which are not; one in autostart mode but not running; then the actual program executable for the service appears to be missing (if I am understanding correctly). Specifically: from double-clicking the service, COM+ Applications, in services.msc it gives,
    Windows\system 32\dllhost.exe/{02D4B3F1-FD88-11D1-960D-00805FC79235}, for the name for the executable.

    However, if I search for {02D4B3F1-FD88-11D1-960D-00805FC79235} on my C:\windows it is just not there, except for a log which complains that it is not found.

    I lied, there is this:

    {02D4B3F1-FD88-11D1-960D-00805FC79235}.{3FDE72A3-B485-4872-B760-B00FB6F871AF}.crmlog

    which is in c:\windows\registration. I am not familiar with the .crmlog extension (?) (six-letter extension?). However, it is not a text file, that is for sure.


    Another CLSID which corresponds to yet another Windows service. This time it is missing.

    {9F605DBA-321C-4BA3-B8AA-129702927D53} that is not found.
    The "ms shadow copy provider service".


    Anyways, that is what seems not right to me. Maybe I am wrong, but it seems to me that the iis6.log is server related. It also looks like something was attempting to contact France, unless that is just some sort of off-the-wall computer techie talk. Any ideas? o_O

    - HandsOff


    As promised, more of the iis6.log:

    [3/5/2005 15:53:26] OC_INIT_COMPONENT:Old InetPub='C:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [3/5/2005 15:53:26] OC_INIT_COMPONENT:Old InetPub='C:\Inetpub'. Does not exist. we'll use the default. WARNING.
    [3/5/2005 15:53:59] OC_CLEANUP:Final Check:LogFile Close.
    [3/6/2005 19:54:44] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
    [3/6/2005 19:54:45] Initial thread locale=409
    [3/6/2005 19:54:45] returned from France fix with locale 409
    [3/6/2005 19:54:45] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [3/6/2005 19:54:45] OC_INIT_COMPONENT:[iis,(null)] Start.
    [3/6/2005 19:54:45] OC_INIT_COMPONENT:1/3/2005 20:41:31 ________ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: C:\WINDOWS\System32\Setup\iis.dll
    [3/6/2005 19:54:45] OC_INIT_COMPONENT:Set UnAttendFlag:OFF (File='')
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi HandsOff,

    Did some detective work and found iis6.log files on my three XP systems. All looked similar to yours, including the timestamped "returned from France fix with locale 409" string. All three logged activity on or around the same dates. It finally occurred to me that the dates corresponded to the releases of Microsoft's monthly security bulletins. When I opened Add/Remove Programs and checked the Hotfix install dates, the dates matched the dates in the logs. The first dates in the iis6.log files also correspond to the day I installed XP and ran Windows Update for the first time.

    Nick

    Edit: should have mentioned I do a manual Windows Update a day or two after security bulletins are released.
     
    Last edited: Mar 16, 2005
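One way to do the cross-check nick s describes on your own iis6.log: split the timestamped lines into setup sessions (each beginning at a "LogFile Open" line), flag lines carrying the FAIL/MessageBox keywords the log header itself tells you to search for, and see whether each session falls within a couple of days of a hotfix install date taken from Add/Remove Programs. This is added example code, not from the thread or from Microsoft; the log excerpt and the hotfix date list are constructed.

```python
import re
from datetime import date, datetime

# Constructed excerpt in the iis6.log line format quoted in the thread (not a real log).
SAMPLE_LOG = """\
[3/5/2005 15:53:26] OC_INIT_COMPONENT:Old InetPub='C:\\Inetpub'. Does not exist. we'll use the default. WARNING.
[3/5/2005 15:53:59] OC_CLEANUP:Final Check:LogFile Close.
[3/6/2005 19:54:44] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
[3/6/2005 19:54:45] Initial thread locale=409
[3/6/2005 19:54:45] returned from France fix with locale 409
[3/20/2005 10:02:11] LogFile Open. [***** Search on FAIL/MessageBox keywords for failures *****].
[3/20/2005 10:02:12] OC_INIT_COMPONENT:CopyFile FAIL (constructed failure line)
"""
# Hypothetical hotfix install dates, as read from Add/Remove Programs.
HOTFIX_INSTALL_DATES = [date(2005, 3, 6)]

LINE_RE = re.compile(r"^\[(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\] (.*)$")
FAILURE_KEYWORDS = ("FAIL", "MessageBox")  # the keywords the log header itself names


def parse_sessions(text):
    """Split the log into setup sessions, each starting at a 'LogFile Open' line
    (lines before the first one form an implicit session)."""
    sessions, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate blank or non-timestamped lines
        stamp = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        msg = m.group(2)
        is_open = msg.startswith("LogFile Open")
        if is_open or current is None:
            current = {"start": stamp, "lines": [], "failures": []}
            sessions.append(current)
        current["lines"].append(msg)
        # The header line names the keywords itself, so it is not counted as a failure.
        if not is_open and any(k in msg for k in FAILURE_KEYWORDS):
            current["failures"].append((stamp, msg))
    return sessions


def correlate(sessions, hotfix_dates, window_days=2):
    """Tag each session with the hotfix install date it falls within window_days of, if any."""
    result = []
    for s in sessions:
        day = s["start"].date()
        hits = [d for d in hotfix_dates if abs((day - d).days) <= window_days]
        result.append({"start": s["start"], "failures": len(s["failures"]),
                       "matched_hotfix": hits[0] if hits else None})
    return result
```

A session with failures but no nearby hotfix date is the one worth reading in full; the "returned from France" line on its own is just the locale step of the IIS component setup logging.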
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Nick, appreciate the update,

    Your tone would seem to be one of reassurance. I had my suspicions about the updates coinciding with my installs. I decided that what I would do was to sort files by date and see what coincided. What actually occurred was that the first things I was seeing were more Windows logs, and in general there seemed to be a lot of "not finding" being reported.

    It's reassuring that it is beginning to look as though it is not a trojan causing my problems, but it is a bit unsettling that a lot of odd behavior involving COM+ and IIS and RPC seems to coincide with my aborted attempts to install SP2.

    It would be interesting to see what messages are generated when you attempt to "download and install" an update without having your settings in order. Since you have supplied all the answers, I think I will run a quick test and see if my computer "returns from France". I will soon update this with the results.


    - HandsOff


    Why do we need BITS for updates?
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    As far as I know, running Windows Update manually only requires Automatic Updates set to automatic (temporarily) and BITS set to manual start (even though it never starts here). If you disable BITS, Windows Update will not work.

    Nick
     
  5. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Ah, that's how it works! I don't really like to have a service that has to do with transferring files over the internet set to manual, because then I don't know if I need it or not. I do have quite a few manual settings, but over time I would like to have more automatics and disableds.

    I realize one has to be careful what they disable, but I have to shake my head when I see services running and no dependencies listed.

    Anyway, if I recall from the Windows Update page, you have to have the Event Log service running too. In services it says that Event Log cannot be stopped. That being the case, why (a) do they mention it, and (b) do they put the service in services.msc instead of msconfig?

    At any rate, I intend to leave that one running!



    - HandsOff
     