BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Win##.tmp.exe - Help!
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > Win##.tmp.exe - Help!  
Forum Quick Jump
 
New Topic Post reply to : Win##.tmp.exe - Help! Printable version of : Win##.tmp.exe - Help!
[ << Previous Thread | Next Thread >> ]

ale_jrb
New Member


Date Joined Feb 2006
Total Posts : 1
 
   Posted 2/24/2006 2:17 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Hi,
This program (win##.tmp.exe where ## is replaced by something random 2 or 3 letters or numbers long) keeps opening itself over and over. I have tried all the removal instructions in the sticky and searched for the problem, found one result and tried that as well, and still nothing. Here's the HiJack this log...

Logfile of HijackThis v1.99.1
Scan saved at 11:16:47, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\TEMP\win2A.tmp.exe
C:\WINDOWS\TEMP\win31.tmp.exe
C:\WINDOWS\TEMP\win2A.tmp.exe

C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\TEMP\win31.tmp.exe
C:\DOCUME~1\Alex\LOCALS~1\Temp\Rar$EX00.328\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45043008-FF90-FE6D-96AE-808ADCA7FD9E} - C:\WINDOWS\system32\ggshkn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks very much :).

Post Edited (ale_jrb) : 2/24/2006 1:27:48 PM GMT

Back to Top
 

rpggamergirl
Forum Moderator




Date Joined Dec 2005
Total Posts : 1562
 
   Posted 2/25/2006 2:26 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Hi,
Did you have your media player set to launch at startup?
 
Have hijackthis fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {45043008-FF90-FE6D-96AE-808ADCA7FD9E} - C:\WINDOWS\system32\ggshkn.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
 
 
Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip
Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them. Don't run a scan yet.
 
Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.

 
Also Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7
Close all windows before continuing.
Double-click "Look2Me-Destroyer.exe" to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.

Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
 
Can you also post the About:Buster log?
 
Back to Top
 

SgtJkR1
New Member


Date Joined Feb 2006
Total Posts : 2
 
   Posted 2/25/2006 8:13 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Have the same thing going on. I went an extrastep and downloaded ProcessExplorerNT and see that these are in the winlogon.exe area as well not sure if that means anything. Am going to try to do this step and will post results also. I also had noticed the Spy Falcon program was added as well and did the uninstall steps for that and it seems sucessful so far.
Back to Top
 

SgtJkR1
New Member


Date Joined Feb 2006
Total Posts : 2
 
   Posted 2/25/2006 9:28 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
No luck. I see that in the C:/Windows/Temp directory there are Win##.tmp files that seem to get added every 2 minutes on the dot. Not a big deal they are 0 on file size but they spawn these win##.tmp.exe files. Not sure if it the same thing the other person is seeing or not.
Back to Top
 

rpggamergirl
Forum Moderator




Date Joined Dec 2005
Total Posts : 1562
 
   Posted 2/26/2006 12:47 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
SgtJKr1,
Try About:Buster that I suggested on this thread.
Also post your hijackthis log(make another thread for it)

Also run these diagnostic scans and let's see what they come up with:
Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
Back to Top
 

Hugh Jorgan
New Member


Date Joined Feb 2006
Total Posts : 1
 
   Posted 2/27/2006 1:56 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
I am having the same problem here.  Multiple win??.tmp files that are blank being created in the c:\windows\temp folder.  I say multiple, but its actually around 3,000 of them.  Then the random win???.tmp.exe files load in the process viewer.  If you kill the process, another will load in exactly 2 minutes.  If left untouched, it will continue to keep loading random win???.tmp.exe files until there are a total of 5 or 6 running.  It will not load any more after that.  But each one will attempt to connect to something, I simply deny the connection as that is all I can do for now.  From my research, it apparently has infected the winlogon.exe or the dll's associated with it.  Mine shows that the file named winrge32.dll is infected, which is not a file name that I recognize.  I have followed all of the advice on here, but to no avail.  I have just completed the silent runner program, here is my link to the log file created: http://www.rafb.net/paste/results/6KdsXk51.html .  Any help with getting this annoying thing removed would be incredible.  The only thing annoying about it, is that everytime it loads one of the random files, it takes the focus away from whatever your doing.  So if your playing a game fullscreen, it will take the focus away, minimize it and it appears to become corrupted. (ie: can't Alt-Tab back to game).  Oh and one more thing, all these files apparently generate from a file named universa.exe.  I have never seen this file on my system before, but when you do a properties on one of the random exe files in windows\temp, that is the information supplied.  Hope this helps someone get rid of this thing.  If anyone does, please post a fix.  Thanks everyone.

Image Attachment :
Image Preview
crap.gif
  63KB (image/gif)
This image has been viewed 502 time(s).
Back to Top
 

Andrei Ionescu
Junior Member




Date Joined Dec 2005
Total Posts : 58
 
   Posted 2/27/2006 3:15 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
HI,
 
 
If you keep on interfering with new logs in someone else's thread, thus NOT respecting in any way the forum rules, http://www.bullguard.com/forum/5/FORUM-RULES-PLEASE-READ-BEFORE_20312.html, you will leave me no choice but to delete all your posts and leave the problems unresolved.
 
The rules were created for our and your benefit, and WILL be respected. jumpin  The first consequence will be that you will not receive specific assistance for each of your problems.
 
Therefore, please access this related thread for more information regarding this new mutant variant of the Nimda virus:
 
 
Once you have established the culprit .dll file responsable for the infection, personalize the instructions in the removal steps and carry them out.
 
Get back to us with the outcome of the recommended instructions.


 
 
 
 
 
 
 
 
 
 
Andrei Cristian Ionescu
Support Team Member
BullGuard Software Ltd.
Cell phone: +40 724.276.719
YM!: ionescu1982 ; Skype: ionesan
 
 
BullGuard specialises in best-of-breed security solutions for home users and
small businesses, emphasising technical excellence, ease-of-use and customer-care.
BullGuard is a Microsoft Gold Certified Partner with competencies in Security Solutions
and ISV Software Solutions: www.microsoft.com/security/partners/antivirus.asp
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted

Back to Top
 

Paul.f
New Member


Date Joined Mar 2006
Total Posts : 3
 
   Posted 3/1/2006 12:34 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Hi guys, I have the same problem and I have also noticed that in my internet connections list there are 2 more connections that have been created some how, im guessing its because of this win##.tmp.exe problem.
 
I have ran the programs that are suggested in this forum and they seem to have stopped the win##.tmp.exe programs from being created but not the win##.tmp files although it has stopped them from creating every 2 minutes.
 
also I've downloaded a program called Empty Temp Folder which has helped in deleting the temp folders that are'nt being used.
But every time I start my pc there are still 4 files that get created
Back to Top
 

gary balkam
New Member


Date Joined Mar 2006
Total Posts : 1
 
   Posted 3/1/2006 3:57 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
SOLUTION TO win##.tmp.exe
first.. copy down the location of the files it should be..
c:/windows/temp
next restart your computer, pressing f8 to boot into boot options menu.
select 'safemode with command prompt' this loads safe mode, cmd prompt, and nothing else.
next type cd.. enter and cd.. enter again, to change to the C director
next type cd windows (enter) then cd temp (enter) then type del win*.*
when finished, type dir (directory list) and delete any files remaining, this is safe, no files in the temp folder are necessary to running windows, just a storage box for things like images etc.
exit cmd and ctrl+ald+del to pull up task manager, select restart from the drop down menus.
this is with windows xp home, should work with all versions using the same principal,
hope this helps
gary balkam
Oh, and get Xoftspy to remove the spyfalcon problem (if you have this as well, as i did)
Back to Top
 

Paul.f
New Member


Date Joined Mar 2006
Total Posts : 3
 
   Posted 3/1/2006 3:01 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
I have just gave that ago but when I get to the point to type in cd temp it says the location cannot be specified
 
I am running windows xp home
 
Please help 
Back to Top
 

Paul.f
New Member


Date Joined Mar 2006
Total Posts : 3
 
   Posted 3/1/2006 10:39 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Hey guys, If you are still having problems with this you can download spyware doctor
I downloaded it and the problem seems to have gone 100%
Back to Top
 

merpgamer
New Member


Date Joined Mar 2006
Total Posts : 4
 
   Posted 3/16/2006 5:43 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
This is a real pain in the posterial cavity, and I've been spending the last 3 days since it got on my system trying to track down what is causing it. I believe I've found the answer, but here is a description of what it does, so if this is what you or anyone else reading this is seeing, then this may be the answer for you.

(and you won't need to download or install any other programs to fix it!)

The initial problem seems to be an icon on the desktop called "Access Members Area.exe" with a picture of a woman's face on it, which keeps reappearing after about 20 minutes or less even when you permanently delete it.

Additionally, popup adverts come on your screen even when you're not actually browsing, and take the focus off whatever you're doing at the time. Very annoying!

If you try CTRL+ALT+DEL to bring up the Task Manager, you'll notice a process called something like "winXX.tmp.exe", where XX is some random hex value producing for example "win2C.tmp.exe". End the process and it will reappear with a different value for the XX part after about 20 minutes.

Not only that, but if you look in your C:\Windows\Temp folder you'll see a whole load of files of zero length called winXX.tmp, again following the hex value system for the XX part of the filename and changing each time. These reappear every 2 minutes, even when you delete them all and even when you stop the above process. It will all restart again.

What the thing is actually doing is acting as a dialer program. But a very clever one. Because even if you're on broadband like me, it still has a go at connecting to the servers to self-replicate itself and bring up advertising. If you want to know who wrote these programs, check out the security certificate for the "Access All Areas.exe" file. You'll find that it's a company called Global Acces (yes, that's one 's' at the end) and they write (guess what?) dialer programs. Their website is http://www.global-acces.com

You can see from their site (look at their banners link) that they promote the idea of using these dialers to make our computers automatically disconnect then dial up premium rate numbers and connect to porn sites with "nasty XXX-rated video clips" and other porn material. They don't seem to own the porn sites, but they do write the software that takes over our computers in this way and in the background connects to sites with ActiveX scripts. In my opinion their methods are reprehensible as they provide no option to uninstall the offending item.

I even emailed them and told them my dilemma and this was their response:

"To me it sound like you have your computer infected with a unvanted program, that somehow triggers / install our dialler application.
In most cases it can be found by running a Virus scanner and installing a Firewall that monitor BOTH your incomming and your outgoing traffic, ie: if you have a program installed that is set to automaticly download / send data from your computer it is not stopped by firewalls that do not monitor your OUTGOING traffic. Example of a firewall that do not do that is Windows firewall or any kind of NATD service.
I highly recommend Sygate Personal Firewall wich is a free firewall that can be downloaded from www.tucows.com
When you have found the source for the unvanted behaviour I will be happy to assist you in removing it.
Best Regards,
Morten Due
Global Accés "

Anyway, a firewall could only be configured to stop this program getting its fingers out into the internet. It would still be running on my system and self-replicating whether I'm online or not, and I'm not happy about that.

Since I've read about others having this problem on this forum and other ones, it appears that just deleting those files even in safe mode still didn't fix the problem, nor did downloading loads of the recommended spyware destroyers, so I set about finding all files that were created or modified about the time the problem started, and after a long time I tracked it down to a single dll file that must have crept in on the back of another program installation.

The sneaky little file is called "winjcr32.dll", although it comes in variations of this but is usually of the format "win" followed by 3 letters then "32.dll", and is found in the C:\Windows\System32 folder.

It also has an entry in the registry, located at:

HKEY_LOCAL_MACHINE\Microsoft\Windows NT\Current Version\Winlogon\Notify\winjcr32 (or whatever your version is called)

To stop it from doing anything, first of all use Task Manager (CTRL+ALT+DEL) to end the process of "winXX.tmp.exe".

Next, open your C:\Windows\Temp folder and delete all the winXX.tmp.exe files and winXX.tmp files there (note that if you didn't end the process first you can't delete the tmp.exe file, so make sure the processes are ended).

Then rename your offending dll file or delete it. I renamed mine to "winjcrdll.old" and it has not tried replicating since then, even when I did a restart. I will be deleting it though.

Then delete its entry in your registry (shown above) using "regedit".

Then clear your Temporary Internet Files so you don't go picking the file up again. To make extra certain (because Internet Explorer doesn't always do a great job of it), open up Windows Explorer at "C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temporary Internet Files\Content.IE5" and check in each of the subfolders there for a file called "wdinit64.exe" where the could be any other number as well. Delete those files, because careful searching showed that these were the files being linked to by the dialer program.

Oh yes, and you can now delete that desktop file called "Access Members Area.exe".

And there you have it!

My system is now free of it, and I can't say I'm glad enough. I hope this info helps anyone else who's been having the same headaches as me over this, and you don't really need to download anything for it to get rid of it.

However, do make sure you get a good spyware killer anyway, because this program may have piggybacked in on some other adware or spyware program you installed, so clean your system regularly anyway.

Now I can use my computer again!
Back to Top
 

Bader40
New Member


Date Joined Apr 2006
Total Posts : 1
 
   Posted 4/3/2006 7:56 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
I somehow got this little bugga on my computer and i've spent ages on the internet trying to find a solution and i found it at http://www.ccleaner.com/ . This amazing peice of freeware worked when many others failed miserably (i ran it once and my computer is now completely clean) Give it a go.
Back to Top
 

Reisinger
New Member


Date Joined Apr 2006
Total Posts : 1
 
   Posted 4/20/2006 5:14 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
I did what merpgamer had suggested and it seems to have worked although I am still getting two files that get created every time I boot up after getting rid of them in safe mode. The files are:

Perflib_Perfdata_494

T30DebugLogFile

I don't have win???.tmp or win???.tmp.exe files being created any more and want to make sure the files above are a the start of this again. Any suggestions?

Kurt
Back to Top
 

chief
New Member


Date Joined Apr 2006
Total Posts : 2
 
   Posted 4/20/2006 6:27 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
hey guys...better follow what merpgamer have shared with you...his solution works for us who encountered the same problem with what you have right now....however, merpgamer may have overlooked the correct HKEY entry in your windows registry...the correct HKEY entry in your windows registry is "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinXXX32"....yeah
Back to Top
 

plumberg
New Member


Date Joined Apr 2006
Total Posts : 5
 
   Posted 4/20/2006 2:22 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Hello.... I tried what merpgamer had mentioned...

First killing all processes from the Task Manager (ofcourse, the Win##.tmp.exe ones)
next, deleting the files from c:\window\temp folder
I renamed the file c:\windows\system32\winzoo32.dll to winzoo32.old
I deleted the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winzoo32"

Cleared the temporary Internet cache files....

However, after some time, some other WIN###tmp.exe file comes up...
Here, the ### are usually digits...

I dont know where I have went wrong....

If someone could help, it would be appreciated.

Thanks.
-Plumberg C
Back to Top
 

plumberg
New Member


Date Joined Apr 2006
Total Posts : 5
 
   Posted 4/20/2006 3:03 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Also, the files are coming uniformly at 20 mins intervals........
Back to Top
 

plumberg
New Member


Date Joined Apr 2006
Total Posts : 5
 
   Posted 4/20/2006 3:36 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
This is the code in one of the .tmp files...

eoewe-115jj&*+1 +16k = 17$##)&k&*(j,("j&(!k5-5HOeoetu}ete-115jj222k,(5*1$1*k&*(j$qtwj'6!($=k5-5z(x(*! (c'x'7$+!HO~eoetu|ete-115jj222k,(5*1$1*k&*(j$qtwj$!trrk5-5HOeoettuete-115jj,(5*1$1*k&*(j$qtwj<k5-5z'x'7$+!HOeoetttete-115jj222k,(5*1$1*k&*(j$qtwj!,tk5-5HOeoettwete-115jj&*+1 +16k = 17$##)&k&*(j(1+ 2k5-5z(x(*! (c'x'7$+!HOeoettvete-115jj,(5*1$1*k&*(j$qtwj5*5k5-5HOHOeoewuHOeoetewueue-115jj222k,(5*1$1*k&*(j$qtwj$prtk5-5z(x(*! (c'x'7$+!c&xtHOeoewewueue-115jj222k,(5*1$1*k&*(j$qtwj$prtk5-5z(x(*! (c'x'7$+!c&xwHOeoevewueue-115jj222k,(5*1$1*k&*(j$qtwj$prtk5-5z(x(*! (c'x'7$+!c&xvHOeoeqewueue-115jj222k,(5*1$1*k&*(j$qtwj$prtk5-5z(x(*! (c'x'7$+!c&xqHOeoepewueue-115jj222k,(5*1$1*k&*(j$qtwj$prtk5-5z(x(*! (c'x'7$+!c&xpHOHO eoeqvwuete-115jj222k,(5*1$1*k&*(j$qtwj k = HO
Back to Top
 

rpggamergirl
Forum Moderator




Date Joined Dec 2005
Total Posts : 1562
 
   Posted 4/20/2006 4:42 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
plumberg,
Can we have a look at your Hijackthis log?


Can't post nor return messages on Apr. 22 to 29.
 
~Check out Tony Klein's article "How Did I Get Infected in the First Place?"
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

Back to Top
 

plumberg
New Member


Date Joined Apr 2006
Total Posts : 5
 
   Posted 4/20/2006 6:39 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Heres the HijackThis Log file.....
 
Thanks for your time and help :)
 
Logfile of HijackThis v1.99.1
Scan saved at 9:09:37 PM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Symantec\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Symantec\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Symantec\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\FamilyKeyLogger\cisvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ProxyPlus\ProxyPlus.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mdm.exe
C:\Documents and Settings\nainil\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.118.255.60:50050
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\nainil\Application Data\Mozilla\Profiles\default\h36qs3hp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nainil\Application Data\Mozilla\Profiles\default\h36qs3hp.slt\prefs.js)
O1 - Hosts: 203.94.240.82 www.irctc.co.in
O1 - Hosts: 203.94.240.82 irctc.co.in
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [FamilyKeyLogger] C:\Program Files\FamilyKeyLogger\cisvc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe" ""
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: https://*.webconference.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BC1A651-6472-4815-AE0B-B65586FD6276}: NameServer = 192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C109E30-BC54-4388-A632-DF6106B0811B}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BC1A651-6472-4815-AE0B-B65586FD6276}: NameServer = 192.168.1.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\Rtvscan.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - C:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Back to Top
 

rpggamergirl
Forum Moderator




Date Joined Dec 2005
Total Posts : 1562
 
   Posted 4/21/2006 3:24 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
 
Fix this entry in Hijackthis:
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe" ""
 
and delete this file below, (do not delete svchost.exe inside system32 folder)
C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe
 
 
see if that helps.


Can't post nor return messages on Apr. 22 to 29.
 
~Check out Tony Klein's article "How Did I Get Infected in the First Place?"
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

Back to Top
 

plumberg
New Member


Date Joined Apr 2006
Total Posts : 5
 
   Posted 4/21/2006 7:10 AM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Hello,

I think it was a mistake from my side.

After deleting the registry entries and renaming the culprit DLL, i did not restart the PC. Hence, I believe the .tmp.exe files were being created.

I restarted the PC an hour ago, and till now, I have not seen any tmp file generation.... Hope the problem is solved once and for alll :)

Kudos to merpgamer and rpggamergirl !!!

Thank you.....

-Plumberg
Back to Top
 

Aditya
New Member


Date Joined May 2006
Total Posts : 3
 
   Posted 5/19/2006 9:38 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
i have found a win29AE.tmp.exe
and this is my log :
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\MoodLogic\Service\MLService.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\Aditya\Local Settings\Temporary Internet Files\Content.IE5\BE995RFS\1143656808StartupList.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Aditya\Local Settings\Temporary Internet Files\Content.IE5\RG378I47\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Service] C:\Program Files\MoodLogic\Service\MLService.exe
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZGYYYYYYYYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2405.exe
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



are there any problems?
Back to Top
 

rpggamergirl
Forum Moderator




Date Joined Dec 2005
Total Posts : 1562
 
   Posted 5/21/2006 1:26 PM (GMT +3)    Quote: Win##.tmp.exe - Help!Alert an admin about: Win##.tmp.exe - Help!
Aditya,
You posted your hijackthis log twice.
I already replied to your other topic.


Check out Tony Klein's article "How Did I Get Infected in the First Place?"
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
  
Back to Top
 
New Topic Post reply to : Win##.tmp.exe - Help! Printable version of : Win##.tmp.exe - Help!
 
Forum Information
Currently it is Monday, July 28, 2014 9:20 AM (GMT +3)
There are a total of 60,529 posts in 13,304 threads.
In the last 3 days there were 1 new threads and 4 reply posts. View Active Threads
Who's Online
This forum has 36179 registered members. Please welcome our newest member, laurenschultz.
2 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Bullguard removes CODWAW.exe says its a trojen generic (1)7/26/2014 5:56:15 PM (Andreea-Luciana Ostache)
Virus Through Email (8)7/25/2014 10:44:18 PM (tbush004)