Win##.tmp.exe - Help!

Posted 2/24/2006 11:17 AM
#28455
ale_jrb Member

Date Joined Nov 2016
Total Posts: 1
Hi,

This program (win##.tmp.exe where ## is replaced by something random 2 or 3 letters or numbers long) keeps opening itself over and over. I have tried all the removal instructions in the sticky and searched for the problem, found one result and tried that as well, and still nothing. Here's the HiJack this log...

Thanks very much :).
Posted 2/24/2006 11:26 PM
#28475
rpggamergirl Advanced member

Date Joined Nov 2016
Total Posts: 938
Hi,

Did you have your media player set to launch at startup?

Have hijackthis fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {45043008-FF90-FE6D-96AE-808ADCA7FD9E} - C:\WINDOWS\system32\ggshkn.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll

Please download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip

Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them. Don't run a scan yet.

Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.

Also Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7
Close all windows before continuing.
Double-click "Look2Me-Destroyer.exe" to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.

Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Can you also post the About:Buster log?
* You may pm me if you're still waiting for my follow-up post.
Posted 2/25/2006 5:13 PM
#28494
SgtJkR1 Member

Date Joined Nov 2016
Total Posts: 2
Have the same thing going on. I went an extra step and downloaded ProcessExplorerNT and see that these are in the winlogon.exe area as well, not sure if that means anything. Am going to try to do this step and will post results also. I also had noticed the Spy Falcon program was added as well and did the uninstall steps for that and it seems successful so far.
Posted 2/25/2006 6:28 PM
#28498
SgtJkR1 Member

Date Joined Nov 2016
Total Posts: 2
No luck. I see that in the C:/Windows/Temp directory there are Win##.tmp files that seem to get added every 2 minutes on the dot. Not a big deal, they are 0 on file size, but they spawn these win##.tmp.exe files. Not sure if it is the same thing the other person is seeing or not.
Posted 2/25/2006 9:47 PM
#28505
rpggamergirl Advanced member

Date Joined Nov 2016
Total Posts: 938
SgtJKr1,
Try About:Buster that I suggested on this thread.
Also post your hijackthis log (make another thread for it)

Also run these diagnostic scans and let's see what they come up with:
Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
* You may pm me if you're still waiting for my follow-up post.
Posted 2/26/2006 10:56 PM
#28565
Hugh Jorgan Member

Date Joined Nov 2016
Total Posts: 1
I am having the same problem here. Multiple win??.tmp files that are blank being created in the c:\windows\temp folder. I say multiple, but it's actually around 3,000 of them. Then the random win???.tmp.exe files load in the process viewer. If you kill the process, another will load in exactly 2 minutes. If left untouched, it will continue to keep loading random win???.tmp.exe files until there are a total of 5 or 6 running. It will not load any more after that. But each one will attempt to connect to something, I simply deny the connection as that is all I can do for now. From my research, it apparently has infected the winlogon.exe or the dll's associated with it. Mine shows that the file named winrge32.dll is infected, which is not a file name that I recognize. I have followed all of the advice on here, but to no avail. I have just completed the silent runner program, here is my link to the log file created: http://www.rafb.net/paste/results/6KdsXk51.html . Any help with getting this annoying thing removed would be incredible. The only thing annoying about it is that every time it loads one of the random files, it takes the focus away from whatever you're doing. So if you're playing a game fullscreen, it will take the focus away, minimize it and it appears to become corrupted. (ie: can't Alt-Tab back to game). Oh and one more thing, all these files apparently generate from a file named universa.exe. I have never seen this file on my system before, but when you do a properties on one of the random exe files in windows\temp, that is the information supplied. Hope this helps someone get rid of this thing. If anyone does, please post a fix. Thanks everyone.
Post attachments:
crap.gif
Posted 2/27/2006 12:15 AM
#28569
Andrei Ionescu Advanced member

Date Joined Nov 2016
Total Posts: 43
Hi,

If you keep on interfering with new logs in someone else's thread, thus NOT respecting in any way the forum rules, http://www.bullguard.com/forum/5/FORUM-RULES-PLEASE-READ-BEFORE_20312.html, you will leave me no choice but to delete all your posts and leave the problems unresolved.

The rules were created for our and your benefit, and WILL be respected. :jumpin: The first consequence will be that you will not receive specific assistance for each of your problems.

Therefore, please access this related thread for more information regarding this new mutant variant of the Nimda virus:

http://www.bullguard.com/forum/5/Help-to-ID-and-remove-unknown-_28547.html

Once you have established the culprit .dll file responsible for the infection, personalize the instructions in the removal steps and carry them out.

Get back to us with the outcome of the recommended instructions.

Andrei Cristian Ionescu

QA Team Member

BullGuard Software Ltd.

Cell phone: +40 724.276.719

Do not PM me with logfiles. They will be deleted
Posted 2/28/2006 9:34 PM
#28631
Paul.f Member

Date Joined Nov 2016
Total Posts: 3
Hi guys, I have the same problem and I have also noticed that in my internet connections list there are 2 more connections that have been created somehow, I'm guessing it's because of this win##.tmp.exe problem.

I have run the programs that are suggested in this forum and they seem to have stopped the win##.tmp.exe programs from being created but not the win##.tmp files, although it has stopped them from creating every 2 minutes.

Also I've downloaded a program called Empty Temp Folder which has helped in deleting the temp folders that aren't being used.

But every time I start my pc there are still 4 files that get created
Posted 3/1/2006 12:57 AM
#28635
gary balkam Member

Date Joined Nov 2016
Total Posts: 1
SOLUTION TO win##.tmp.exe
first.. copy down the location of the files it should be..
c:/windows/temp
next restart your computer, pressing f8 to boot into boot options menu.
select 'safemode with command prompt' this loads safe mode, cmd prompt, and nothing else.
next type cd.. enter and cd.. enter again, to change to the C directory
next type cd windows (enter) then cd temp (enter) then type del win*.*
when finished, type dir (directory list) and delete any files remaining, this is safe, no files in the temp folder are necessary to running windows, just a storage box for things like images etc.
exit cmd and ctrl+alt+del to pull up task manager, select restart from the drop down menus.
this is with windows xp home, should work with all versions using the same principle,
hope this helps
gary balkam
Oh, and get Xoftspy to remove the spyfalcon problem (if you have this as well, as i did)
Posted 3/1/2006 12:01 PM
#28642
Paul.f Member

Date Joined Nov 2016
Total Posts: 3
I have just given that a go but when I get to the point to type in cd temp it says the location cannot be specified

I am running windows xp home

Please help
Posted 3/1/2006 7:39 PM
#28648
Paul.f Member

Date Joined Nov 2016
Total Posts: 3
Hey guys, If you are still having problems with this you can download spyware doctor

I downloaded it and the problem seems to have gone 100%
Posted 3/16/2006 2:43 AM
#28960
merpgamer Member

Date Joined Nov 2016
Total Posts: 4
This is a real pain in the posterial cavity, and I've been spending the last 3 days since it got on my system trying to track down what is causing it. I believe I've found the answer, but here is a description of what it does, so if this is what you or anyone else reading this is seeing, then this may be the answer for you.

(and you won't need to download or install any other programs to fix it!)

The initial problem seems to be an icon on the desktop called "Access Members Area.exe" with a picture of a woman's face on it, which keeps reappearing after about 20 minutes or less even when you permanently delete it.

Additionally, popup adverts come on your screen even when you're not actually browsing, and take the focus off whatever you're doing at the time. Very annoying!

If you try CTRL+ALT+DEL to bring up the Task Manager, you'll notice a process called something like "winXX.tmp.exe", where XX is some random hex value producing for example "win2C.tmp.exe". End the process and it will reappear with a different value for the XX part after about 20 minutes.

Not only that, but if you look in your C:\Windows\Temp folder you'll see a whole load of files of zero length called winXX.tmp, again following the hex value system for the XX part of the filename and changing each time. These reappear every 2 minutes, even when you delete them all and even when you stop the above process. It will all restart again.

What the thing is actually doing is acting as a dialer program. But a very clever one. Because even if you're on broadband like me, it still has a go at connecting to the servers to self-replicate itself and bring up advertising. If you want to know who wrote these programs, check out the security certificate for the "Access All Areas.exe" file. You'll find that it's a company called Global Acces (yes, that's one 's' at the end) and they write (guess what?) dialer programs. Their website is http://www.global-acces.com

You can see from their site (look at their banners link) that they promote the idea of using these dialers to make our computers automatically disconnect then dial up premium rate numbers and connect to porn sites with "nasty XXX-rated video clips" and other porn material. They don't seem to own the porn sites, but they do write the software that takes over our computers in this way and in the background connects to sites with ActiveX scripts. In my opinion their methods are reprehensible as they provide no option to uninstall the offending item.

I even emailed them and told them my dilemma and this was their response:

"To me it sound like you have your computer infected with an unwanted program, that somehow triggers / install our dialler application.
In most cases it can be found by running a Virus scanner and installing a Firewall that monitor BOTH your incoming and your outgoing traffic, ie: if you have a program installed that is set to automatically download / send data from your computer it is not stopped by firewalls that do not monitor your OUTGOING traffic. Example of a firewall that do not do that is Windows firewall or any kind of NATD service.
I highly recommend Sygate Personal Firewall which is a free firewall that can be downloaded from www.tucows.com
When you have found the source for the unwanted behaviour I will be happy to assist you in removing it.
Best Regards,
Morten Due
Global Accés "

Anyway, a firewall could only be configured to stop this program getting its fingers out into the internet. It would still be running on my system and self-replicating whether I'm online or not, and I'm not happy about that.

Since I've read about others having this problem on this forum and other ones, it appears that just deleting those files even in safe mode still didn't fix the problem, nor did downloading loads of the recommended spyware destroyers, so I set about finding all files that were created or modified about the time the problem started, and after a long time I tracked it down to a single dll file that must have crept in on the back of another program installation.

The sneaky little file is called "winjcr32.dll", although it comes in variations of this but is usually of the format "win" followed by 3 letters then "32.dll", and is found in the C:\Windows\System32 folder.

It also has an entry in the registry, located at:

HKEY_LOCAL_MACHINE\Microsoft\Windows NT\Current Version\Winlogon\Notify\winjcr32 (or whatever your version is called)

To stop it from doing anything, first of all use Task Manager (CTRL+ALT+DEL) to end the process of "winXX.tmp.exe".

Next, open your C:\Windows\Temp folder and delete all the winXX.tmp.exe files and winXX.tmp files there (note that if you didn't end the process first you can't delete the tmp.exe file, so make sure the processes are ended).

Then rename your offending dll file or delete it. I renamed mine to "winjcrdll.old" and it has not tried replicating since then, even when I did a restart. I will be deleting it though.

Then delete its entry in your registry (shown above) using "regedit".

Then clear your Temporary Internet Files so you don't go picking the file up again. To make extra certain (because Internet Explorer doesn't always do a great job of it), open up Windows Explorer at "C:\Documents and Settings\YOUR_USER_NAME\Local Settings\Temporary Internet Files\Content.IE5" and check in each of the subfolders there for a file called "wdinit64[1].exe" where the [1] could be any other number as well. Delete those files, because careful searching showed that these were the files being linked to by the dialer program.

Oh yes, and you can now delete that desktop file called "Access Members Area.exe".

And there you have it!

My system is now free of it, and I can't say I'm glad enough. I hope this info helps anyone else who's been having the same headaches as me over this, and you don't really need to download anything for it to get rid of it.

However, do make sure you get a good spyware killer anyway, because this program may have piggybacked in on some other adware or spyware program you installed, so clean your system regularly anyway.

Now I can use my computer again!
Posted 4/3/2006 4:56 AM
#29457
Bader40 Member

Date Joined Nov 2016
Total Posts: 1
I somehow got this little bugga on my computer and I've spent ages on the internet trying to find a solution, and I found it at http://www.ccleaner.com/ . This amazing piece of freeware worked when many others failed miserably (I ran it once and my computer is now completely clean). Give it a go.
Posted 4/20/2006 2:14 AM
#30065
Reisinger Member

Date Joined Nov 2016
Total Posts: 1
I did what merpgamer had suggested and it seems to have worked although I am still getting two files that get created every time I boot up after getting rid of them in safe mode. The files are:

Perflib_Perfdata_494

T30DebugLogFile

I don't have win???.tmp or win???.tmp.exe files being created any more and want to make sure the files above are a the start of this again. Any suggestions?

Kurt
Posted 4/20/2006 3:27 AM
#30069
chief Member

Date Joined Nov 2016
Total Posts: 2
Hey guys... better follow what merpgamer has shared with you... his solution works for us who encountered the same problem with what you have right now... however, merpgamer may have overlooked the correct HKEY entry in your Windows registry... the correct HKEY entry in your Windows registry is "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinXXX32".... :yeah:
Posted 4/20/2006 11:22 AM
#30088
plumberg Member

Date Joined Nov 2016
Total Posts: 5
Hello.... I tried what merpgamer had mentioned...

First killing all processes from the Task Manager (of course, the Win##.tmp.exe ones)
next, deleting the files from c:\window\temp folder
I renamed the file c:\windows\system32\winzoo32.dll to winzoo32.old
I deleted the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winzoo32

Cleared the temporary Internet cache files....

However, after some time, some other WIN###tmp.exe file comes up...
Here, the ### are usually digits...

I don't know where I have gone wrong....

If someone could help, it would be appreciated.

Thanks.
-Plumberg C
Posted 4/20/2006 12:03 PM
#30092
plumberg Member

Date Joined Nov 2016
Total Posts: 5
Also, the files are coming uniformly at 20 mins intervals........
Posted 4/20/2006 12:36 PM
#30098
plumberg Member

Date Joined Nov 2016
Total Posts: 5
This is the code in one of the .tmp files...
Posted 4/20/2006 1:42 PM
#30110
rpggamergirl Advanced member

Date Joined Nov 2016
Total Posts: 938
plumberg,

Can we have a look at your Hijackthis log?
* You may pm me if you're still waiting for my follow-up post.
Posted 4/20/2006 3:39 PM
#30113
plumberg Member

Date Joined Nov 2016
Total Posts: 5
Here's the HijackThis log file.....

Thanks for your time and help :)

Logfile of HijackThis v1.99.1
Scan saved at 9:09:37 PM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Symantec\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Symantec\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Symantec\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\FamilyKeyLogger\cisvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ProxyPlus\ProxyPlus.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mdm.exe
C:\Documents and Settings\nainil\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.118.255.60:50050
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\nainil\Application Data\Mozilla\Profiles\default\h36qs3hp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nainil\Application Data\Mozilla\Profiles\default\h36qs3hp.slt\prefs.js)
O1 - Hosts: 203.94.240.82 www.irctc.co.in
O1 - Hosts: 203.94.240.82 irctc.co.in
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [FamilyKeyLogger] C:\Program Files\FamilyKeyLogger\cisvc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe" ""
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: https://*.webconference.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BC1A651-6472-4815-AE0B-B65586FD6276}: NameServer = 192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C109E30-BC54-4388-A632-DF6106B0811B}: NameServer = 203.94.227.70,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BC1A651-6472-4815-AE0B-B65586FD6276}: NameServer = 192.168.1.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\Rtvscan.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - C:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Posted 4/21/2006 12:24 AM
#30116
rpggamergirl Advanced member

Date Joined Nov 2016
Total Posts: 938
Fix this entry in Hijackthis:
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe" ""

and delete this file below (do not delete svchost.exe inside system32 folder):
C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe

See if that helps.
* You may pm me if you're still waiting for my follow-up post.
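The three indicators named in this thread (a Winlogon Notify DLL named "win" + 3 letters + "32.dll", a running winXX.tmp.exe, and a Run entry for svchost.exe outside system32) can be checked mechanically against a HijackThis log. This is an added example, not part of any post or of HijackThis itself; the sample log is constructed from names quoted in the thread, and the rule names and the SYSTEM32_ONLY list are assumptions.

```python
import ntpath
import re

# Assumption: image names that, on Windows XP, legitimately live only in system32.
SYSTEM32_ONLY = {"svchost.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "smss.exe", "spoolsv.exe"}

# Name patterns as described in the thread.
NOTIFY_DLL = re.compile(r"^win[a-z]{3}32\.dll$", re.I)           # e.g. winjcr32.dll
DROPPER_EXE = re.compile(r"^win[0-9a-z]{2,4}\.tmp\.exe$", re.I)  # e.g. win29AE.tmp.exe

# HijackThis line shapes for the two sections the thread relies on.
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]+\] (?P<cmd>.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: .+? - (?P<path>.+)$")
EXE_IN_CMD = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)(?=\s|$)', re.I)
PROCESS_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def exe_from_command(cmd):
    """Return the executable path from a Run value, quoted or unquoted."""
    m = EXE_IN_CMD.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else None


def masquerades(path):
    """True if a system32-only image name is given with some other folder."""
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    name = ntpath.basename(path).lower()
    # A bare name with no folder resolves through PATH, so it is not flagged.
    return name in SYSTEM32_ONLY and folder != "" and not folder.endswith("\\system32")


def scan(log_text):
    """Return (rule, path) findings for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O20_NOTIFY.match(line)
        if m:
            if NOTIFY_DLL.match(ntpath.basename(m["path"])):
                findings.append(("winlogon-notify-dll", m["path"]))
            continue
        m = O4_RUN.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            if exe and masquerades(exe):
                findings.append(("system-name-outside-system32", exe))
            continue
        if PROCESS_PATH.match(line):  # a line of the "Running processes" list
            if DROPPER_EXE.match(ntpath.basename(line)):
                findings.append(("dropper-process", line))
            elif masquerades(line):
                findings.append(("system-name-outside-system32", line))
    return findings


# Constructed sample in HijackThis format. The ServiceHost line is the one
# flagged in the thread; the win29AE and winzoo32 lines are built from file
# names that posters mention.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Temp\win29AE.tmp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ServiceHost] "C:\Program Files\Java\j2re1.4.2_06\bin\svchost.exe" ""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winzoo32 - C:\WINDOWS\system32\winzoo32.dll
"""

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_LOG):
        print(f"{rule:32} {path}")
```

A name-pattern match is a lead to inspect, not proof: confirm the file's creation time and vendor before removing anything.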
Posted 4/21/2006 4:10 AM
#30122
plumberg Member

Date Joined Nov 2016
Total Posts: 5
Hello,

I think it was a mistake from my side.

After deleting the registry entries and renaming the culprit DLL, I did not restart the PC. Hence, I believe the .tmp.exe files were being created.

I restarted the PC an hour ago, and till now, I have not seen any tmp file generation.... Hope the problem is solved once and for all :)

Kudos to merpgamer and rpggamergirl !!!

Thank you.....

-Plumberg
Posted 5/19/2006 6:38 PM
#30748
Aditya Member

Date Joined Nov 2016
Total Posts: 3
I have found a win29AE.tmp.exe
and this is my log:

Are there any problems?
Posted 5/21/2006 10:26 AM
#30801
rpggamergirl Advanced member

Date Joined Nov 2016
Total Posts: 938
Aditya,

You posted your hijackthis log twice.

I already replied to your other topic.

http://www.bullguard.com/forum/10/tmpexe_30765.html
* You may pm me if you're still waiting for my follow-up post.