Tmp2.tmp

I have a file in my temp folder, under my user name, and it will not go away. I have gone into safe mode, erased it, and it keeps coming back. I check for spyware every other day with Ad-Aware SE, EMCO Malware Bouncer, and Spybot Search & Destroy, and they cannot get rid of this. Even my Trend Micro PC-cillin won't help. Then I get popups, and it seems to have a mind of its own. I cannot do a single thing to get rid of this. When I click on the file itself, it disappears, and like 3 more files pop up out of nowhere, and then they go away, and the tmp2.tmp file comes back. I opened the file and got this:

http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=1|720|300|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=2|739|300|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=4|750|350|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=5|700|500|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17180||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17280||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17280||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17280||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=1|720|300|0|17180||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=2|739|300|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=4|750|350|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=5|700|500|0|50||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17180||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17280||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17280||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=3|700|500|0|17280||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=1|720|300|0|17180||||
http://ads1.searchmiracle.com/ads/ad.php?country=1&pos=2|739|300|0|50||||

I was referred here by HAWK of Icrontic Forums.

Comments

  • Dexter Vancouver, BC Canada
    edited April 2005
    Definitely Adware. This post will be moved to our Spyware/Virus/Trojan Discussion Forum for assistance there. Look for your post there. In the meantime, follow These Instructions to run a program called Hijack This, and post your log file from that program into this thread.

    Dexter...
  • profdlp The Holy City Of Westlake, Ohio
    edited April 2005
    Moved. :)

    You're in good hands here, cellstar21. I'm sure Dexter can help you get your problem(s) solved. :thumbsup:
  • edited April 2005
    Sorry about posting in the wrong place, and I forgot to introduce myself. I'm Jon; I mostly go to Icrontic Forums for info and such. I just came back to check the status on my post, and I read the banner in red at the top of the page, and was like "oh man, better change that to its right place." Sorry, I'll post what happens when I run HijackThis. Thanks SO very much by the way :D
  • profdlp The Holy City Of Westlake, Ohio
    edited April 2005
    No sweat. If I had the problem you've described I'd consider it an emergency too. :D

    The experts in this sort of thing will be sure and find the thread here and get you straightened out. :)
  • edited April 2005
    Ran HijackThis, here's the stuff I got:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:47:32 AM, on 4/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\WINDOWS\system32\applek.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Highjack This (Do Not Erase, JONATHAN)\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleK2] C:\WINDOWS\system32\applek.exe s
    O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteryx32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: CoreCenter.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02A6A415-A3F5-400D-9948-7686BEF5D50F}: NameServer = 151.164.17.201 151.164.11.201
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
    O4 - HKLM\..\Run: [AppleK2] C:\WINDOWS\system32\applek.exe s
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteryx32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\system32\applek.exe
    C:\windows\system32\eliteryx32.exe


    Reboot your computer to go back to normal mode.



    Please run at least two of these online scans.
    Make sure they are set to clean automatically:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    http://www.bitdefender.com/scan/licence.php

    http://housecall.trendmicro.com/housecall/start_corp.asp

    There will be files that these scans will not remove. Please include that information in your next post.


    Reboot and post a new hijackthis log.
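The checklist above (view hidden files, fix the O2/O4/O6 entries, delete the loose executables in Safe Mode) is the manual version of a triage pass over a HijackThis log. The Python script below is an added example, not code from this thread or from HijackThis itself: it parses lines in the log format posted above and flags the same kinds of indicators the helper picked out. The sample lines are copied from the first log in this thread; the rules (a BHO with no file, a Run entry launching a loose executable straight out of the Windows directory, a Run value name that does not resemble its file, IE policy restrictions, entries pointing at missing files) are my own assumptions. A flag is a lead to verify, not a verdict: the same heuristic flags applek.exe, which the poster later confirmed was a legitimate keyboard utility, alongside eliteryx32.exe.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleK2] C:\WINDOWS\system32\applek.exe s
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteryx32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - <body>" style line; the section code tells us which rule set applies.
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Body of an HKLM/HKCU Run entry: "[ValueName] command line".
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First path ending in .exe, even when the unquoted path contains spaces.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)
# Heuristic (assumption): an .exe sitting directly in %windir% or system32,
# with no vendor subfolder, is worth a second look when it autostarts at logon.
WINDIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+\.exe$", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program a Run command launches; for rundll32 return the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    exe = m.group(1) if m else (cmd.split()[0] if cmd else "")
    if exe.lower() == "rundll32.exe":
        rest = cmd[len(exe):].strip()
        return rest.split(",")[0]
    return exe


def name_matches_file(value_name: str, path: str) -> bool:
    """True when the Run value name and the file's stem share an obvious root."""
    stem = re.sub(r"\.[^.]*$", "", path.rsplit("\\", 1)[-1]).lower()
    name = value_name.lower()
    return bool(stem) and (stem in name or name in stem)


def triage_line(section: str, body: str) -> List[str]:
    """Apply the rule set for one section code and return the reasons it tripped."""
    reasons = []
    if section == "O2" and body.endswith("(no file)"):
        reasons.append("BHO registered with no backing file: stale or hidden component, remove the registration")
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = executable_of(m.group("cmd"))
            if WINDIR_EXE_RE.match(exe):
                reasons.append("logon autostart of a loose executable in the Windows directory: confirm the publisher before trusting it")
            if not name_matches_file(m.group("name"), exe):
                reasons.append("Run value name does not resemble the file it launches")
    if section == "O6":
        reasons.append("Internet Explorer policy restriction present: typical of adware locking browser settings on a home PC")
    if section in ("O9", "O16") and "(file missing)" in body:
        reasons.append("toolbar/ActiveX entry points at a missing file: stale registration")
    return reasons


def triage(log: str) -> List[Dict[str, object]]:
    """Return one finding per log line that trips at least one rule, in log order."""
    findings = []
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        reasons = triage_line(m.group("section"), m.group("body"))
        if reasons:
            findings.append({"section": m.group("section"), "line": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run against the sample, the script flags the O2 orphan, both system32 autostarts (only etbrun also fails the name check), the O6 policy line and the O9 entry with its missing file, and leaves the NVIDIA, iTunes and service lines alone. The name-mismatch rule is the one that separates eliteryx32.exe from applek.exe here, which is why the helper asked for confirmation rather than deleting on sight.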
  • edited April 2005
    I'll do that but the applek is a process of a program I downloaded called apple keyboard which makes some keyboard keys function properly. But thank you very much, I'm about to do the things instructed.
  • edited April 2005
    I did what I was instructed to do. I ran one online scan, I got no problems. Then I ran the other. I got 4 viruses, 7 infected files, they got deleted, they were from an old AIM.EXE program. I still see the haunting file, and popups are coming up as I type :( . I can easily block them with the IE popup blocker but the file is still there in TEMP, tmp1.tmp is still there and I cannot DELETE this FILE. Please help. Thank You So Much. It seems to have renamed itself to tmp1 instead of tmp2.
  • edited April 2005
    Under my user in the Documents and Settings folder, I see a file called NTUSER.dat, and its size is changing from 20 KB to 1 KB, and it won't let me open it, says it's being used by Notepad. Is this anything bad? It is literally changing in size while I look at it: 20, 1, 20, 1, 20 KB. I have no idea.
  • edited April 2005
    Sorry for all these replies. The tmp2 and tmp1.tmp files cannot be accessed while I am connected to the internet. So, while I was disconnected, I opened the files in WordPad (there were 3 now), erased the links they had in text, ad links, and saved the empty files. Then I set their attributes to read only, then I encrypted the files; it said I had no access to do so, but I clicked ignore and encrypted them with XP's method, and now they seem to be lying there lifeless. Maybe this will temporarily disable them until you or I can find a solution. You guys probably will though, I'm counting on it, but I'm trying my best too. Thank you for your time and help in advance.
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Please post a new hijackthis log.
  • edited April 2005
    Logfile of HijackThis v1.99.1
    Scan saved at 3:36:21 PM, on 4/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\WINDOWS\system32\applek.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Highjack This (Do Not Erase, JONATHAN)\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleK2] C:\WINDOWS\system32\applek.exe s
    O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteryx32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: CoreCenter.lnk.disabled
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02A6A415-A3F5-400D-9948-7686BEF5D50F}: NameServer = 151.164.17.201 151.164.11.201
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
  • edited April 2005
    Thank you very much. Problem solved. It was Elixery32.exe. It's my fault because I tried to look for it in Normal Mode. I went back again and did the search for the file in Safe Mode, found it, now everything is solved. Thank You again, everyone involved. No Temp1.tmp or Tmp2.tmp or popups. Hope nothing comes back.
This discussion has been closed.