Solved

tmphp32.inf fills hard drive

Posted on 2006-11-15
Last Modified: 2008-01-09
On 2 computers I have a tmphp32.inf file at /windows/inf/tmphp32.inf that fills the hard drive, on the order of 22-30 GB.

OK, some specs on the systems:

Both are windows xp sp2
Hard Drives 30, 40 GB
Ram 512 MB
AV Symantec Corp 8 with all updates; real time protection was disabled on one computer but not the other.
Network has 8 workstations & 1 server 2k

Work done so far:

Boot into safe mode and rename the file; reboot into regular mode. The file recreates itself and fills any hard drive space left. Deleted the renamed file to make space on the drive; the new inf does not grow past its original size of 935 MB.

HijackThis: nothing out of the ordinary, just standard stuff (I use it every day on hundreds of systems)

Housecall found nothing

Done in safemode
Stinger found nothing

CCleaner found registry entries for programs that were uninstalled, but nothing looking wrong

Dr. Web found nothing

Icesword did not find anything that should not be running

Will update on tasks done; any thoughts let me know.
Question by:Hacking_For_Christ
14 Comments
 
LVL 27

Expert Comment

by:David-Howard
ID: 17951962
After all that you have done, this sounds like a tough one.
Have you tried going into Safe Mode and then starting MSCONFIG?
I wonder if this thing is hanging out in the Startup menu.
David
 
LVL 6

Expert Comment

by:Mnf
ID: 17954264
Go to www.sysinternals.com and grab the Filemon utility. Set a filter for your "tmphp32.inf" file and let it run. This shows you which process has file activity on your file.
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17956010
Yeah, I tried these with no luck, thanks. I found it in the registry under Search Assistant. I deleted all the keys with it and removed the file, but it comes back. Also, the file turns itself off and deletes itself when I do an AV scan with Symantec.
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17956472
I used FileMon with one computer off and filtered on tmphp32.inf. Nothing was going on until I started the other computer; then the virus was turned on. The process used was svchost.exe. I turned off the other computer and the process kept filling the drive. Once I killed the process (it was also using 100% CPU) it went dormant. Then I could delete the file. Below is the FileMon log.

1      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read      
2      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation      
3      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileBasicInformation      
4      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24      
5      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA      NOT FOUND      Options: Open  Access: Read      
6      10:08:17 AM      explorer.exe:1784      CLOSE      C:\WINDOWS\INF\tmphp32.inf      SUCCESS            
7      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read      
8      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation      
9      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileBasicInformation      
10      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24      
11      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA      NOT FOUND      Options: Open  Access: Read      
12      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA      NOT FOUND      Options: Open  Access: Read      
13      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
14      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
15      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
16      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
17      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
18      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
19      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
20      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
21      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
22      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
23      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
24      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
25      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
26      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
27      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
28      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
29      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
30      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
31      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
32      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
33      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
34      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
35      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
36      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
37      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
38      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
39      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
40      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
41      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
42      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
43      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
44      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
45      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
46      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
47      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
48      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
49      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
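An added example, not part of the thread and not code from any tool named in it: a small parser for FileMon-style lines like the ones pasted above that summarises, per process, how many operations touched the file and which process actually extends it. The embedded log excerpt is constructed for the example; the explorer.exe lines mirror the posted log (Explorer opening the file and probing named streams), while the svchost.exe WRITE lines are invented to show what a writer looks like, with offsets growing by one block per record. Column handling assumes the tab-separated FileMon columns have collapsed into runs of spaces, as in the paste.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# FileMon writes tab-separated columns: seq, time, process:pid, operation, path,
# result, details. In the pasted log the tabs have collapsed into runs of spaces,
# so split on two or more whitespace characters; the operation "QUERY INFORMATION"
# and the result "NOT FOUND" contain a single space and survive this.
COLUMNS = re.compile(r"\s{2,}")
OFFSET = re.compile(r"Offset:\s*(\d+)\s+Length:\s*(\d+)")

# File the question is about. Alternate-data-stream probes such as
# tmphp32.inf:SummaryInformation:$DATA share this prefix and are counted too.
TARGET = r"C:\WINDOWS\INF\tmphp32.inf"

# Constructed sample (assumption, not captured data): the explorer.exe lines mirror
# the log posted above; the svchost.exe lines are invented for this example.
SAMPLE_LOG = r"""
1      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read
2      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation
3      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24
4      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read
5      10:08:18 AM      svchost.exe:1340      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Write
6      10:08:18 AM      svchost.exe:1340      WRITE      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 980418560 Length: 65536
7      10:08:18 AM      svchost.exe:1340      WRITE      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 980484096 Length: 65536
8      10:08:19 AM      svchost.exe:1340      WRITE      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 980549632 Length: 65536
"""


@dataclass
class ProcStats:
    ops: int = 0
    writes: int = 0
    high_water: int = 0          # furthest byte any WRITE reached (offset + length)
    results: set = field(default_factory=set)


def parse_line(line):
    """Split one FileMon line into its columns; returns None for non-record lines."""
    parts = COLUMNS.split(line.strip())
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    _seq, _time, proc, op, path, result = parts[:6]
    return {"proc": proc, "op": op, "path": path, "result": result,
            "details": " ".join(parts[6:])}


def summarize(log_text, target=TARGET):
    """Per-process activity on `target` (case-insensitive path-prefix match)."""
    stats = defaultdict(ProcStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().startswith(target.lower()):
            continue
        s = stats[rec["proc"]]
        s.ops += 1
        s.results.add(rec["result"])
        if rec["op"] == "WRITE":
            s.writes += 1
            m = OFFSET.search(rec["details"])
            if m:
                s.high_water = max(s.high_water, int(m.group(1)) + int(m.group(2)))
    return dict(stats)


def writers(log_text, target=TARGET):
    """Processes that extend the file, most advanced writer first. A process that
    only opens and reads the file (explorer.exe here) never appears in this list."""
    return sorted(((proc, s.high_water) for proc, s in summarize(log_text, target).items()
                   if s.writes), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for proc, s in summarize(SAMPLE_LOG).items():
        print(f"{proc:22} ops={s.ops:3} writes={s.writes:3} high_water={s.high_water}")
    print("writers:", writers(SAMPLE_LOG))
```

The point of separating `writers()` from `summarize()` is that a filter on the file name alone lists every process that so much as opens it; only WRITE records with an advancing offset identify the process that is growing the file, and that is the process (and PID) to kill and trace back to its image path.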
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17956876
I have run MSconfig and nothing bad is running. I found a reference to a Yahoo page but no answer: http://answers.yahoo.com/question/index?qid=20061104122640AAOOM2P
 
LVL 6

Expert Comment

by:Mnf
ID: 17956933
OK,
do you have this file in your inf folder: "syshost.exe"?
And would you please try HijackThis
http://download.hijackthis.eu/hijackthis_199.zip
and paste your log file here...
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17957141
Yes, it is svchost.exe; it is in /windows/inf/svchost.exe

Logfile of HijackThis v1.99.1
Scan saved at 11:22:13 AM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\ACT\ACT for Win 7\Act7.exe
F:\Spyware & Virus\HijackThis.exe
C:\WINDOWS\inf\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/page/lexis.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1108.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04110BC2-B8B9-4CDD-8923-8C7C90F8B6A0} - http://monsterclient.tickle.com/download/client/Monster%20Companion%20Installer.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure.mybroadline.com/CFIDE/classes/CFJava.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/cfweb_activex.camfrogweb.com-advanced_instmodule.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\Software\..\Telephony: DomainName = floridalegalsearch.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\windows\system32\r_server.exe" /service (file missing)

 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17957246
The virus restarts itself after a random amount of time when I kill the svchost.exe process that is using 100%.
I scanned one of the computers' hard drives as a secondary drive and it found nothing but a corrupt archive:
\windows\csc\d7\80000096
This may not have anything to do with it, but I just wanted to put it in.
 
LVL 6

Accepted Solution

by:
Mnf earned 500 total points
ID: 17957340
OK, sorry for the delay.
We have W32.Francette.Worm on your system.
Follow this to eliminate the virus:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-111806-5041-99&tabid=3
Please unplug your PC from the network, and scan the other PCs on your local network for this virus.

Please go here, and you will find an analysis of your HijackThis report; look for anything nasty in your HijackThis log and fix it:
http://www.hijackthis.de/logfiles/ad3e79cb353013f6a0493886a3023c85.html
 
LVL 6

Expert Comment

by:Mnf
ID: 17957468
After you do the above, scan your PC with an online antivirus scanner. I don't know why your antivirus didn't catch the virus (maybe it is corrupted), so we have to make sure that you don't have any other bugs on your system.
I like to use Kaspersky; try this online:
http://usa.kaspersky.com/services/free-virus-scanner.php

Try this free/valuable utility to scan your PC locally for spyware (after you scan your PC with an antivirus other than the one you have): SpyBot
www.safer-networking.org/en/download/
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17958049
I looked at the Symantec site and it did not apply to the processes and registry entries, but the HijackThis log analysis was GREAT. The file svchost.exe was the issue. I killed the process and renamed the file and all is good now. If anyone wants, I can email them a present; all you have to do is double-click it. :)
Thanks for all the great help.
 
LVL 3

Expert Comment

by:StephenJaffe
ID: 17980688
Are you guys sure that this is the solution for this particular problem?  I have two computers in our network that are showing signs of the TMPHP32.inf growth, but no SVCHOST.EXE short of the two in SYSTEM32 and the service pack directory...

I'm going now to see if one of the two has the same problem, maybe it's just that.

Thanks for the help

Stephen
 
LVL 3

Expert Comment

by:StephenJaffe
ID: 17983457
Actually, after some more looking into this particular one... there is an SVCHOST.EXE.INI in the windows\inf directory. I deleted it in Safe Mode and we seem to have stopped, at least for the moment. Does anybody know of a virus checker that will actually catch this one?

Thanks

Stephen
 

Expert Comment

by:rdgit
ID: 17988305
This is the solution to your problem. Please delete the files below if you find them on your PC. Also make sure you remove the following registry key.
You may have to use Process Explorer to terminate the svchost.exe:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

There is a service that it registered itself under which is not a valid Windows service:
"Windows Management Licence Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSLService


C:\WINDOWS\inf\svchost.exe   <---- This is not a valid Windows file (the valid svchost.exe file is C:\Windows\system32\svchost.exe)
C:\WINDOWS\inf\tmphp32.inf    <----- This is the file it would create and keep writing to until it used up all hard drive space.
C:\WINDOWS\readmelog.inf    <------ Also created this file, with a bunch of adware websites listed within it.
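An added example, not part of the thread and not from HijackThis or any tool named here: a triage script that reads a HijackThis log of the kind posted above and checks it against the indicators rdgit and StephenJaffe describe, namely a svchost.exe (or other core system binary) running from anywhere other than its normal directory, a service registered as WMSLService, a service with no recorded owner or a missing binary, and the file paths listed. The embedded log is a constructed excerpt: most lines are copied from the posted log, and the WMSLService O23 line is made up from rdgit's description to show what a match looks like, since the posted log does not contain it. Paths assume the Windows directory is C:\WINDOWS, as in the log.

```python
import re
from pathlib import PureWindowsPath

# Genuine locations of core Windows binaries, relative to the Windows directory
# (assumed C:\WINDOWS as in the posted log); explorer.exe lives in that directory itself.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}

# Indicators named in the thread: rdgit's file list and service name, plus the
# svchost.exe.ini StephenJaffe found. Matched as case-insensitive path suffixes.
IOC_FILES = (r"\windows\inf\svchost.exe", r"\windows\inf\tmphp32.inf",
             r"\windows\readmelog.inf", r"\windows\inf\svchost.exe.ini")
IOC_SERVICES = {"wmslservice"}

ITEM = re.compile(r"^[RFNO]\d+ - ")       # any HijackThis item line (R0, O4, O23, ...)
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - "
                     r"(?P<owner>.+?) - (?P<path>.+)$")

# Constructed excerpt: lines copied from the posted log, plus one made-up
# WMSLService line (assumption based on rdgit's description, not captured data).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\inf\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\windows\system32\r_server.exe" /service (file missing)
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe
"""


def check_process(path, windir=r"C:\WINDOWS"):
    """Reason string if `path` is a core system binary running outside its home, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIR:
        return None
    want = str(PureWindowsPath(windir, EXPECTED_DIR[name])).lower()
    if str(p.parent).lower() != want:
        return f"{name} running from {p.parent} (expected {want})"
    return None


def is_ioc_path(path):
    return path.lower().rstrip().endswith(IOC_FILES)


def triage(log_text):
    """Return (kind, evidence, reason) findings for a HijackThis log."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if ITEM.match(line):
            in_procs = False           # first item line ends the process list
        if in_procs:
            reason = check_process(line)
            if reason:
                findings.append(("process", line, reason))
            if is_ioc_path(line):
                findings.append(("ioc-file", line, "path named in the thread"))
            continue
        m = SERVICE.match(line)
        if not m:
            continue
        reasons = []
        if m["short"].lower() in IOC_SERVICES:
            reasons.append("service name named in the thread")
        if "unknown owner" in m["owner"].lower():
            reasons.append("no publisher recorded for the binary")
        if "(file missing)" in m["path"]:
            reasons.append("service binary missing on disk")
        bad_home = check_process(m["path"])
        if bad_home:
            reasons.append(bad_home)
        if is_ioc_path(m["path"]):
            reasons.append("binary path named in the thread")
        if reasons:
            findings.append(("service", line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, evidence, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {evidence}\n    {reason}")
```

The directory check is the durable part: the file names in `IOC_FILES` are specific to this one infection, but a process named svchost.exe whose image lives outside %SystemRoot%\system32 is wrong on any Windows XP machine, which is exactly the line in the posted log that the hijackthis.de analysis singled out. The r_server entry is flagged only for review (no publisher, binary reported missing); the log does not say whether Remote Administrator was installed deliberately.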