Solved

tmphp32.inf fills hard drive

Posted on 2006-11-15
14
2,283 Views
Last Modified: 2008-01-09
On 2 computers I have a tmphp32.inf file in /windows/inf/tmphp32.inf that fills the hard drive, to the order of 22-30 GB.

OK, some specs on the systems:

Both are windows xp sp2
Hard Drives 30, 40 GB
Ram 512 MB
AV Symantec Corp 8 with all updates; real time protection was disabled on one computer but not the other.
Network has 8 workstations & 1 server 2k

Work done so far:

Boot into safe mode and rename the file; reboot into regular mode. The file recreates itself and fills any hard drive space left. Deleted the renamed file to make space on the drive; the new inf does not grow past its original size of 935 MB.

HijackThis: nothing out of the ordinary, just standard stuff (I use it every day on hundreds of systems)

Housecall found nothing

Done in safe mode:
Stinger found nothing

CCleaner found registry entries for programs that were uninstalled, but nothing looking wrong

Dr. Web found nothing

Icesword did not find anything that should not be running

Will update on tasks done; any thoughts, let me know.
0
Question by:Hacking_For_Christ
14 Comments
 
LVL 27

Expert Comment

by:David-Howard
ID: 17951962
After all that you have done, this sounds like a tough one.
Have you tried going in to Safe Mode and then starting MSCONFIG.
I wonder if this thing is hanging out in the Startup menu.
David
0
 
LVL 6

Expert Comment

by:Mnf
ID: 17954264
Go to www.sysinternals.com and grab the Filemon utility. Set a filter for your "tmphp32.inf" file and let it run. This shows you which process has file activity on your file.
0
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17956010
Yeah, I tried these with no luck, thanks; I found it in the registry under Search Assistant. I deleted all the keys with it and removed the file, but it comes back. Also, the file turns itself off and deletes itself when I do an AV scan with Symantec.
0
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17956472
I used FileMon with one computer off and filtered on tmphp32.inf. Nothing was going on until I started the other computer; then the virus was turned on. The process used was svchost.exe. I turned off the other computer and the process kept filling the drive. Once I killed the process (it was also using 100% CPU) it went dormant. Then I could delete the file. Below is the FileMon log.

1      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read      
2      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation      
3      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileBasicInformation      
4      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24      
5      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA      NOT FOUND      Options: Open  Access: Read      
6      10:08:17 AM      explorer.exe:1784      CLOSE      C:\WINDOWS\INF\tmphp32.inf      SUCCESS            
7      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read      
8      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation      
9      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileBasicInformation      
10      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24      
11      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA      NOT FOUND      Options: Open  Access: Read      
12      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA      NOT FOUND      Options: Open  Access: Read      
13      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
14      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
15      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
16      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
17      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
18      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
19      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
20      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
21      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
22      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
23      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
24      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
25      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
26      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
27      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
28      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
29      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
30      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
31      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
32      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
33      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
34      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
35      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
36      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
37      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
38      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
39      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
40      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
41      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
42      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
43      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
44      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
45      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
46      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
47      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
48      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
49      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
0
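The comment above is the key diagnostic step in this thread: a file monitor tells you which process is touching the file, and the offsets in the write records tell you whether that process is the one appending to it until the disk is full. The following is an added example, not code from the thread or from Sysinternals. It parses FileMon-style records (the column order seq, time, process:pid, operation, path, result, details is taken from the log posted above; tab separation is an assumption), folds the alternate-data-stream probes such as `tmphp32.inf\:SummaryInformation:$DATA` back onto the base file, and reports, per process, how many bytes were written and whether the writes were strictly sequential appends. The sample records are constructed: the explorer.exe lines mirror the posted log, and the svchost.exe WRITE lines are assumed, since the poster named svchost.exe as the culprit but did not paste its write records.

```python
"""Triage a FileMon log: which process is filling a given file?"""
import re
from collections import defaultdict

# One FileMon record. Column order follows the log in the thread; tab
# separation is assumed for this example.
RECORD_RE = re.compile(
    r"^(?P<seq>\d+)\t(?P<time>[^\t]+)\t(?P<proc>[^\t]+):(?P<pid>\d+)\t"
    r"(?P<op>[^\t]+)\t(?P<path>[^\t]+)\t(?P<result>[^\t]+)(?:\t(?P<details>.*))?$"
)
OFFSET_RE = re.compile(r"Offset:\s*(\d+)\s+Length:\s*(\d+)")
# Stream / property-set probes ("file\:SummaryInformation:$DATA",
# "file:Raec...:$DATA") refer to the same on-disk file as the base path.
STREAM_SUFFIX_RE = re.compile(r"\\?:[^\\]*:\$DATA$", re.IGNORECASE)


def _rec(*cols):
    return "\t".join(cols)


# Constructed sample log (not the poster's data).
SAMPLE_LOG = "\n".join([
    _rec("1", "10:08:17 AM", "explorer.exe:1784", "OPEN",
         r"C:\WINDOWS\INF\tmphp32.inf", "SUCCESS", "Options: Open  Access: Read"),
    _rec("2", "10:08:17 AM", "explorer.exe:1784", "READ",
         r"C:\WINDOWS\INF\tmphp32.inf", "SUCCESS", "Offset: 0 Length: 24"),
    _rec("3", "10:08:17 AM", "explorer.exe:1784", "OPEN",
         r"C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA", "NOT FOUND",
         "Options: Open  Access: Read"),
    # Assumed: the filler process appending 64 KiB blocks back to back.
    _rec("4", "10:08:18 AM", "svchost.exe:2212", "WRITE",
         r"C:\WINDOWS\INF\tmphp32.inf", "SUCCESS", "Offset: 0 Length: 65536"),
    _rec("5", "10:08:18 AM", "svchost.exe:2212", "WRITE",
         r"C:\WINDOWS\INF\tmphp32.inf", "SUCCESS", "Offset: 65536 Length: 65536"),
    _rec("6", "10:08:19 AM", "svchost.exe:2212", "WRITE",
         r"C:\WINDOWS\INF\tmphp32.inf", "SUCCESS", "Offset: 131072 Length: 65536"),
    # Unrelated write to a different file; must be ignored.
    _rec("7", "10:08:19 AM", "OUTLOOK.EXE:3100", "WRITE",
         r"C:\Documents and Settings\u\Local Settings\outlook.ost", "SUCCESS",
         "Offset: 4096 Length: 512"),
])


def parse_record(line):
    """Parse one FileMon line into a dict, or None if it is not a record."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["base_path"] = STREAM_SUFFIX_RE.sub("", rec["path"]).lower()
    rec["offset"] = rec["length"] = None
    d = OFFSET_RE.search(rec["details"] or "")
    if d:
        rec["offset"], rec["length"] = int(d.group(1)), int(d.group(2))
    return rec


def triage(log_text, target_path, filler_bytes=100_000):
    """Per-process activity on target_path, plus the processes that look like
    they are growing it: sequential appends totalling >= filler_bytes."""
    target = target_path.lower()
    per_proc = defaultdict(lambda: {"ops": 0, "reads": 0, "writes": 0,
                                    "bytes_written": 0, "next_offset": 0,
                                    "appending": True})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["base_path"] != target:
            continue
        s = per_proc[f"{rec['proc']}:{rec['pid']}"]
        s["ops"] += 1
        if rec["op"] == "READ":
            s["reads"] += 1
        elif rec["op"] == "WRITE" and rec["offset"] is not None:
            s["writes"] += 1
            s["bytes_written"] += rec["length"]
            # An append pattern means each write starts where the last ended.
            if rec["offset"] != s["next_offset"]:
                s["appending"] = False
            s["next_offset"] = rec["offset"] + rec["length"]
    fillers = sorted(k for k, s in per_proc.items()
                     if s["writes"] and s["appending"] and s["bytes_written"] >= filler_bytes)
    return dict(per_proc), fillers


if __name__ == "__main__":
    stats, fillers = triage(SAMPLE_LOG, r"C:\WINDOWS\INF\tmphp32.inf")
    for proc, s in stats.items():
        print(proc, s["ops"], "ops,", s["writes"], "writes,", s["bytes_written"], "bytes")
    print("likely filler process(es):", fillers)
```

On this sample, explorer.exe shows only the read/open pattern of a shell property lookup, which is what the posted log contains, while the assumed svchost.exe records come out as the single sequential writer; the `filler_bytes` threshold keeps an ordinary small write from being flagged.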
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17956876
I have run MSConfig and nothing bad is running. I found a reference to a Yahoo page but no answer: http://answers.yahoo.com/question/index?qid=20061104122640AAOOM2P
0
 
LVL 6

Expert Comment

by:Mnf
ID: 17956933
OK, do you have this file in your inf folder: "syshost.exe"?
And would you please try HijackThis
http://download.hijackthis.eu/hijackthis_199.zip
and paste your log file here...
0
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17957141
Yes, it is svchost.exe, in /windows/inf/svchost.exe

Logfile of HijackThis v1.99.1
Scan saved at 11:22:13 AM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\ACT\ACT for Win 7\Act7.exe
F:\Spyware & Virus\HijackThis.exe
C:\WINDOWS\inf\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/page/lexis.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1108.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04110BC2-B8B9-4CDD-8923-8C7C90F8B6A0} - http://monsterclient.tickle.com/download/client/Monster%20Companion%20Installer.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure.mybroadline.com/CFIDE/classes/CFJava.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/cfweb_activex.camfrogweb.com-advanced_instmodule.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\Software\..\Telephony: DomainName = floridalegalsearch.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\windows\system32\r_server.exe" /service (file missing)

0
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17957246
The virus restarts itself after a random amount of time when I kill the svchost.exe process using 100% CPU.
I scanned one of the computers' hard drives as a secondary drive and it found nothing but a corrupt archive
\windows\csc\d7\80000096
This may not have anything to do with it, but I just wanted to put it in.
0
 
LVL 6

Accepted Solution

by:
Mnf earned 500 total points
ID: 17957340
OK, sorry for the delay.
We have W32.Francette.Worm on your system.
Follow this to eliminate the virus:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-111806-5041-99&tabid=3
Please unplug your PC from the network, and scan the other PCs on your local network for this virus.

Please go here, and you will find an analysis of your HijackThis report; seek out any nasty in your HijackThis log and fix it:
http://www.hijackthis.de/logfiles/ad3e79cb353013f6a0493886a3023c85.html
0
 
LVL 6

Expert Comment

by:Mnf
ID: 17957468
After you do the above, scan your PC with an online antivirus scanner. I don't know why your antivirus didn't catch the virus (maybe it is corrupted), so we have to make sure that you don't have any other bugs on your system.
I like to use Kaspersky; try this online:
http://usa.kaspersky.com/services/free-virus-scanner.php

Try this free/valuable utility to scan your PC locally for spyware (after you scan your PC with an antivirus other than the one you have): SpyBot
www.safer-networking.org/en/download/
0
 
LVL 1

Author Comment

by:Hacking_For_Christ
ID: 17958049
I looked at the Symantec site and it did not match the processes and registry entries, but the HijackThis log analysis was GREAT. The file svchost.exe was the issue. I killed the process and renamed the file and all is good now. If anyone wants, I can email them a present; all you have to do is double click it. :)
Thanks for all the Great help.
0
 
LVL 3

Expert Comment

by:StephenJaffe
ID: 17980688
Are you guys sure that this is the solution for this particular problem? I have two computers in our network that are showing signs of the TMPHP32.inf growth, but no SVCHOST.EXE apart from the two in SYSTEM32 and the service pack directory...

I'm going now to see if one of the two has the same problem, maybe it's just that.

Thanks for the help

Stephen
0
 
LVL 3

Expert Comment

by:StephenJaffe
ID: 17983457
Actually, after some more looking into this particular one... there is an SVCHOST.EXE.INI in the windows\inf directory. I deleted it in Safe Mode and we seem to have stopped it, at least for the moment. Does anybody know of a virus checker that will actually catch this one?

Thanks

Stephen
0
 

Expert Comment

by:rdgit
ID: 17988305
This is the solution to your problem. Please delete the files below if you find them on your PC. Also make sure you remove the following registry key.
You may have to use Process Explorer to terminate the svchost.exe:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

There is a service that it registered itself under which is not a valid Windows service:
"Windows Management Licence Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSLService

C:\WINDOWS\inf\svchost.exe   <---- This is not a valid Windows file (the valid svchost.exe is C:\Windows\system32\svchost.exe)
C:\WINDOWS\inf\tmphp32.inf    <----- This is the file it creates and keeps writing to until it has used up all hard drive space.
C:\WINDOWS\readmelog.inf    <------ It also creates this file, with a bunch of adware websites listed within it.
0
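The tell in this thread, which both the HijackThis log and the comment above point at, is a binary with a system name running from the wrong directory: the real svchost.exe lives in system32, the malicious copy in windows\inf. The following is an added example, not code from the thread or from HijackThis. It pulls the "Running processes:" section out of a HijackThis-style log and flags any process whose file name matches a well-known Windows system binary but whose directory is not where that binary belongs. The expected-directory table is an assumption for an XP-era default install with `C:\WINDOWS` as the Windows directory; the sample log is a constructed, shortened version of the one posted above.

```python
"""Flag system-binary names running from unexpected directories in a
HijackThis 'Running processes' list."""
import ntpath

# Constructed sample in HijackThis layout (trimmed from the posted log).
SAMPLE_HJT_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\WINDOWS\\inf\\svchost.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell.com
"""


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower().startswith("running processes"):
            in_section = True
            continue
        if in_section:
            if not s:          # blank line ends the section
                break
            paths.append(s)
    return paths


def expected_dirs(windir=r"C:\WINDOWS"):
    """Assumed home directories of core system binaries on a default XP
    install. Only these names are checked; anything else passes through."""
    sys32 = ntpath.join(windir, "system32").lower()
    table = {name: sys32 for name in (
        "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "ctfmon.exe", "taskmgr.exe")}
    table["explorer.exe"] = windir.lower()
    return table


def find_masquerading(paths, windir=r"C:\WINDOWS"):
    """(path, expected_dir) for each process whose name is a system binary
    but whose directory is not the expected one. Comparison is
    case-insensitive because the log mixes 'System32' and 'system32'."""
    table = expected_dirs(windir)
    findings = []
    for p in paths:
        directory, name = ntpath.split(p)
        want = table.get(name.lower())
        if want is not None and directory.lower() != want:
            findings.append((p, want))
    return findings


if __name__ == "__main__":
    procs = parse_running_processes(SAMPLE_HJT_LOG)
    for path, want in find_masquerading(procs):
        print(f"SUSPECT {path}  (expected under {want})")
```

The check is deliberately narrow: it says nothing about unknown third-party binaries, only about a core system name in the wrong place, which is exactly the condition the comment above describes and which a scanner keyed on signatures missed here. Two genuine svchost.exe instances under system32 pass regardless of the capitalisation the log uses.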