  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2301

tmphp32.inf fills hard drive

On 2 computers I have a tmphp32.inf file in /windows/inf/tmphp32.inf that fills the hard drive, to the order of 22-30 GB.

OK, some specs on the systems:

Both are Windows XP SP2
Hard Drives 30, 40 GB
Ram 512 MB
AV Symantec Corp 8 with all updates; real time protection was disabled on one computer but not the other.
Network has 8 workstations & 1 server 2k

Work done so far:

Boot into Safe Mode and rename the file; reboot into regular mode. The file recreates itself and fills any hard drive space left. Deleted the renamed file to make space on the drive; the new inf does not grow past its original size of 935 MB

HijackThis: nothing out of the ordinary, just standard stuff (I use it every day on hundreds of systems)

Housecall found nothing

Done in Safe Mode:
Stinger found nothing

CCleaner found registry entries for programs that were uninstalled but nothing looking wrong

Dr. Web found nothing

Icesword did not find anything that should not be running

Will update on tasks done; any thoughts let me know.
Asked by Hacking_For_Christ

1 Solution
 
David-HowardCommented:
After all that you have done, this sounds like a tough one.
Have you tried going in to Safe Mode and then starting MSCONFIG.
I wonder if this thing is hanging out in the Startup menu.
David
 
MnfCommented:
Go to www.sysinternals.com and grab the FileMon utility. Set a filter for your "tmphp32.inf" file and let it run. This shows you what process has file activity on your file.
 
Hacking_For_ChristAuthor Commented:
Yeah, I tried these with no luck, thanks. I found it in the registry under Search Assistant. I deleted all the keys with it and removed the file, but it comes back. Also, the file turns itself off and deletes itself when I do an AV scan with Symantec.
 
Hacking_For_ChristAuthor Commented:
I used FileMon with one computer off and filtered on tmphp32.inf. Nothing was going on until I started the other computer; then the virus was turned on. The process used was svchost.exe. I turned off the other computer and the process kept filling the drive. Once I killed the process (it was also using 100% CPU) it went dormant. Then I can delete the file. Below is the FileMon log.

1      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read      
2      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation      
3      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileBasicInformation      
4      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24      
5      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA      NOT FOUND      Options: Open  Access: Read      
6      10:08:17 AM      explorer.exe:1784      CLOSE      C:\WINDOWS\INF\tmphp32.inf      SUCCESS            
7      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Options: Open  Access: Read      
8      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileStreamInformation      
9      10:08:17 AM      explorer.exe:1784      QUERY INFORMATION      C:\WINDOWS\INF\tmphp32.inf      SUCCESS      FileBasicInformation      
10      10:08:17 AM      explorer.exe:1784      READ       C:\WINDOWS\INF\tmphp32.inf      SUCCESS      Offset: 0 Length: 24      
11      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA      NOT FOUND      Options: Open  Access: Read      
12      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA      NOT FOUND      Options: Open  Access: Read      
13      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
14      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
15      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
16      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
17      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
18      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
19      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
20      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
21      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
22      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
23      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
24      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
25      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
26      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
27      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
28      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
29      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
30      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_DocumentSummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
31      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
32      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
33      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
34      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
35      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
36      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
37      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
38      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SummaryInformation:$DATA      NOT FOUND      Options: Open  Access: Read      
39      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
40      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
41      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
42      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_SebiesnrMkudrfcoIaamtykdDa:$DATA      NOT FOUND      Options: Open  Access: Read      
43      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
44      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
45      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
46      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
47      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
48      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:Docf_OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
49      10:08:17 AM      explorer.exe:1784      OPEN      C:\WINDOWS\INF\tmphp32.inf\:OzngklrtOwudrp0bAayojd1qWh:$DATA      NOT FOUND      Options: Open  Access: Read      
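The FileMon procedure Mnf suggests and the log posted above come down to one question: which process is actually writing to the file? The following is an added example, not a tool from this thread; it parses FileMon's tab-separated export format, keeps only events on the file of interest (including its alternate data streams, which Explorer probes), and tallies operations and bytes written per process. The sample log is constructed: the explorer.exe reads mirror the posted log, the svchost.exe WRITE lines are hypothetical.

```python
"""Attribute FileMon activity on one file to processes (added example).

Parses the tab-separated FileMon export format shown in the thread
(index, time, process:PID, operation, path, result, details), keeps
events on the file of interest including its alternate data streams
(Explorer probes path:stream:$DATA), and tallies operations and bytes
written per process. The sample log is constructed: the explorer.exe
reads mirror the thread, the svchost.exe writes are hypothetical.
"""
import re
from collections import Counter, defaultdict

TARGET = r"C:\WINDOWS\INF\tmphp32.inf"

SAMPLE_LOG = """\
1\t10:08:17 AM\texplorer.exe:1784\tOPEN\tC:\\WINDOWS\\INF\\tmphp32.inf\tSUCCESS\tOptions: Open  Access: Read
4\t10:08:17 AM\texplorer.exe:1784\tREAD\tC:\\WINDOWS\\INF\\tmphp32.inf\tSUCCESS\tOffset: 0 Length: 24
5\t10:08:17 AM\texplorer.exe:1784\tOPEN\tC:\\WINDOWS\\INF\\tmphp32.inf:Raec25ph4sudbf0hAaq5ehw3Nf:$DATA\tNOT FOUND\tOptions: Open  Access: Read
50\t10:08:18 AM\tsvchost.exe:2044\tWRITE\tC:\\WINDOWS\\INF\\tmphp32.inf\tSUCCESS\tOffset: 980418560 Length: 65536
51\t10:08:18 AM\tsvchost.exe:2044\tWRITE\tC:\\WINDOWS\\INF\\tmphp32.inf\tSUCCESS\tOffset: 980484096 Length: 65536
52\t10:08:18 AM\tsvchost.exe:2044\tWRITE\tC:\\WINDOWS\\INF\\tmphp32.inf\tSUCCESS\tOffset: 980549632 Length: 65536
53\t10:08:18 AM\tavgw.exe:3120\tOPEN\tC:\\WINDOWS\\INF\\other.inf\tSUCCESS\tOptions: Open  Access: Read
"""

def parse_line(line):
    """Split one FileMon row; tolerates tabs or the 2+ space runs left by copy/paste."""
    parts = re.split(r"\t+|\s{2,}", line.strip())
    if len(parts) < 6:
        return None
    _idx, _when, proc, op, path, result = parts[:6]
    return {"proc": proc, "op": op, "path": path, "result": result,
            "details": " ".join(parts[6:])}

def on_target(path, target):
    """True for the file itself or any named stream on it (path:stream:$DATA)."""
    p, t = path.lower(), target.lower()
    return p == t or p.startswith(t + ":") or p.startswith(t + "\\:")

def summarize(log_text, target=TARGET):
    """Per-process operation counts and bytes successfully written to target."""
    summary = defaultdict(lambda: {"ops": Counter(), "bytes_written": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not on_target(ev["path"], target):
            continue
        entry = summary[ev["proc"]]
        entry["ops"][ev["op"]] += 1
        if ev["op"] == "WRITE" and ev["result"] == "SUCCESS":
            m = re.search(r"Length:\s*(\d+)", ev["details"])
            if m:
                entry["bytes_written"] += int(m.group(1))
    return dict(summary)

def likely_writer(summary):
    """Process that wrote the most bytes, or None when only readers were seen."""
    writers = {p: e["bytes_written"] for p, e in summary.items() if e["bytes_written"]}
    return max(writers, key=writers.get) if writers else None

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for proc, e in sorted(s.items()):
        print(f"{proc:20} {dict(e['ops'])}  bytes written: {e['bytes_written']}")
    print("likely writer:", likely_writer(s))
```

Explorer shows up only as a reader (its stream probes return NOT FOUND), so a tally like this separates the process that grows the file from the ones that merely look at it.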
 
Hacking_For_ChristAuthor Commented:
I have run MSConfig and nothing bad is running. I found a reference to a Yahoo page but no answer: http://answers.yahoo.com/question/index?qid=20061104122640AAOOM2P
 
MnfCommented:
OK,
do you have this file in your inf folder: "syshost.exe"?
And would you please try HijackThis
http://download.hijackthis.eu/hijackthis_199.zip
and paste your log file here...
 
Hacking_For_ChristAuthor Commented:
Yes, it is svchost.exe; it is in /windows/inf/svchost.exe

Logfile of HijackThis v1.99.1
Scan saved at 11:22:13 AM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\ACT\ACT for Win 7\Act7.exe
F:\Spyware & Virus\HijackThis.exe
C:\WINDOWS\inf\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/page/lexis.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1108.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04110BC2-B8B9-4CDD-8923-8C7C90F8B6A0} - http://monsterclient.tickle.com/download/client/Monster%20Companion%20Installer.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure.mybroadline.com/CFIDE/classes/CFJava.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/cfweb_activex.camfrogweb.com-advanced_instmodule.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\Software\..\Telephony: DomainName = floridalegalsearch.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = floridalegalsearch.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{4D90F23D-2BE3-4E7E-A40F-F5E232E4C00C}: NameServer = 192.168.30.5
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\windows\system32\r_server.exe" /service (file missing)

 
Hacking_For_ChristAuthor Commented:
The virus restarts itself after a random amount of time when I kill the svchost.exe process using 100% CPU.
I scanned one of the computers' hard drives as a secondary drive and it found nothing but a corrupt archive:
\windows\csc\d7\80000096
This may not have anything to do with it, but I just wanted to put it in.
 
MnfCommented:
OK, sorry for the delay,
we have W32.Francette.Worm on your system.
Follow this to eliminate the virus:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-111806-5041-99&tabid=3
Please unplug your PC from the network, and scan the other PCs on your local network for this virus.

Please go here, and you will find an analysis of your HijackThis report; seek out any nasty in your HijackThis log and fix it:
http://www.hijackthis.de/logfiles/ad3e79cb353013f6a0493886a3023c85.html
 
MnfCommented:
After you do the above, scan your PC with an online antivirus scanner. I don't know why your antivirus didn't catch the virus (maybe it is corrupted), so we have to make sure that you don't have any other bugs on your system.
I like to use Kaspersky; try this online:
http://usa.kaspersky.com/services/free-virus-scanner.php

Try this free/valuable utility to scan your PC locally for spyware (after you scan your PC with an antivirus other than the one you have): SpyBot
www.safer-networking.org/en/download/
 
Hacking_For_ChristAuthor Commented:
I looked at the Symantec site and it did not apply with the processes and reg. entries, but the HijackThis log analysis was GREAT. The svchost.exe file was the issue. I killed the process and renamed the file and all is good now. If anyone wants, I can email them a present; all you have to do is double click it. :)
Thanks for all the Great help.
 
StephenJaffeCommented:
Are you guys sure that this is the solution for this particular problem?  I have two computers in our network that are showing signs of the TMPHP32.inf growth, but no SVCHOST.EXE short of the two in SYSTEM32 and the service pack directory...

I'm going now to see if one of the two has the same problem, maybe it's just that.

Thanks for the help

Stephen
 
StephenJaffeCommented:
Actually, after some more looking into this particular one... there is an SVCHOST.EXE.INI in the windows\inf directory. I deleted it in Safe Mode and we seem to have stopped it, at least for the moment. Does anybody know of a virus checker that will actually catch this one?

Thanks

Stephen
 
rdgitCommented:
This is the solution to your problem. Please delete the files below if you find them on your PC. Also make sure you remove the following registry key.
You may have to use processXP to terminate the Svchost.exe
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

There is a service that it registered itself under, which is not a valid Windows service.
"Windows Management Licence Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSLService


C:\WINDOWS\inf\svchost.exe   <---- This is not a valid windows file (the valid svchost.exe file is in C:\Windows\system32\svchost.exe)
C:\WINDOWS\inf\tmphp32.inf    <----- This is the file it would create and keep writing to until it used up all hard drive space.
C:\WINDOWS\readmelog.inf    <------ Also created this file with a bunch of adware websites listed within it.
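The indicator rdgit points to (svchost.exe anywhere but System32, and an executable living in WINDOWS\inf) can be checked mechanically against the "Running processes" section of a HijackThis log like the one posted earlier. This is an added example, not a tool from the thread or from HijackThis; it assumes SystemRoot is C:\WINDOWS as in the log, and the sample is a constructed excerpt of that log.

```python
"""Flag core Windows binaries running from the wrong place (added example).

Scans the "Running processes" section of a HijackThis log for the signs
rdgit describes: a core system binary name (svchost.exe, lsass.exe, ...)
loaded from anywhere but %SystemRoot%\\System32, and any executable run
from %SystemRoot%\\inf, which holds driver setup files, not programs.
Assumes SystemRoot is C:\\WINDOWS; the sample is a constructed excerpt.
"""
# Names that, on Windows XP, legitimately run only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}
SYSTEM_ROOT = r"C:\WINDOWS"
NO_EXEC_DIRS = {r"C:\WINDOWS\inf"}  # should contain no executables at all

SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
c:\\windows\\system32\\r_server.exe
C:\\WINDOWS\\Explorer.EXE
F:\\Spyware & Virus\\HijackThis.exe
C:\\WINDOWS\\inf\\svchost.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell.com
"""

def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the next blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths

def check_process(path):
    """Reasons this process path looks wrong; an empty list means no finding."""
    directory, _, name = path.lower().rpartition("\\")
    reasons = []
    if name in SYSTEM32_ONLY and directory != (SYSTEM_ROOT + r"\System32").lower():
        reasons.append(f"{name} running outside {SYSTEM_ROOT}\\System32")
    if directory in {d.lower() for d in NO_EXEC_DIRS} and name.endswith((".exe", ".dll", ".scr")):
        reasons.append(f"executable running from {directory}")
    return reasons

def find_masquerading(log_text):
    """(path, reasons) for every running process that trips a rule."""
    findings = []
    for path in running_processes(log_text):
        reasons = check_process(path)
        if reasons:
            findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in find_masquerading(SAMPLE_HJT):
        print(path, "->", "; ".join(reasons))
```

Both legitimate svchost.exe entries pass (case differences in the path are normalised), while the copy under WINDOWS\inf trips both rules.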
