
I'm very worried, please help me.



#1 Need help.


Posted 25 April 2006 - 05:24 PM

Hi, and thanks for creating Ad-Aware.

1) There is a type of file in my Windows temp folder that's undeletable, and it keeps generating; the size of the file is always the same (144kb) and it changes its name (~DFB25C.tmp, etc.).

2) The WhoLockMe software says those files are being locked by the Winlogon process.

3) I have tried almost all antiviruses (Trend Micro's HouseCall, Panda ActiveScan, Norton Internet Security, AVG, BitDefender), and some of the greatest anti-spyware software (Ad-Aware and Spybot S&D), but none of them detects what software is creating those undeletable temp files.
I'm most worried because I know that when a file is locked and it keeps generating, it's sure it is a virus or spyware; I formatted Windows two times, and the virus or spyware keeps infecting my PC.

4) I have Ad-Aware and HijackThis logs:
4.1) Ad-Aware:

Ad-Aware SE Build 1.06r1
Logfile Created on:Martes, 25 de Abril de 2006 12:16:41
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R104 21.04.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


25-04-2006 12:16:41 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]

#:2 [csrss.exe]

#:3 [winlogon.exe]

#:4 [services.exe]

#:5 [lsass.exe]

#:6 [svchost.exe]

#:7 [svchost.exe]

#:8 [svchost.exe]

#:9 [explorer.exe]

#:10 [nvsvc32.exe]

#:11 [notepad.exe]

#:12 [msmpeng.exe]

#:13 [wholockme.exe]

#:14 [maxthon.exe]

#:15 [ad-aware.exe]

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0


12:18:46 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:05.579
Objects scanned:82283
Objects identified:0
Objects ignored:0
New critical objects:0

4.2) HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:46:09, on 25-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nvidia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145942387281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBCA6A46-F5C9-4FC7-866E-45BC4B042C62}: NameServer = 200.50.96.90
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Archivos de programa\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

If you know something about what is infecting my system please tell me, I would be very grateful, thanks.

***Update: WindowBlinds was creating those files. I don't know if that's normal or not.

#2 ChrisF


    LS Former employee


Posted 26 April 2006 - 12:41 PM

Hi Need help.,

***Update: WindowBlinds was creating those files. I don't know if that's normal or not.


Have you resolved the problem? Sounds like you've figured out what was causing the file... Yes, it would be perfectly normal for applications such as WindowBlinds to create and use temporary files whilst it is running. If you want to be on the safe side, reboot your computer into safe mode and try deleting them from that...

Thanks Chris Fry
www.lavasoft.de

#3 LS SteveJ (former LS employee)


Posted 27 April 2006 - 11:08 PM

The process attached to Winlogon is Stardock for changing the taskbar... Was this an intentional install? If it was, then you have nothing to worry about here....
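
What the last reply reads off the HijackThis log, as an added example that is not part of the original thread: on Windows XP the DLLs listed as "O20 - Winlogon Notify" are loaded into winlogon.exe, so temp files they hold open are reported as locked by Winlogon. The function names, the system32 heuristic and the last sample line are assumptions of this example.

```python
import ntpath
import re

# The first three entries are copied from the HijackThis log in post #1; the
# last one is constructed here for contrast (a Notify DLL inside system32).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\example.dll
"""

# HijackThis prints Winlogon Notify packages as "O20 - Winlogon Notify: <name> - <dll>".
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify:\s*(?P<name>.+?) - (?P<dll>.+)$")


def winlogon_notify_entries(log_text):
    """Return (name, dll_path) for every O20 Winlogon Notify line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = O20_NOTIFY.match(line.strip())
        if match:
            entries.append((match.group("name"), match.group("dll").strip()))
    return entries


def outside_system32(dll_path, system32=r"C:\WINDOWS\system32"):
    """Heuristic (assumption of this example): a Notify DLL outside system32
    was registered by an installed product and is worth identifying."""
    prefix = ntpath.normcase(system32).rstrip("\\") + "\\"
    return not ntpath.normcase(dll_path).startswith(prefix)


def explain_winlogon_lock(log_text):
    """List the DLLs that run inside winlogon.exe and could own its file locks."""
    report = []
    for name, dll in winlogon_notify_entries(log_text):
        verdict = "identify the product" if outside_system32(dll) else "system32"
        report.append((name, dll, verdict))
    return report


if __name__ == "__main__":
    for name, dll, verdict in explain_winlogon_lock(SAMPLE_LOG):
        print(f"{name:15} {verdict:22} {dll}")
```

The 8.3 short path (`ARCHIV~1\Stardock\...`) is compared as written; the vendor folder in it is what ties the entry to an installed product.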



