
Undeletable temp files, and some strange behavior


This topic is locked
12 replies to this topic

#1 Damiac


Posted 15 February 2013 - 11:23 AM

Hi,

 

I noticed my laptop going a bit slow recently, and I figured something was wrong. 

 

I'm running Windows Vista Home Premium, Service Pack 2.  Windows is up to date according to Windows updater.

I have Eset Nod32 Antivirus 4 which starts up automatically.

I also occasionally run Malwarebytes, which hasn't found anything.

 

I tried to empty my windows/temp folder, and could not delete 3 files:

GNserv.dat

hlktmp

spserv.dat

 

I did some searching on these forums and elsewhere, and saw recommendations for others with some of those files to try a scan with SuperAntiSpyware

 

I ran a complete scan in safe mode, which came up with a few things:

 

Adware.CouponBar
Trojan.Agent/Gen-FakeAlert[Local]
Trojan.Agent/Gen-MultiFraud
Adware.IEPlugin

 

I removed those, and a second scan shows up all clean.

However, I am still unable to delete those temp files outside of safe mode.

If I delete them on safe mode, they're back on the next system restart.

 

When I look at task manager, I see a lot of disk activity.  It does stop sometimes, but it's still a bit concerning.  I was hoping someone could help me diagnose what's going on here.

 

I appreciate any help you are able to offer,

Thanks




#2 boopme


Posted 15 February 2013 - 11:45 AM

Welcome..  Let's run these and see how it is.

 

ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

 

 

 

>>>>

Junkware Removal Tool
Please download Junkware Removal Tool to your desktop.


  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

>>>>


TFC
Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Edited by boopme, 15 February 2013 - 11:46 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Damiac


Posted 15 February 2013 - 12:12 PM

ADW Cleaner Log:

# AdwCleaner v2.112 - Logfile created 02/15/2013 at 12:01:56
# Updated 10/02/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Danian - DAMIAN-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Danian\Desktop\AdwCleaner.exe
# Option [Search]


***** [Services] *****

Found : Partner Service

***** [Files / Folders] *****

Folder Found : C:\ProgramData\Partner
Folder Found : C:\Users\Danian\Documents\Software

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKCU\Software\Viewpoint
Key Found : HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
Key Found : HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
Key Found : HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKLM\SOFTWARE\Classes\kt_bho.KettleBho
Key Found : HKLM\SOFTWARE\Classes\kt_bho.KettleBho.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1476 octets] - [15/02/2013 12:01:56]

########## EOF - C:\AdwCleaner[R1].txt - [1536 octets] ##########

 

JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.3 (02.12.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Danian on Fri 02/15/2013 at 12:04:12.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\kt_bho_dll.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\kt_bho.kettlebho
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\kt_bho.kettlebho.1
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\Program Files\coupons"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/15/2013 at 12:09:01.70
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

It looks like I won't get a log from TFC, so I'll just run that after posting this.

I see JRT deleted a couple things, and it looks like ADW might have found a few things, although I didn't click delete, just search, so I assume those are still there?

 

Thanks for your quick reply and assistance.
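The AdwCleaner search-mode log above lists the same CLSID under four different registry keys (Ext\Settings, Ext\Stats, Classes\CLSID and Browser Helper Objects), which is what one Internet Explorer add-on registered in several places looks like. The following Python script is an added example, not code from the thread or from AdwCleaner: it parses a search-mode ([R]) log into structured findings, counts them per section, and groups registry findings that share a GUID so that a multi-key registration is reported as a single object. The sample input is the log posted above; the regexes, function names and the assumption that every finding line has the form "<Kind> Found : <target>" are mine.

```python
"""Parse an AdwCleaner search-mode ([R]) log into structured findings and
correlate registry keys that share one CLSID/AppID GUID.

SAMPLE_LOG is the AdwCleaner [R1] log posted in this thread. The parser
assumes finding lines look like "Key Found : ..." / "Folder Found : ..." /
"Found : ..." (an assumption based on that one log)."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
# AdwCleaner v2.112 - Logfile created 02/15/2013 at 12:01:56
# Updated 10/02/2013 by Xplode
# Option [Search]

***** [Services] *****

Found : Partner Service

***** [Files / Folders] *****

Folder Found : C:\ProgramData\Partner
Folder Found : C:\Users\Danian\Documents\Software

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKCU\Software\Viewpoint
Key Found : HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
Key Found : HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
Key Found : HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKLM\SOFTWARE\Classes\kt_bho.KettleBho
Key Found : HKLM\SOFTWARE\Classes\kt_bho.KettleBho.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>.+?)\] \*{5}$")
FINDING_RE = re.compile(r"^(?:(?P<kind>[A-Za-z]+) )?Found : (?P<target>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Substring (lower-cased) that identifies an IE Browser Helper Object registration.
BHO_MARKER = "\\explorer\\browser helper objects\\"


def parse_adwcleaner_log(text):
    """Return one {'section', 'kind', 'target'} dict per finding line."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # header / comment lines
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FINDING_RE.match(line)
        if m and section is not None:
            # "Found : X" under [Services] carries no kind word; label it ourselves.
            kind = m.group("kind") or ("Service" if section == "Services" else "Item")
            findings.append({"section": section, "kind": kind,
                             "target": m.group("target").strip()})
    return findings


def correlate_guids(findings):
    """Group registry findings by the GUID in their path. Only GUIDs seen in
    more than one key are returned, flagged if one key is a BHO registration."""
    by_guid = defaultdict(list)
    for f in findings:
        if f["section"] != "Registry":
            continue
        for guid in GUID_RE.findall(f["target"]):
            by_guid[guid.upper()].append(f["target"])
    linked = {}
    for guid, keys in by_guid.items():
        if len(keys) > 1:
            linked[guid] = {"keys": keys,
                            "bho": any(BHO_MARKER in k.lower() for k in keys)}
    return linked


def summarize(text):
    """Findings, per-section counts and the GUID correlation for one log."""
    findings = parse_adwcleaner_log(text)
    counts = defaultdict(int)
    for f in findings:
        counts[f["section"]] += 1
    return {"findings": findings, "counts": dict(counts),
            "linked_guids": correlate_guids(findings)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for section, n in report["counts"].items():
        print(f"{section}: {n} finding(s)")
    for guid, info in report["linked_guids"].items():
        tag = "BHO" if info["bho"] else "COM object"
        print(f"{guid} ({tag}) registered in {len(info['keys'])} keys:")
        for k in info["keys"]:
            print("   ", k)
```

Run against the posted log this reports 1 service, 2 folders and 11 registry keys, and a single correlated GUID, {83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}, registered in four keys including a Browser Helper Objects entry. The point of the correlation step is triage: the four registry hits are one add-on, and removing the CLSID and BHO keys without the Ext\Settings and Ext\Stats keys (or vice versa) leaves a partial registration that a later scan will report again.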



#4 Damiac


Posted 15 February 2013 - 12:24 PM

I ran TFC, it did not prompt for a restart, but I did so anyway.

Those three files are still in the windows temp folder, and still undeletable.

 

Thanks for your help, it looks like we already got rid of a couple things from those logs.  I'm shocked at what is on this computer, I keep up with updates and regularly scan it, but I guess stuff still manages to get through...



#5 boopme


Posted 15 February 2013 - 12:52 PM

Yes, delete the ADW findings.. It is amazing what still gets thru.

 

Looks like an MBR (Master Boot record) rootkit..

 

Please download aswMBR ( 4.5MB ) to your desktop.


  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the  save log button, save it to your desktop, then copy and paste it in your next reply.

Edited by boopme, 15 February 2013 - 12:53 PM.


#6 Damiac


Posted 15 February 2013 - 01:19 PM

I'm running the aswMBR scan now, it's been sitting on one file for about 10 minutes,

C:\users\danian\appdata\local\citrix\plugins\92\npappdetector.dll

 

EDIT - Nevermind, it moved on finally. Sorry, I'm being impatient...

 

Once it's done, should I Fix? Or just post the log? I won't do anything more until you give me the go ahead.

 

Thanks


Edited by Damiac, 15 February 2013 - 01:27 PM.


#7 boopme


Posted 15 February 2013 - 01:42 PM

Fix and then post



#8 Damiac


Posted 15 February 2013 - 02:02 PM

OK, scan finished.

After scanning, the Scan and Fix buttons are both grey.  Do I restart the program, then hit Fix? The FixMBR button is available, do I hit that?

 

Here is the log:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-15 13:00:09
-----------------------------
13:00:09.686    OS Version: Windows 6.0.6002 Service Pack 2
13:00:09.686    Number of processors: 2 586 0x301
13:00:09.686    ComputerName: DAMIAN-LAPTOP  UserName: Danian
13:00:53.709    Initialize success
13:02:03.558    AVAST engine defs: 13021500
13:03:12.557    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:03:12.573    Disk 0 Vendor: TOSHIBA_MK1652GSX LV010M Size: 152627MB BusType: 3
13:03:12.588    Disk 0 MBR read successfully
13:03:12.588    Disk 0 MBR scan
13:03:12.620    Disk 0 Windows VISTA default MBR code
13:03:12.635    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
13:03:12.666    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       145086 MB offset 3074048
13:03:12.698    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS         6040 MB offset 300210176
13:03:12.713    Disk 0 scanning sectors +312580096
13:03:12.776    Disk 0 scanning C:\Windows\system32\drivers
13:03:31.090    Service scanning
13:04:21.166    Modules scanning
13:04:34.863    Disk 0 trace - called modules:
13:04:34.941    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
13:04:34.941    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f9c348]
13:04:34.941    3 CLASSPNP.SYS[877128b3] -> nt!IofCallDriver -> [0x84f55918]
13:04:34.941    5 acpi.sys[806096bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84f51b98]
13:04:36.594    AVAST engine scan C:\Windows
13:04:44.706    AVAST engine scan C:\Windows\system32
13:10:35.192    AVAST engine scan C:\Windows\system32\drivers
13:10:55.924    AVAST engine scan C:\Users\Danian
13:47:28.754    AVAST engine scan C:\ProgramData
14:00:07.647    Scan finished successfully
14:01:25.974    Disk 0 MBR has been saved successfully to "C:\Users\Danian\Desktop\MBR.dat"
14:01:25.974    The log file has been saved successfully to "C:\Users\Danian\Desktop\aswMBR.txt"

 

Thanks


Edited by Damiac, 15 February 2013 - 02:03 PM.
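The useful part of the aswMBR log above is the MBR and partition-table section: the bootstrap code was recognised as the stock Vista loader ("Windows VISTA default MBR code"), the three partitions sit back to back, exactly one carries the active flag, and the "scanning sectors +312580096" line shows the tool then looking at the area beyond the last partition. The script below is an added example, not code from the thread or from the aswMBR authors. It parses those log lines, checks the partition table for overlaps and for exactly one active partition, and computes how many sectors lie past the last partition, which is where some bootkits keep data outside any filesystem. It assumes 512-byte sectors and that the MB sizes in the log are rounded (so a 1 MB tolerance is applied); the function names and the log line formats it expects are based on this one log.

```python
"""Sanity-check the MBR / partition-table lines of an aswMBR log.

SAMPLE_LOG holds the relevant lines of the aswMBR log posted in this thread.
Assumptions: 512-byte sectors; the "N MB" sizes in the log are rounded to a
megabyte, so neighbouring partitions are allowed to "overlap" by one MB."""
import re

SAMPLE_LOG = r"""
13:03:12.573    Disk 0 Vendor: TOSHIBA_MK1652GSX LV010M Size: 152627MB BusType: 3
13:03:12.588    Disk 0 MBR read successfully
13:03:12.588    Disk 0 MBR scan
13:03:12.620    Disk 0 Windows VISTA default MBR code
13:03:12.635    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
13:03:12.666    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       145086 MB offset 3074048
13:03:12.698    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS         6040 MB offset 300210176
13:03:12.713    Disk 0 scanning sectors +312580096
"""

SECTOR_BYTES = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR_BYTES   # 2048

SIZE_RE = re.compile(r"Disk (?P<disk>\d+) Vendor: .* Size: (?P<mb>\d+)MB")
MBR_CODE_RE = re.compile(r"Disk (?P<disk>\d+) (?P<desc>.*MBR code.*)$")
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<n>\d+) (?P<boot>[0-9A-F]{2})(?: \((?P<flag>A)\))?\s+"
    r"(?P<type>[0-9A-F]{2})\s+(?P<desc>.+?)\s+(?P<mb>\d+) MB offset (?P<offset>\d+)$")
TAIL_RE = re.compile(r"Disk (?P<disk>\d+) scanning sectors \+(?P<sector>\d+)$")


def parse_aswmbr_log(text):
    """Extract disk size, MBR code verdict, partition entries and the sector
    at which aswMBR began scanning past the partitions."""
    report = {"size_mb": None, "mbr_code": None, "partitions": [], "tail_scan_sector": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SIZE_RE.search(line):
            report["size_mb"] = int(m.group("mb"))
        elif m := MBR_CODE_RE.search(line):
            report["mbr_code"] = m.group("desc")
        elif m := PART_RE.search(line):
            start = int(m.group("offset"))
            sectors = int(m.group("mb")) * SECTORS_PER_MB
            report["partitions"].append({
                "n": int(m.group("n")),
                "active": m.group("boot") == "80",      # 0x80 = bootable flag
                "type": int(m.group("type"), 16),       # partition type byte
                "desc": m.group("desc"),
                "start": start,
                "end": start + sectors,                 # exclusive, rounded to MB
            })
        elif m := TAIL_RE.search(line):
            report["tail_scan_sector"] = int(m.group("sector"))
    return report


def check_partition_table(report, slack_tolerance=SECTORS_PER_MB):
    """Return human-readable issues; an empty list means the table looks sane."""
    issues = []
    parts = sorted(report["partitions"], key=lambda p: p["start"])
    active = [p["n"] for p in parts if p["active"]]
    if len(active) != 1:
        issues.append(f"expected exactly one active partition, found {active}")
    for a, b in zip(parts, parts[1:]):
        if a["end"] > b["start"] + slack_tolerance:
            issues.append(f"partition {a['n']} overlaps partition {b['n']}")
    if report["mbr_code"] is None or "default MBR code" not in report["mbr_code"]:
        issues.append(f"MBR bootstrap code not identified as a stock loader: {report['mbr_code']!r}")
    return issues


def unallocated_tail_sectors(report):
    """Sectors between the end of the last partition and the end of the disk.
    Some bootkits store data in this unpartitioned region, so a large value
    deserves a closer look. Returns None if the log lacks the needed lines."""
    if not report["partitions"] or report["size_mb"] is None:
        return None
    last_end = max(p["end"] for p in report["partitions"])
    return report["size_mb"] * SECTORS_PER_MB - last_end


if __name__ == "__main__":
    rep = parse_aswmbr_log(SAMPLE_LOG)
    print("MBR code:", rep["mbr_code"])
    for p in rep["partitions"]:
        flag = "active" if p["active"] else "      "
        print(f"  partition {p['n']} {flag} type=0x{p['type']:02x} "
              f"sectors {p['start']}..{p['end']} ({p['desc']})")
    print("issues:", check_partition_table(rep) or "none")
    print("unallocated tail sectors:", unallocated_tail_sectors(rep))
```

On the posted log the three partitions abut exactly (partition 1 ends at sector 3074048 where partition 2 starts, and partition 2 ends at 300210176 where partition 3 starts), the last partition ends at sector 312580096, which equals both the disk size (152627 MB) in sectors and the sector where aswMBR started its tail scan, so there is no unpartitioned space at the end of this disk. That, together with the stock MBR code verdict, is consistent with the later finding that FixMBR changed nothing: the persistence was not in the boot sector.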


#9 boopme


Posted 15 February 2013 - 02:44 PM

Hit the FixMBR and then reboot. check the Temp folder after.



#10 Damiac


Posted 15 February 2013 - 02:53 PM

Ok, I hit fixmbr, it said successful, then I restarted.

Upon restart, all three temp files are still there, and still cannot be deleted.

Are those a definite sign of something wrong?

 

EDIT: While I was waiting on your reply, I ran another scan of ADWCleaner, to see if anything came back after the reboots.

It came up clean this time, hopefully that's a good sign.

 

Thanks for your help


Edited by Damiac, 15 February 2013 - 03:24 PM.


#11 boopme


Posted 15 February 2013 - 03:25 PM

These are usually Rootkit files.. We can get them but you need to make a new topic about them with a DDS log from the guide below.

 I think we should get a deeper look. Please follow this Preparation Guide and post in a new topic.

Let me know if all went well.



#12 Damiac


Posted 15 February 2013 - 03:34 PM

Ok, will do.

 

Should I post the topic in this same forum, or somewhere else?

EDIT: Nevermind, reading the guide you linked shows I should post it on the malware removal forum, so that's what I've done.

Here's a link to that thread: http://www.bleepingcomputer.com/forums/t/485514/possible-rootkit-infection-undeletable-temp-files/

 

 

Thank you very much for your assistance


Edited by Damiac, 15 February 2013 - 04:15 PM.


#13 boopme


Posted 15 February 2013 - 04:42 PM

One of our trained DDS experts will review and post back to you.. You're welcome!!

 

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 2 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.





