
Corrupt file reappearing

Status
Not open for further replies.

BoyBigBrain

Technical User
Mar 26, 2005
33
US
Hey guys. I've had trouble with this for a couple of days. When I start my computer up and log onto any desktop I get an error saying C:/WINDOWS/Cursors/tenisp.ini2 is corrupt and unreadable, and that I need to run chkdsk. So I run chkdsk, and it deletes two files relating to that file mentioned. But right after it gets deleted, it reappears even before I restart the computer, right after chkdsk is done. I've tried running chkdsk before Windows starts up but it says it finds nothing wrong, but when I log on to any user desktop it tells me to run it again. I ran both Ad-Aware SE and Spybot, both completely updated, and it didn't help. Can anyone figure out what it is or how I can permanently delete the file? There are these files:

tenisp.bak1 (in blue text)
tenisp.bak2
tenisp.ini
tenisp.ini2 (apparent corrupt file)
tenisp.tmp
tenisp.tmp2

What can I do?
 
You have been compromised... TROJAN is my guess...

1.) DL EWIDO: and HiJackThis from:
2.) Update your AntiVirus program...

3.) Delete all TEMP FILES (including the Temporary Internet Files), Clear all Restore Points, disable Restore...

4.) Boot into SafeMode, Run EWIDO fix everything... Then Run your AntiViral Software... Run HJT and paste LOG here for analysis or at for an online analysis...

5.) Report back here for success or a NO GO...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Downloaded Ewido and HijackThis, deleted all temp files, booted in safe mode and ran Ewido, ran chkdsk and the tenisp.ini2 was still there, even after chkdsk said that it had deleted the entry. What else can I do? Oh, and here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:11:33 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Tim's Desktop\Desktop\Download\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSEvents Object - {EB1CE8AA-7F27-45D3-BA59-37AFBFB4437F} - C:\WINDOWS\Cursors\psinet.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [Skype] "C:\Documents and Settings\Tim's Desktop\Start Menu\Programs\Skype\Skype.exe" /nosplash /minimized
O4 - Startup: Xfire.lnk = C:\Documents and Settings\Tim's Desktop\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psinet - C:\WINDOWS\Cursors\psinet.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

What else can I do?
 
Check these and click fix checked and delete them.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)


These below I wasn't sure about; they looked kind of suspicious, but they may be legit as well.

O2 - BHO: MSEvents Object - {EB1CE8AA-7F27-45D3-BA59-37AFBFB4437F} - C:\WINDOWS\Cursors\psinet.dll

O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O20 - Winlogon Notify: psinet - C:\WINDOWS\Cursors\psinet.dll
 
The Free DL Manager is ok...

also should fix these using HJT...

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)


You may wanna try also Rootkit Revealer, to see if you have a ROOTKIT Installed there somewhere...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
O2 - BHO: MSEvents Object - {EB1CE8AA-7F27-45D3-BA59-37AFBFB4437F} - C:\WINDOWS\Cursors\psinet.dll

Can't get rid of that one, ran a scan twice and fixed it twice, as soon as it is fixed it comes right back. Used process explorer, nothing special running. Running rootkit revealer now, gotta see what it reveals.

C:/WINDOWS/Cursors/tenisp.ini2 is still giving me trouble.
 
Edit: the C:/WINDOWS/Cursors/tenisp.ini2 file came up in Rootkit Revealer. It says "Visible in Windows API, directory index, but not in MFT." What do I do with that file?
 
From the Help file.

Visible in Windows API, directory index, but not in MFT.
Visible in Windows API, but not in MFT or directory index.
Visible in Windows API, MFT, but not in directory index.
Visible in directory index, but not Windows API or MFT.
A file system scan consists of three components: the Windows API, the NTFS Master File Table (MFT), and the NTFS on-disk directory index structures. These discrepancies indicate that a file appears in only one or two of the scans. A common reason is that a file is either created or deleted during the scans. This is an example of RootkitRevealer's discrepancy report for a file created during the scanning:

C:\newfile.txt
3/1/2005 5:26 PM
8 bytes
Visible in Windows API, but not in MFT or directory index.

More information on Rootkits.

Auto Start Viewer.

This thread has some suggestions I copied from poster "Option^Explicit" which will give you an insight as to what might be happening:

problems with IE and explorer
thread779-1049037

Vx2cleaner plugin for Ad-Aware.
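The help-file excerpt above describes RootkitRevealer's method: list the same file system from three vantage points (Windows API, NTFS MFT, on-disk directory index) and report any path that does not appear in all three. The cross-view comparison, as an added example that is not RootkitRevealer's code or part of the original post; the three listings are constructed sets, and the message wording is modelled on the help text quoted above:

```python
"""Cross-view diff in the style of RootkitRevealer's discrepancy report.

Example code added to the thread, not RootkitRevealer's own code. A real tool
walks the Windows API, parses the NTFS MFT and reads the on-disk directory
index itself; here each view is a constructed set of paths.
"""

# Constructed listings of the same files from three vantage points.
API_VIEW = {
    r"C:\WINDOWS\Cursors\arrow.cur",
    r"C:\WINDOWS\Cursors\tenisp.ini2",   # the thread's file: in API and index, not MFT
    r"C:\newfile.txt",                   # the help file's "created during scan" case
}
MFT_VIEW = {
    r"C:\WINDOWS\Cursors\arrow.cur",
    r"C:\WINDOWS\Cursors\hidden.sys",    # constructed: on disk but hidden from the API
}
INDEX_VIEW = {
    r"C:\WINDOWS\Cursors\arrow.cur",
    r"C:\WINDOWS\Cursors\tenisp.ini2",
    r"C:\WINDOWS\Cursors\hidden.sys",
}

# Order matters: it fixes the wording of the report lines.
VIEWS = (("Windows API", API_VIEW), ("MFT", MFT_VIEW), ("directory index", INDEX_VIEW))


def visibility(path, views=VIEWS):
    """Return the names of the views in which `path` appears, in report order."""
    return tuple(name for name, listing in views if path in listing)


def describe(seen, views=VIEWS):
    """Phrase a discrepancy the way the help file does; None when all views agree."""
    names = [name for name, _ in views]
    missing = [n for n in names if n not in seen]
    if not missing:
        return None
    return "Visible in %s, but not in %s." % (", ".join(seen), " or ".join(missing))


def discrepancy_report(views=VIEWS):
    """Map every path that is absent from at least one view to its report line."""
    report = {}
    all_paths = set().union(*(listing for _, listing in views))
    for path in sorted(all_paths):
        line = describe(visibility(path, views), views)
        if line:
            report[path] = line
    return report


def hidden_from_api(views=VIEWS):
    """Paths present in the on-disk structures but absent from the Windows API.

    This is the pattern a kernel-level rootkit hiding a file produces; a file that
    is only missing from the MFT or index, like the help file's newfile.txt, is
    more often a file created or deleted while the scan was running.
    """
    report = discrepancy_report(views)
    return [p for p in report if "Windows API" not in visibility(p, views)]


if __name__ == "__main__":
    for path, line in discrepancy_report().items():
        print(path, "-", line)
    print("hidden from API:", hidden_from_api())
```

Running the block prints one report line per discrepancy; the tenisp.ini2 entry comes out word for word as the line the poster saw, while only hidden.sys is flagged as hidden from the API.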
 
Hey guys. I would like to thank you all for the help, especially porkchopexpress since they pointed me to filemon, which described to me what the tenisp.ini2 file was doing. Filemon says that
3:54:48 PM explorer.exe:1512 CREATE C:\WINDOWS\Cursors\tenisp.tmp2 ACCESS DENIED COMPUTER1\Tim's Desktop

3:54:48 PM explorer.exe:1512 OPEN C:\WINDOWS\Cursors\ SUCCESS Options: Open Directory Access: 00000000

3:54:48 PM explorer.exe:1512 OPEN C:\WINDOWS\Cursors\tenisp.tmp2 SUCCESS Options: Open Access: All

3:54:48 PM explorer.exe:1512 OPEN C:\WINDOWS\Cursors\tenisp.tmp2 SUCCESS Options: Open Access: All

3:54:48 PM explorer.exe:1512 OPEN C:\WINDOWS\Cursors\tenisp.tmp2 SUCCESS Options: Open Access: All

3:54:48 PM explorer.exe:1512 QUERY INFORMATION C:\WINDOWS\Cursors\tenisp.tmp2 SUCCESS FileAttributeTagInformation

It continues to repeat constantly from there on. None of the other applications could catch it, and now that I know what it is I don't know what to do with it. Any ideas? Any way that I can fix the explorer.exe file?
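Filemon output like the lines above is easiest to read once it is parsed into fields and aggregated: the question is which process keeps creating which file, and whether that location is one the process has any business writing to. The triage below is an added example, not code from the thread or from Sysinternals; the line layout (time, process:pid, operation, path, result, detail) is assumed from the lines quoted above, the sample log is constructed from them, and the list of watched directories is an assumption for illustration.

```python
"""Triage a Filemon-style log for a process that keeps recreating one file.

Example code added to the thread; not Filemon's own output format definition.
Real Filemon output is tab separated with a leading sequence number; this
parser accepts any run of whitespace and ignores lines it cannot parse.
"""
import re
from collections import Counter

# One event: time, process:pid, operation (one or more capitalised words),
# path (may contain spaces), result keyword, optional detail.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<process>[^\s:]+):(?P<pid>\d+)\s+"
    r"(?P<op>[A-Z]+(?: [A-Z]+)*)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<result>SUCCESS|ACCESS DENIED|NOT FOUND|NO MORE FILES|END OF FILE)"
    r"(?:\s+(?P<extra>.*))?$"
)

# Constructed sample: the thread's four lines repeated, as the poster describes,
# plus one ordinary write by another program that the filters should ignore.
SAMPLE_LOG = "\n".join(
    [
        "3:54:48 PM explorer.exe:1512 CREATE C:\\WINDOWS\\Cursors\\tenisp.tmp2 ACCESS DENIED COMPUTER1\\Tim's Desktop",
        "3:54:48 PM explorer.exe:1512 OPEN C:\\WINDOWS\\Cursors\\ SUCCESS Options: Open Directory Access: 00000000",
        "3:54:48 PM explorer.exe:1512 OPEN C:\\WINDOWS\\Cursors\\tenisp.tmp2 SUCCESS Options: Open Access: All",
        "3:54:48 PM explorer.exe:1512 QUERY INFORMATION C:\\WINDOWS\\Cursors\\tenisp.tmp2 SUCCESS FileAttributeTagInformation",
    ] * 3
    + ["3:54:49 PM notepad.exe:2004 CREATE C:\\Documents and Settings\\Tim's Desktop\\My Documents\\notes.txt SUCCESS Options: OverwriteIf Access: All"]
)

# Assumed for this example: directories where a user-session process creating
# new files deserves a look. %WINDIR%\Cursors is the one from the thread.
WATCHED_DIRS = ("c:\\windows\\cursors\\", "c:\\windows\\system32\\")


def parse_filemon(text):
    """Return a list of event dicts (keys: time, process, pid, op, path, result, extra)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_recreate_loops(events, min_creates=3):
    """Return {(process, path): count} for files one process CREATEs repeatedly.

    Repeated CREATE calls on the same path from the same process, with no
    reason for the file to be gone in between, is the pattern the poster saw:
    the file was being restored as fast as it was removed.
    """
    creates = Counter()
    for e in events:
        if e["op"] == "CREATE":
            creates[(e["process"], e["path"])] += 1
    return {key: n for key, n in creates.items() if n >= min_creates}


def creates_in_watched_dirs(events, watched=WATCHED_DIRS):
    """Return (process, path, result) for every CREATE under a watched directory.

    Windows paths are case-insensitive, so the comparison is done in lower case.
    """
    hits = []
    for e in events:
        if e["op"] != "CREATE":
            continue
        if any(e["path"].lower().startswith(d) for d in watched):
            hits.append((e["process"], e["path"], e["result"]))
    return hits


if __name__ == "__main__":
    evs = parse_filemon(SAMPLE_LOG)
    print("parsed events:", len(evs))
    for (proc, path), n in find_recreate_loops(evs).items():
        print("%s created %s %d times" % (proc, path, n))
    for proc, path, result in creates_in_watched_dirs(evs):
        print("write into watched dir: %s -> %s (%s)" % (proc, path, result))
```

On the sample this reports explorer.exe creating tenisp.tmp2 three times, every one of them under C:\WINDOWS\Cursors, while notepad.exe's write to My Documents is ignored. In the thread the writer is explorer.exe itself, which is consistent with the psinet.dll BHO and Winlogon Notify entries in the HijackThis log: a DLL loaded into Explorer does its file I/O under Explorer's name, which is why Process Explorer showed "nothing special running" and why the process list alone cannot identify the culprit; the loaded-module view of explorer.exe is the place to look.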
 
Redo all your scans, but run them from Safe Mode.
 
Even if I do run it in safe mode, the error pops up there as well. I will try though.
 
You should be able to search for the file handle in process explorer, this will tell you what is running and creating the files. When you find it you can kill the process tree and delete the files.
 
It doesn't show up in Process Explorer, but it shows up in Filemon and Rootkit Revealer.
 
I'm not sure what those files are: tenisp.bak1, tenisp.bak2, tenisp.ini, tenisp.ini2, tenisp.tmp, tenisp.tmp2, but if you don't need the files you can delete them all together during a reboot by using a small program called "DELLATER". This will at least stop any of the files recreating another file as you delete them one at a time in Win XP. Hope this helps.
Ockerb
 