In cleaning up a really messy computer I have come across a file that I haven't noticed before and believe it to be some sort of malware. I can't find any reference to it on the web.
Every time I start up, a file appears in the temp folder that starts with JET; there are 4 other letters or numbers that follow and then .tmp. Each time the JETxxxx.tmp file name is different. If I try to delete it I receive a message that it's in use and can't be deleted. However it does disappear, only to reappear if I access the temp directory again, and with a different name.
I have nothing starting in msconfig but AVG. There is nothing under the various Run keys in the registry (except AVG) and there is nothing showing in the task mgr that doesn't belong, with the possible exception of 2 svchosts which I can't stop without the computer rebooting.
I have rerun avg antivirus, stinger, spybot, and adaware all with no reported problems.
One other problem with the computer is that it takes forever to start after choosing a username (about 1 min 45 sec). I think the two things are related.
Ran bootvis but this was no help since I suspect the delay comes after all of the things bootvis checks for.
Any help or suggestions would be greatly appreciated.
One last thing, I did all of these things under each user's name. The JET file name changes with each start or change of user. And I noticed that the operating files on this machine are all under a WINNT folder and not Windows, although it starts up as XP Home.
Below is my hijackthis file. Is there anything not right in there?
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Documents and Settings\Christine\Desktop\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[New Key #1]
New Value #1 =
[OptionalComponents]
*No values found*
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINNT\System32\emesx.dll - {000000DA-0786-4633-87C6-1AA7A4429EF1}
(no name) - C:\PROGRA~1\SVAPLA~1\SVAPLA~1.DLL - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836}
(no name) - c:\program files\clientman\run\urlclia30956de.dll (file missing) - {94927A13-4AAA-476A-989D-392456427688}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
--------------------------------------------------
Enumerating Download Program Files:
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE =
[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB
[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB
[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE =
[WebCoachDownload Class]
InProcServer32 = C:\Program Files\Common Files\aolshare\Coach\Player\coachdm2.dll
CODEBASE =
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll
--------------------------------------------------
End of report, 4,293 bytes
Report generated in 0.047 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
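Added example, not code from the original poster, from HijackThis or from StartupList: a small Python script that parses the "Enumerating Browser Helper Objects" section of a StartupList report like the one above and lists, for each BHO, the reasons it deserves a closer look. The sample input is the BHO section copied from the log above (plus one ShellServiceObjectDelayLoad line to show the section splitting); the flag rules (no friendly name, file missing, 8.3 short path, DLL sitting in the Windows system directory) are my own heuristics and are assumptions about what is worth checking, not a verdict. Note that "(no name)" only means the CLSID has no friendly name registered; the Money viewer entry trips that rule too and is a normal component, so each flagged CLSID still has to be looked up under HKCR\CLSID and the DLL's publisher checked by hand.

```python
import re
from typing import Dict, List

# Constructed sample input: the Browser Helper Object section copied from the
# StartupList report posted above (paths and CLSIDs exactly as logged), plus one
# line of the next section so the section splitting is exercised.
SAMPLE_REPORT = r"""
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINNT\System32\emesx.dll - {000000DA-0786-4633-87C6-1AA7A4429EF1}
(no name) - C:\PROGRA~1\SVAPLA~1\SVAPLA~1.DLL - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836}
(no name) - c:\program files\clientman\run\urlclia30956de.dll (file missing) - {94927A13-4AAA-476A-989D-392456427688}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINNT\system32\SHELL32.dll
--------------------------------------------------
"""

BHO_SECTION = "Enumerating Browser Helper Objects"
# "<name> - <path> - {CLSID}"; the path may carry a trailing "(file missing)" tag.
BHO_RE = re.compile(
    r"^(?P<name>.+?) - (?P<path>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)
SHORT_NAME_RE = re.compile(r"~\d")      # 8.3 short-name component such as PROGRA~1
MISSING_TAG = "(file missing)"


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split a StartupList report into {section header: [entry lines]}.

    Sections are delimited by dashed rule lines; the first non-empty line
    after a rule is the section header (trailing colon dropped).
    """
    sections: Dict[str, List[str]] = {}
    header = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"-{5,}", line):
            header = None
            continue
        if header is None:
            header = line.rstrip(":")
            sections.setdefault(header, [])
        else:
            sections[header].append(line)
    return sections


def triage_bhos(report: str) -> List[dict]:
    """Return one record per BHO with the reasons it deserves a closer look.

    The rules are heuristics of my own (an assumption, not StartupList's
    logic): a BHO with no registered friendly name, a file that is gone (a
    dead CLSID still pointing at it), an 8.3 short path that hides the real
    vendor folder name, or a DLL placed in the Windows system directory rather
    than a vendor folder. None of these proves malware on its own.
    """
    findings = []
    for line in parse_sections(report).get(BHO_SECTION, []):
        m = BHO_RE.match(line)
        if not m:
            continue
        name, path, clsid = m.group("name"), m.group("path"), m.group("clsid")
        reasons = []
        if path.lower().endswith(MISSING_TAG):
            path = path[: -len(MISSING_TAG)].strip()
            reasons.append("file missing")
        if name == "(no name)":
            reasons.append("no friendly name registered")
        if SHORT_NAME_RE.search(path):
            reasons.append("8.3 short path")
        if "\\system32\\" in path.lower():
            reasons.append("in Windows system directory")
        findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_REPORT):
        print(f"{f['clsid']}  {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against a full report pasted into SAMPLE_REPORT (or read from a file) and it prints each BHO's CLSID, cleaned path and reasons; the CLSID is what you search for under HKCR\CLSID to see which vendor registered it, and the cleaned path is what you check for a digital signature and a matching vendor folder.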