Temp files won't delete


  • This topic is locked
8 replies to this topic

#1 mattyl

mattyl

    Member

  • Full Member
  • 5 posts

Posted 06 October 2004 - 12:15 PM

I've been having a problem with two files (~DF6D1.tmp and ~DFF54D.tmp) that I can't delete from the temp folder (%temp%). I get the error message "Cannot Delete 'file': It is being used by another person or program." when I attempt to delete them. However, in safe mode I do not get this message and am successful in deleting the files. Upon reboot, though, they reappear in the %temp% folder. This happens every time after I delete them in safe mode and reboot.

I have CCleaner, which I've run, and it is able to delete everything but these two files as well. Both files are 16KB. I submitted them to Kaspersky virus scan and it came up clean. Although they are most likely not harmful, I'm just confused as to why they come back and what program could be using them? (I'm the only person on the computer). Though it may seem a bit extreme and paranoid, it really bothers me that these files keep coming back for no apparent reason. Any ideas or suggestions would be appreciated. Thanks a lot...

Matt

#2 Bobbi Flekman

Bobbi Flekman

    The computer whisperer.

  • Expert
  • 1,357 posts

Posted 06 October 2004 - 12:27 PM

Can it be that they are just valid .tmp files? If you are really concerned about these files, download HijackThis.
http://209.133.47.12.../HijackThis.exe
http://www.mjc1.com/mirror/hjt/
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Unzip to a folder other than your Desktop or the Temp folder. Then, double-click HijackThis.exe, and click "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that and copy and paste its contents in this thread. When you post, I will ask a mod/admin to move this thread to Malware Removal.

Most of what it lists will be harmless or even essential, so don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3 mattyl

Posted 06 October 2004 - 12:54 PM

Thanks for the response. I'm not sure if they are valid temp files? I believe valid temp files are deletable though because every other file put in the temp file I've been able to delete. I'll post a hijackthis log below. Thanks for your help.

Logfile of HijackThis v1.98.2
Scan saved at 1:43:01 PM, on 10/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Panasonic\SD-JukeboxV3\sdjbmgr.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\T40 USER\Desktop\New Folder (3)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\RunOnce: [IndexWipe] C:\Program Files\iISystem Wiper\IndexWipe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to tfswctrl.lnk = C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com...rt/IbmEgath.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: Domain = union.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BE52E60-8109-4CA0-8363-6E5B20F28D5A}: NameServer = 149.106.160.3,149.106.160.14

Matt

***I've placed the restrictions on IE.

Edited by mattyl, 06 October 2004 - 01:07 PM.


#4 Bobbi Flekman

Posted 06 October 2004 - 03:26 PM

Hi mattyl,

> I believe valid temp files are deletable though because every other file put in the temp file I've been able to delete.

They would be, unless they're in use. When you open a program like Microsoft Word you'll automatically have a few temp files. These should be gone when Word closes though.

As far as I can see your log is clean. I think that the temp files are harmless...
When you've restarted your computer, can you delete the contents of the directory?

If not, can you post a HijackThis log from when you've safe booted. Maybe we can find a difference in what is actually started...
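
The comparison suggested in the post above, as an added example that is not part of the original thread: a Python sketch that diffs the "Running processes" section of a normal-boot HijackThis log against a safe-mode one and ties each extra process to the O4 autostart line that launches it. The normal log is abridged from the log posted in this thread; the safe-mode log and the function names are constructed for illustration.

```python
import ntpath

def running_processes(log_text):
    """Lower-cased paths listed under 'Running processes:' in a HijackThis log."""
    procs, in_section = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section and not line:
            break                      # a blank line closes the section
        elif in_section:
            procs.add(line.lower())    # Windows paths are case-insensitive
    return procs

def suspects(normal_log, safe_log):
    """Map each process seen only in the normal boot to the O4 lines that start it."""
    extra = running_processes(normal_log) - running_processes(safe_log)
    o4 = [l.strip() for l in normal_log.splitlines() if l.startswith("O4 - ")]
    return {p: [e for e in o4 if ntpath.basename(p) in e.lower()]
            for p in sorted(extra)}

# Abridged from the normal-boot log posted in this thread.
NORMAL_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
"""

# Constructed safe-mode log (assumption: the thread never includes one).
SAFE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
"""

if __name__ == "__main__":
    for proc, entries in suspects(NORMAL_LOG, SAFE_LOG).items():
        print(proc, "<-", entries or "no matching O4 entry")
```

Processes that appear only in the normal boot are the candidates for whatever is holding the temp files open; an empty list means no O4 line names that executable.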

#5 mattyl

Posted 07 October 2004 - 11:57 AM

Hey Bobbi,

It does make sense that if a program is in use I can't delete the files. However, I have tried to delete the files when the computer is first booted and have had no luck so I'm guessing it's not a program that I start myself after boot up. It must be one of the programs that are set to automatically start up... good thinking! I'll go into safe mode and make a scan and then post the results. Hopefully we can find a difference and figure out which program is using these temp files. Thanks a lot for the help! I'll post back shortly with the safe mode scan.

mattyl

#6 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • 1,255 posts

Posted 07 October 2004 - 12:03 PM

Those temp files may have been generated by Spyware Guard. It generates temp files (and doesn't clean up after itself). Try temporarily shutting down Spyware Guard and see if those undeletable temp files will delete.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#7 mattyl

Posted 07 October 2004 - 12:11 PM

LB,

Absolutely correct! Wow... thanks a lot. That's been bugging me for a while now. Do you think I should still have Spyware Guard if I'm now running prevx?

Bobbi, never got to make the safe mode scan because vashondude posted right after my post. Thanks for the help though. I'm glad I've finally found out where those temp files belonged.

Thanks again,

mattyl

#8 Bobbi Flekman

Posted 07 October 2004 - 12:18 PM

> LB,
>
> Absolutely correct! Wow... thanks a lot. That's been bugging me for a while now. Do you think I should still have Spyware Guard if I'm now running prevx?
>
> Bobbi, never got to make the safe mode scan because vashondude posted right after my post. Thanks for the help though. I'm glad I've finally found out where those temp files belonged.
>
> Thanks again,
>
> mattyl

You're welcome. I don't use Spyware Guard so I wouldn't have thought of it anyway... The safe mode scan would have shown that Spyware Guard wasn't running, so eventually we would have drawn the same conclusion.

As for running prevx and Spyware Guard, I don't think it would hurt. If there are no objections, let them run together... I run a lot of protection software together too. :D

Thanks, LB!

#9 VashonDude

Posted 07 October 2004 - 12:43 PM

You're welcome. Glad to help.

-- LB
