
Status
Not open for further replies.
1 - 2 of 2 Posts

·
Registered
Joined
·
2 Posts
Discussion Starter #1
Noticed that there are several files generated dynamically on the system with the name BIT*.tmp, each of size 20 to 30MB, and they keep increasing in number sequentially until the hard disk is filled. All but the most recent of them can be deleted. When trying to delete the most recent it gives a message that it's in use, but occasionally it can be deleted. After a few minutes these files reappear, independent of having a net connection.

Please advise next course of action.

PASSMA was detected and cleaned by Stinger. I've run ewido, cwsweeper, ad-aware, spy bot and finally HKT log enclosed...
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:53:24 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
d:\antispyware\ewido\security suite\ewidoctrl.exe
d:\antispyware\ewido\security suite\ewidoguard.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
C:\WINDOWS\myCIO\Agent\myAgtTry.Exe
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
C:\Program Files\PLANEX\bRoad Lanner Wave\N11BCFG.exe
D:\Program Files\WordWeb\wweb32.exe
d:\antispyware\Spybot-Search&Destroy\TeaTimer.exe
D:\Antispyware\HijackThis.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.182.199:21;gopher=192.168.182.199:6588;http=192.168.182.199:6588;https=192.168.182.199:6588;socks=192.168.182.199:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.182.*;<local>
O1 - Hosts: '67.19.156.130 axxonet.com
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\antispyware\Spybot-Search&Destroy\SDHelper.dll
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myAgtTry.Exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.hwd /autorun
O4 - HKCU\..\Run: [RediffAlerter] C:\Program Files\rediff.com\Alerter\alerter.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\antispyware\Spybot-Search&Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Planex GW-NS11X utility.lnk = C:\Program Files\PLANEX\bRoad Lanner Wave\N11BCFG.exe
O4 - Global Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Download with &DAP - .\dapextie.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://ksa.accessredbox.net/inc/kaxRemote.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02E1A4A8-6076-4A5B-9ACB-4E95D190F2E9}: NameServer = 192.168.182.1,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DF005C0-889A-43C6-924E-D7D3C15EA46E}: NameServer = 192.168.182.141,61.1.96.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{B78AD143-C6AF-4362-8A32-5C46D75EB19F}: NameServer = 202.144.95.4,202.144.66.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFDB818C-6F69-4D82-BDB1-48FE7F5E69E8}: NameServer = 202.88.156.6,202.56.250.5,203.145.184.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{02E1A4A8-6076-4A5B-9ACB-4E95D190F2E9}: NameServer = 192.168.182.1,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{02E1A4A8-6076-4A5B-9ACB-4E95D190F2E9}: NameServer = 192.168.182.1,202.56.250.5
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.1.248.dll
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - D:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: AXMail Server (AXMail) - Unknown owner - C:\Program Files\Axxonet Solutions\AxMail ver 1.0\bin\AXMail.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - d:\antispyware\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\antispyware\ewido\security suite\ewidoguard.exe
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
O23 - Service: MySql - Unknown owner - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: SVNService - Unknown owner - D:\Subversion\bin\SVNService.exe (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Xdrive Service (XdriveService) - Unknown owner - C:\Program Files\XdriveNT\xdService.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
Premium Member
Joined
·
14,311 Posts
One of your programs might be creating those BIT*.tmp files. Can you upload one or two of them to http://virusscan.jotti.org and see what it reports back?
 