Need Help! Virus or Other Problem

thekat

New Member
My system info:

McAfee Anti-Virus

Dell Dimension 4100 Series
Pentium III at 933 MHz
128 SDRAM at 133 MHz
20.4 GB 7200 rpm Hard-drive
Windows ME
Word 2000 SR-1

Problem:
My Temp Folder is filled recently with over 100 temp files that I cannot delete, with the following properties:
--Temp files
--Listed as opening with Paint Shop Pro
--Date created is listed as when I turn on the computer
--0 bytes
--File names like: CSFF7938C1-6544-4536-BA7C-00F9FD34CA6
--Attributes: Hidden, Archive

When I try to delete any of the files, the following message appears:
Cannot delete (file name): Access is denied. The source file may be in use.

I tried to delete them by changing the attributes, then tried in Safe Mode, without success. The first attempt in Safe Mode showed that I deleted about twenty similar files, but when I restarted in normal mode, all of the files were back in the Temp Folder.

I've run the following scans:
McAfee Anti-Virus
CWS Shredder
Spybot
Ad-Aware
Spy Sweeper

The following message appears sometimes after closing other applications:
Mcupdate (McAfee Antivirus Update) has caused an error in Kernel 32.DLL.
Mcupdate will now close.

Thank you for your help!
 
Sounds like something is actively using those files. Post a HijackThis log so we can rule out malware. :)
 
Please Review: HijackThis Log

Thank you Byteman.
Here is the HijackThis Log:

Logfile of HijackThis v1.98.2
Scan saved at 8:48:15 AM, on 9/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O15 - Trusted Zone: http://www.cavaliergalleries.com
O15 - Trusted Zone: http://www.bostontango.org
O15 - Trusted Zone: http://*.ccae.org
O15 - Trusted Zone: http://*.csfineart.com
O15 - Trusted Zone: http://*.sculpturehouse.com
O15 - Trusted Zone: http://www.arcadiafinearts.com
O15 - Trusted Zone: http://www.lagunaartworkshops.com
O15 - Trusted Zone: http://www.hiltonheadartleague.org
O15 - Trusted Zone: http://www.addresses.com
O15 - Trusted Zone: http://peoplesearch.addresses.com
O15 - Trusted Zone: http://find.intelius.com
O15 - Trusted Zone: http://*.bostonfr.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.pcclub.com
O15 - Trusted Zone: http://www.computing.net
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://www.target.com
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://*.spywareinfo.com
O15 - Trusted Zone: http://*.about
O15 - Trusted Zone: http://*.eegallery.com
O15 - Trusted Zone: http://*.roycroftdesign.com
O15 - Trusted Zone: http://www.mclarryfineart.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://*.albuquerquemuseum.com
O15 - Trusted Zone: http://art.shawguides.com
O15 - Trusted Zone: http://www.epson.com
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.errolgraphics.com
O15 - Trusted Zone: http://*.ups.com
O15 - Trusted Zone: http://www.delta.com
O15 - Trusted Zone: http://www.cheaptickets.com
O15 - Trusted Zone: http://*.danielgerhartz.com
O15 - Trusted Zone: http://www.arthaven.com
O15 - Trusted Zone: http://*.utrecht.com
O15 - Trusted Zone: http://*.fedex.com
O15 - Trusted Zone: http://*.amazing-visions.com
O15 - Trusted Zone: http://www.mediaoutfit.com
O15 - Trusted Zone: http://www.wgbh.org
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
 
You're using an old version of HijackThis. Please follow the instructions in the sticky (current download link is included in the sticky as well), and post a fresh log. :)
 
Here's a HijackThis Logfile with the newer version of HijackThis.
Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 10:46:43 PM, on 9/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O15 - Trusted Zone: http://www.cavaliergalleries.com
O15 - Trusted Zone: http://www.bostontango.org
O15 - Trusted Zone: http://*.ccae.org
O15 - Trusted Zone: http://*.csfineart.com
O15 - Trusted Zone: http://*.sculpturehouse.com
O15 - Trusted Zone: http://www.arcadiafinearts.com
O15 - Trusted Zone: http://www.lagunaartworkshops.com
O15 - Trusted Zone: http://www.hiltonheadartleague.org
O15 - Trusted Zone: http://www.addresses.com
O15 - Trusted Zone: http://peoplesearch.addresses.com
O15 - Trusted Zone: http://find.intelius.com
O15 - Trusted Zone: http://*.bostonfr.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.pcclub.com
O15 - Trusted Zone: http://www.computing.net
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://www.target.com
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://*.spywareinfo.com
O15 - Trusted Zone: http://*.about
O15 - Trusted Zone: http://*.eegallery.com
O15 - Trusted Zone: http://*.roycroftdesign.com
O15 - Trusted Zone: http://www.mclarryfineart.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://*.albuquerquemuseum.com
O15 - Trusted Zone: http://art.shawguides.com
O15 - Trusted Zone: http://www.epson.com
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.errolgraphics.com
O15 - Trusted Zone: http://*.ups.com
O15 - Trusted Zone: http://www.delta.com
O15 - Trusted Zone: http://www.cheaptickets.com
O15 - Trusted Zone: http://*.danielgerhartz.com
O15 - Trusted Zone: http://www.arthaven.com
O15 - Trusted Zone: http://*.utrecht.com
O15 - Trusted Zone: http://*.fedex.com
O15 - Trusted Zone: http://*.amazing-visions.com
O15 - Trusted Zone: http://www.mediaoutfit.com
O15 - Trusted Zone: http://www.wgbh.org
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
 
Your log is indeed clean, no malware causing it. Try using CCleaner, use it in safe mode and see how that does. Also, if these files are in use and there is no malware, it is probably a legitimate program using them when it runs. McAfee gives you the error, you may also try disconnecting from the Internet, shutting down McAfee, and then try. (However, if it is McAfee using the files and you delete them, I don't know what effects would come of it.) :)
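
Added example (not part of the thread and not HijackThis's own code): a small Python parser for the log format posted above that lists O4 autorun entries with no same-named entry under "Running processes". The sample is a shortened excerpt of the first log; the function names and the file-name-only matching are choices made for this example.

```python
import re
from ntpath import basename

# Shortened excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O15 - Trusted Zone: http://us.mcafee.com
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")            # e.g. "O4 - <text>"
AUTORUN = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE = re.compile(r'"?(.+?\.exe)\b', re.I)             # .exe targets only; paths may hold spaces

def parse(log):
    """Return (running process paths, [(section code, entry text), ...])."""
    running, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:                                  # first coded entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
    return running, entries

def autoruns_not_running(log):
    """File names of O4 autorun targets with no same-named running process."""
    running, entries = parse(log)
    live = {basename(p).lower() for p in running}   # compare names only: 8.3 paths differ
    missing = []
    for code, text in entries:
        m = AUTORUN.match(text) if code == "O4" else None
        exe = m and EXE.match(m.group("cmd"))
        if exe and basename(exe.group(1)).lower() not in live:
            missing.append(basename(exe.group(1)))
    return missing
```
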
 
Byteman:
I used CCleaner in Safe Mode.
Should I run the scan for Issues, too? And fix them?
It didn't remove the files.

I tried your other suggestion: disconnecting from the internet and shutting down McAfee. Apparently, the 101 temp files are associated with McAfee. I've never had them before updating to their newest version. I reinstalled McAfee and have the 101 temp files back.
Please let me know if they pose any problem. I can try emailing McAfee for their advice, too.
Thank you.
 
They don't pose any problem, and are obviously needed for McAfee. Since they reside in a temp file, I don't think you'll have any negative effects by leaving them alone. :)
 
Grim Reaper, Byteman,
Thank you for your advice.

I posted the issue on McAfee's forum. The moderator suggested running all of the scans in Safe Mode. I did so, the scans picked up a few items and deleted them.

The error messages and 101 temp files still persist, however. The computer still operates, though seems slow at times and my Palm Desktop has problems.

I'll wait to see if the McAfee moderator has any other suggestions, and if anyone responds on the Palm Forum.

Thanks again for all of your help.
 
Can't say I'm not surprised, I actually see a lot of problems associated with McAfee suite, and Norton Internet Security, not playing nice with other programs. ;)
 