Is this a Spyware / Trojan? Can someone please help?
sriadverts
06-22-2008, 10:28 PM
Apologies for the long message - Help wanted please
OS - Windows XP SP2
Internet security, firewall - present and up to date, but I guess the problem crept in during the unfortunate one week that I took to renew the subscription.
Of late, after I updated my Java (and also probably after I installed two new hardware devices and their associated software - Winpower for my UPS, and Macrokey manager along with OfficeInk, FreeNotes and PowerPresenter for my Genius Gpen Tablet), I have been noticing that both of the Eraser programs that I run at the end of every day have been reporting that some folders in C:\Windows\Temp cannot be deleted. Interestingly, I notice that every day the number of folders in the Temp directory is increasing; what started off as two folders has now increased to 15 folders with names like AMMRQCOALFCPBKKUB, BXRAKIBBMKDBVHECU etc. (interesting, because every day a new folder is created with a name starting with the next letter of the English alphabet, though not always in sequence: A, B, D, E, F, G, H, I, J, ... - with only one of the folders having a more proper name, hsperfdata_SYSTEM; additionally, all the files in all these folders are of the same size - 64 KB).
All these folders have one or two 64 KB files with filenames like 156 or 3484 (all only numbers), with the type of file reading 'File' - no file type mentioned - and 'Access' to these files is denied. I just am unable to access, read or delete these files / folders. My suspicion is that this is some sort of a Trojan / malware / spyware. I read up about hsperfdata and tried killing the Java processes in the Task Manager; this particular folder gets deleted but reappears on restarting the computer. The other folders, of course, cannot be deleted by the various programs that I have been reading about on various websites, and after several attempts at trying the various things, it has been like hitting a brick wall.
Obviously there is something running in the background which is denying access to these folders / files. Can someone please help in removing the malware and deleting these folders?
Thanks,
sriadverts@yahoo.co.uk
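A small triage script written for this thread as an added example (not code posted by any participant): it lists the sub-folders of a Temp directory, records access-denied folders instead of aborting, and flags the pattern the post above describes (all-capital folder names, digit-only file names of one uniform size) so the recurring set can be compared against the processes in a HijackThis log. The folder and file names in SAMPLE are constructed from values quoted in the thread; the regex thresholds and the hypothetical "LOCKED" folder are assumptions.

```python
import os
import re
from collections import namedtuple

# One record per Temp sub-folder: (file name, size) pairs, or None if listing was denied.
TempFolder = namedtuple("TempFolder", "name files")
# Folder-name and file-name traits quoted in the thread (thresholds are assumptions).
UPPER_NAME = re.compile(r"^[A-Z]{8,}$")
NUMERIC_NAME = re.compile(r"^\d+$")


def scan_temp(path):
    """Record the files one level below `path` (e.g. C:\\Windows\\Temp); a
    PermissionError, the 'Access is denied' the poster hit, is kept as files=None."""
    folders = []
    for entry in os.scandir(path):
        if not entry.is_dir(follow_symlinks=False):
            continue
        try:
            files = [(f.name, f.stat().st_size)
                     for f in os.scandir(entry.path) if f.is_file()]
        except PermissionError:
            files = None
        folders.append(TempFolder(entry.name, files))
    return folders


def classify(folder):
    """Return a short verdict for one Temp sub-folder."""
    if folder.files is None:
        return "access denied"
    if folder.name.startswith("hsperfdata_"):
        # Java's hsperfdata_<user> holds one PID-named file per running JVM.
        return "java hsperfdata"
    if not folder.files:
        return "empty"
    names, sizes = zip(*folder.files)
    if (UPPER_NAME.match(folder.name)
            and all(NUMERIC_NAME.match(n) for n in names)
            and len(set(sizes)) == 1):
        return "numeric file names, uniform size %d bytes" % sizes[0]
    return "ordinary"


def triage(folders):
    # Map each verdict to the folder names that received it.
    report = {}
    for f in folders:
        report.setdefault(classify(f), []).append(f.name)
    return report


# Constructed sample modelled on the names and sizes quoted in the thread.
SAMPLE = [
    TempFolder("AMMRQCOALFCPBKKUB", [("156", 65536), ("3484", 65536)]),
    TempFolder("hsperfdata_SYSTEM", [("1844", 32768)]),
    TempFolder("Temporary Directory 1 for hijackthis.zip", [("HijackThis.exe", 218112)]),
    TempFolder("LOCKED", None),  # hypothetical folder whose listing was denied
]
```

Run `triage(scan_temp(r"C:\Windows\Temp"))` on the affected machine to get the same grouping over the real folders.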
nightowl
06-23-2008, 12:16 PM
Download HijackThis (link at the bottom of my message).
Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders, because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
1. Please go to your 'My Documents' folder, right-click and select 'New > Folder', then name the folder 'HJT'.
2. Copy and paste HijackThis.exe to the new folder.
3. SCAN with HJT
4. POST the new log in this thread using 'Add Reply'
DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH
sriadverts
06-24-2008, 12:27 AM
Thank you for your mail. Here is the log report of the HJT scan. I've changed the log file's name from hijackthis.log to hijackthislog.txt since a .log file cannot be uploaded here.
Logfile of HijackThis v1.99.1
Scan saved at 12:49:39 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\UpsPilot\Winpower.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Privacy Mantra 2.02\privacymantra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\PROGRA~1\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRA~1\UpsPilot\wpRMI.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe
C:\DOCUME~1\DELLOW~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [EPSON Stylus C45 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE /P32 "EPSON Stylus C45 Series (Copy 1)" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [com.codeode.privacymantra] "C:\Program Files\Privacy Mantra 2.02\privacymantra.exe" -minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VoipRaider] "C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized
O4 - HKCU\..\Run: [FreeCall] "C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe" -nosplash -minimized
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Internet TV by Endicosoft.com - {1D958E09-3112-7f0e-9723-5C1321C57B27} - C:\Program Files\Internet TV 2050\InternetTV.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
O23 - Service: Winpowermanager - Macrovision - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - Macrovision - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - Macrovision - C:\PROGRA~1\UpsPilot\wpRMI.exe
All help is appreciated.
Thanks,
sriadverts@yahoo.co.uk
nightowl
06-24-2008, 12:01 PM
Your log looks OK. Not sure about this one:
O4 - HKCU\..\Run: [VoipRaider] "C:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized
If you know what it is, it's probably OK. If not, remove it with HijackThis by placing a check next to it.
This program may help with your temp folders.
Download and run CCleaner, as the Temp folders should be cleaned out periodically; installation programs and hijack programs leave a lot of junk there. There's also a guided tour to get familiar with the program.
http://www.ccleaner.com/
Then reboot to let it clean out what it found.
Let me know the results and how it's running.
sriadverts
06-25-2008, 11:57 AM
for all the help so far. I do know what the VoipRaider is (I had downloaded and installed that program sometime ago) and have anyway removed it using the HJT fix option since I no longer use VoipRaider.
I did download CCleaner, cleaned the system and rebooted the computer to let it clean further. I then checked the C:\Windows\Temp folder, only to find all the folders with the files that I mentioned in my earlier post right there, intact and not deleted.
I have enclosed a jpeg image of the screenshot that I have taken of the Temp folder with its contents and a couple of those subfolders open with their contents alongside just for you to see. Any further thoughts?
Thanks,
Regards,
sriadverts@yahoo.co.uk
nightowl
06-26-2008, 10:09 AM
Right-click the files and folders and click Properties. Does it give you a name of the company? It's possible these could be files from a DVD burner or something like that. Let me get ECA in here, he may know something about these... Jim
sriadverts
06-26-2008, 10:59 AM
Right-clicking the file does not yield any particularly valuable information (no offence; in fact, if I had been able to get any more information like a company name, keywords, author, version or anything else - I have enclosed another jpeg - I would have looked it up and shared it with you instantly, since I fully understand that any extra / additional info, however trivial it may be, can help in identification). As regards the suspicion about the DVD burner, these folders / files were not in the Temp directory from the beginning (my Dell system has had a DVD burner right from the beginning and I did not update / reinstall the driver) and appeared a week ago.
I (think I just used some common sense and) looked at some details of these files and noted that the first file in the first folder is dated 19 June 2008, so logically I looked in the System Restore Wizard to see what had been installed on my computer on or just before that date, and the restore point at that date. The only thing that comes up is something called Software Distribution Service 3.0, which seems to have been thrust down my computer's throat automatically by Windows Update - I'm absolutely sure I did not install this 'nonsense', and now I wonder if this is the apparent cause???
And I cannot run System Restore to an earlier point, for obvious reasons. Too many files with a lot of sensitive data have been created after that, and I can't afford to go back at this point.
Any further thoughts?
Thanks,
Sriadverts
There are a few things to try...
WARNING: just to be safe, BACK UP REQUIRED DATA/PICS/MUSIC... Burn them to CD/DVD/flash drive.
This is acting like a TIME bomb type of virus. THAT, or it's an initiated program that shuts down AFTER it's loaded.
Go to SAFE MODE with NETWORKING.
See if you can run your AV program. If it won't run, use the online version:
http://www.pandasecurity.com/homeusers/solutions/activescan/
Or hit trendmicro.com for their version, HOUSECALL.
If these don't pick up anything... see if you can delete any of those files in SAFE MODE.
I posted the Warning above for a reason. Viruses can be MEAN. Deleting those files could trigger it to kill the system.
Another thing to try is in SPYBOT, in advanced mode... on the RIGHT side under Tools is SECURE SHREDDER... pick up the files and drop THEM into it.
Suggestion:
OPEN and turn OFF "Start when Windows begins/is turned on" for ALL those programs... MSN, YAHOO, FREECALL, VOIPraider, Winpower, UpsPilot, Internet TV... and any OTHER program that DOES NOT NEED TO RUN for Windows to RUN.
You can start them AFTER Windows is started; Windows will load FASTER, and you aren't running EXTRA programs in the background that SLOW the machine... You will gain speed on the system, and LESS will be bothering the computer.
Having background programs that PROBE/USE the web directly is ASKING for them to AUTO UPDATE or install ANYTHING they wish. Even Yahoo/MSN can send you an AUTO message with a link (generally from a friend) that AUTO INFECTS your system... NEVER run them WHEN NOT USING THEM... NEVER click a link UNLESS you talk to the person that SENT IT FIRST.
I need some information:
CPU and how much RAM is on the system.
HD size, and how much is left/available.