DaniWeb IT Discussion Community

-   -   Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em (http://www.daniweb.com/forums/thread107127.html)

cynikal Jan 31st, 2008 9:40 pm
Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
I got a virus a while ago (months ago) and ever since my Freedom Telus antivirus helped remove the virus I keep on getting the rb4.tmp files in my recycle bin, rb26.tmp, rb4f.tmp and many more different types. I think there might also be more hidden viruses on my computer but I can't find a way to find and delete them. I have been told not to use system restore or there may be a chance of letting the virus run loose again. The one thing I used after I got the virus was SDFix.exe in safe mode to delete some part of the virus; I totally forgot what, though. Please help me, I really don't want to reformat everything. Every time I delete the rb4.tmp files and other rb.tmp files they keep on reappearing in the recycle bin where I first deleted them, and ever since the virus my graphics card seems to be working extremely slow.

cynikal Jan 31st, 2008 9:46 pm
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
I downloaded HijackThis version 2.0.0.2 but I'm not completely sure on how to use it.

cynikal Jan 31st, 2008 11:39 pm
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:13 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\RPS.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\mom.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: tcpsvcs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5332 bytes

gerbil Feb 1st, 2008 12:22 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
Hi, you need to remove this:
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key: O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on, so you will need to unlock it first. This tool should do the job...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Double-click the exe to install it, unchecking the updater and assistant boxes. It runs from the right-click context menu, and that is cool.
So try it and post another log.
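
As an added example (not from the thread, and not part of HijackThis itself), a small Python check that scans HijackThis log lines for the two logon-time persistence entries visible in the log above, the O20 AppInit_DLLs hook discussed in this reply and the F2 UserInit value, and reports anything beyond the Windows defaults; the embedded log lines are constructed after the posted log.

```python
import re

# Windows XP default UserInit value; any additional entry warrants review.
DEFAULT_USERINIT = "userinit.exe"

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.+?)\s*$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*?)\s*$")


def _basename(path: str) -> str:
    """Last path component, lower-cased, for comparing against defaults."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def review_hijackthis_log(text: str) -> list:
    """Return (section, detail) findings for the O20 and F2 entries.

    O20 AppInit_DLLs: a DLL listed here is mapped into every process that
    loads user32.dll, so it is active before logon (as the reply above
    notes), which is why such a file resists ordinary deletion.
    F2 UserInit: comma-separated programs winlogon runs at logon; the
    default is userinit.exe alone, so every extra entry is reported.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            for dll in re.split(r"[ ,]+", m.group("dlls")):
                if dll:
                    findings.append(("O20", f"AppInit_DLLs loads {dll}"))
            continue
        m = F2_RE.match(line)
        if m:
            for entry in m.group("value").split(","):
                entry = entry.strip()
                if entry and _basename(entry) != DEFAULT_USERINIT:
                    findings.append(("F2", f"UserInit also runs {entry}"))
    return findings


# Constructed sample modelled on the posted log (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: tcpsvcs.dll
"""

if __name__ == "__main__":
    for section, detail in review_hijackthis_log(SAMPLE_LOG):
        print(f"[{section}] {detail}")
```

A finding only means the entry differs from the default and the named file should be checked against its publisher and location; it is not by itself a verdict.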

cynikal Feb 1st, 2008 12:34 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
I can't find a tcpsvcs.dll file; I can only find a tcpsvcs.exe file in my C:\WINDOWS\system32\

cynikal Feb 1st, 2008 12:43 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
I also ran an AVG Anti-Spyware scan which found a Trojan.Inject.fm but I can't save the report; this was before you replied to my post.

gerbil Feb 1st, 2008 12:45 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
Okay, that one [tcpsvcs.exe] is legitimate, so leave it there. Let's remove that key though...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O20 - AppInit_DLLs: tcpsvcs.dll
..and that is all. Those rb.tmp and rb4.tmp I think may be associated with your AV/AS service, Telus. If you wish to test that, go offline, disable TELUS and then delete them. If they stay gone then that is the reason; they are files used by Telus..... Don't forget to reactivate Telus before you connect again. It will regenerate them.
AVG should have saved a report if it found something.. check under the Reports tab...?

cynikal Feb 1st, 2008 12:54 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
I found that file in HijackThis and clicked on fix this after I ticked it. It's not in the report anymore, or I don't think it is. For the AVG there is nothing under the Reports tab but it says 4 files are currently quarantined. I see them under the Infections tab but I can't get a report of them to show you.

gerbil Feb 1st, 2008 12:59 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
Do you recognise the entries in the quarantine? You could list them here.. but if they are merely cookies you could just empty the bin safely.

cynikal Feb 1st, 2008 1:15 am
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
 
These are basically copy-pasted, and one or 2 of them are in the System Volume folder. When I clicked on apply all to quarantine and delete everything, a popup came up and asked me if I wanted to quarantine the entire System Volume folder or file and I clicked yes, so this is what shows up in my quarantine tab (I had to manually type them all from the tab). The *** are what I'm typing in for what the file is infected with:
C:\System Volume Information\_restore{EBCB510F-B2E2-4905-9575-7F04221D52A4}\RP403\A0131478.exe ***This one is infected with Adware.180Solutions***

HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} ***This one is infected with Adware.Generic***

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave ***This one is infected with Adware.SaveNow***

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BKR0LWOQ\m2_18_09_07_1[1].exe ***This one is infected with Trojan.Inject.fm***


Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC