 |  |  |  |  |  |  |  |
Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
Thread Solved |
Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#1 Jan 31st, 2008
I got a virus a while ago (months ago) and ever since my Freedom telus antivirus helped remove the virus i keep on getting the rb4.tmp files in my recycle bin, rb26.tmp, rb4f.tmp and many more different types. I think there might also be more hidden viruses on my computer but i cant find a way to find and delete them. I have been told not to use system restore or there may be a chance of letting the virus run loose again. The one thing i used after i got the virus was SDFix.exe in safe mode to delete some part of the virus i totally forgot what though. Please help me, i really don't want to reformat everything. Everytime i delete the rb4.tmp files and other rb.tmp files they keep on reappearing in the recycle bin where i first deleted them and ever since the virus my graphics card seems to be working exremely slow.
Last edited by cynikal; Jan 31st, 2008 at 10:01 pm. Reason: more information
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#2 Jan 31st, 2008
i downloaded the hijackthis version 2.0.0.2 but i'm not completely sure on how to use it.
Last edited by cynikal; Jan 31st, 2008 at 10:04 pm.
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#3 Jan 31st, 2008
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:13 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\RPS.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\mom.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: tcpsvcs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
--
End of file - 5332 bytes
Scan saved at 7:36:13 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\RPS.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\mom.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gcc.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: tcpsvcs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
--
End of file - 5332 bytes
•
•
Join Date: May 2005
Posts: 3,204
Reputation: 
Solved Threads: 188
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
1
#4 Feb 1st, 2008
Hi, you need to remove this:
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key :O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on,so you will need to unlock it first. This tool should do the job...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
So try it and post another log.
C:\WINDOWS\system32\tcpsvcs.dll
It is already running, started at boot by this key :O20 - AppInit_DLLs: tcpsvcs.dll ... If you cannot manually delete the file in normal mode you will not be able to do it in safe mode either, because it is loaded and running before you get to log on,so you will need to unlock it first. This tool should do the job...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
So try it and post another log.
Deep, deep in the woods, but walking about.
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#5 Feb 1st, 2008
i cant find a tcpsvcs.dll file i can only find a tcpsvcs.exe file in my C:\WINDOWS\system32\
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#6 Feb 1st, 2008
i also ran a AVG anti-spyware scan which found a Trojan.Inject.fm but i cant save the report this was before you replied to my post.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#7 Feb 1st, 2008
Okay, that one [tcpsvs.exe] is legitimate, so leave it there. Let's remove that key though...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O20 - AppInit_DLLs: tcpsvcs.dll
..and that is all. Those rb.tmp and rb4.tmp I think may be associated with your AV/AS service, Telus. If you wish to test that go offline, disable TELUS andthen delete them. If they stay gone then that is the reason, they are files used by Telus..... Don't foget to reactivate Telus before you connect again. It will regenerate them.
AVG should have saved a report if it found something.. check under the Reports tab...?
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O20 - AppInit_DLLs: tcpsvcs.dll
..and that is all. Those rb.tmp and rb4.tmp I think may be associated with your AV/AS service, Telus. If you wish to test that go offline, disable TELUS andthen delete them. If they stay gone then that is the reason, they are files used by Telus..... Don't foget to reactivate Telus before you connect again. It will regenerate them.
AVG should have saved a report if it found something.. check under the Reports tab...?
Last edited by gerbil; Feb 1st, 2008 at 12:54 am.
Deep, deep in the woods, but walking about.
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#8 Feb 1st, 2008
I found that file in the hijackthis and clicked on fix this after i ticked it. Its not in the report anymore or i dont think it is. For the AVG there is nothing under the report tab but it says 4 files are currently quarantined. I see them under the infections tab but i cant get a report of them to show you.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#9 Feb 1st, 2008
do you recognise the entries in the quarantine? You could list them here.. but if they are merely cookies you could just empty the bin safely.
Last edited by gerbil; Feb 1st, 2008 at 1:05 am.
Deep, deep in the woods, but walking about.
Re: Please Help! i got rb4.tmp and many other rb.tmp files in my RecycleBin & cant del em
0
#10 Feb 1st, 2008
these are basically copy pasted and one of them or 2 of them are in the system voume folder and when i clicked on apply all to quarantine and delete everything a popup came up and asked me if i wanted to quarantine the entire system volume folder or file and i clicked yes so this is what shows up in my quarantine tab (i had to manually type them all from the tab) the *** are what im typing in for what the file is infected with:
C:\System Volume Information\_restore{EBCB510F-B2E2-4905-9575-7F04221D52A4}\RP403\A0131478.exe ***This one is infected with Adware.180Solutions***
HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} ***This one is infected with Adware.Generic***
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave ***This one is infected with Adware.SaveNow***
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BKR0LWOQ\m2_18_09_07_1[1].exe ***This one is infected with Trojan.Inject.fm***
C:\System Volume Information\_restore{EBCB510F-B2E2-4905-9575-7F04221D52A4}\RP403\A0131478.exe ***This one is infected with Adware.180Solutions***
HKU\S-1-5-21-436374069-1284227242-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} ***This one is infected with Adware.Generic***
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave ***This one is infected with Adware.SaveNow***
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BKR0LWOQ\m2_18_09_07_1[1].exe ***This one is infected with Trojan.Inject.fm***
 |
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Computer really messed up please help
- Next Thread: Win32 Service Error
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit fake fancheckvirus gaming gtaiv gumblar halloween hijack hosting internet iphone kaspersky legal mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile parents patch phishing police policeprovirusmba-mblockedinternetaccess president pro problem redirect reliability report research risk rogueantivirus samhain sans school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war windows worm yahoo zeroday
