Persistent problem continued.... :(



Vince
2014-12-02, 17:16
Hello to the moderators of this area :)

I was recently under the guidance of Juliet, and was advised to post in here linking back to the other thread...
http://forums.spybot.info/showthread.php?71569-Persistant-problem-(

I'm sure you will see in there what problems I have been having, but the basics of it are:

I'm a regular gamer and administrator. I recently noticed regular packets being dropped and suspected something was wrong.

I was infected with a Trojan.... the day I found it was the day my paypal was robbed.

I scan in safe mode and I use Spybot and Malwarebytes.
Spybot found a load of tracking cookies, but nothing other than that. I scanned after with Malwarebytes and found the Trojan.

Since then the lag in game has stayed and I have noticed a large amount of temp files always being created and not being able to delete some of them.

After about 10 days of not being able to shift the lag, I reported a problem on these forums. Juliet identified evilhook on my PC, but this was a tool that was temporarily used in the administration of the Call of Duty servers that I administer (it has an inbuilt cheat detector). But it never worked with my PC after I installed W7. I tried over 6 months ago, but it never visibly did anything.
Malware or not, evilhook was removed by Juliet and... yes... the lag in game has gone :)

My concern now is the amount of temp files that are created when getting to the desktop... and a frustration with my IE11 tabs... I cannot drag a tab to a new window anymore :(

Anyway.. have a read and let me know what you think.

All the best

Vince

Zenobia
2014-12-02, 23:14
I cannot drag a tab to a new window anymore :(
What happens if you press Ctrl + N? If you have a tab open, that should open a new window with the contents of the tab in the new window, from the looks of things when I tried it in IE. :)

Your temp files should be located at C:\Windows\Temp and C:\Users\(your user name)\AppData\Local\Temp. If you go to those locations, do any of the large amounts of temp files indicate to you where they might be coming from in their names?

Vince
2014-12-03, 00:54
Hello Zenobia :)

I tried the Ctrl + n, and yes, it opens a new window with the same URL.

I looked in the locations you said. I was able to locate about 150 files. I have attached some screen shots of those two folders.

[screenshots attached]

I have no idea what the MEI folders are about or the {2C1334AC-28AF-4CBA-867C-F4B2741A9BD4}; to be honest there are a few files there I have no idea about :(

Zenobia
2014-12-03, 06:34
Hi. :)

The _MEI files may be from Google drive:
https://productforums.google.com/forum/#!topic/drive/pjPc-4hYrtA

I have the temp folders with the numbers in curly brackets, too. I'm not sure what they are either, but they should be okay. They might possibly be related to something with Windows Update, though that isn't for certain.

I searched a couple more of the files I saw in your C:\Users\(user name)\AppData\Local\Temp folder.
This should be what the fla.*tmp files are:
https://forums.adobe.com/thread/190160?tstart=0

This should explain the cvrafe.tmp.cvr file:
http://www.file-extensions.org/cvr-file-extension

This may explain the .od file extension in your temp folder:
http://answers.microsoft.com/en-us/office/forum/office_2007-word/what-is-od-file-extension/5f50d147-e477-4b5f-b726-13901cf103a1

FXSAPIDebugLogFile.txt should have something to do with fax or a printer (I have that one, too, appears to be legit.)

What I haven't been able to find anything about, as far as what might create them, are these sets of files in your temp folder:
The browserview*****.tmp files, ~DF*************.TMP files and the INS_**********.TMP files. That doesn't mean they're necessarily from something bad, though.

What you could try for some of the unidentified ones is to delete the contents of your C:\Users\(user name)\AppData\Local\Temp folder. If the files are in use, then you should get a message that the file couldn't be deleted because it's open in some program, etc., and that might help identify what is generating them, since if large amounts of temp files are being generated quickly it's likely they will be in use.
If you'd like to try that, go to C:\Users\(user name)\AppData\Local\Temp, click Edit, then Select All, then right-click and select Delete. Make a note of which files/folders will not delete, and which location or program Windows says it is open in, then press Skip. For groups of similar files that will not delete, there's no need to note where it is open for each one; for example, if the INS_*<randomnumber>*.TMP files are in use, note where they are in use, then you can zone out a bit, then pay attention when it gets to the ~DF*************.TMP files, and note where it says they are in use. Hope that makes sense, it's difficult to explain. :)

For you not being able to drag a tab to a new window, I think that might possibly be related to permissions, but I haven't completely found that yet, so I'll look further for that later on.
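
The same grouping, done by script as an added example (not anything posted in this thread): each name in a Temp folder is mapped to its family (the ~DF, INS_, _MEI and browserview names above, with a digit-collapsing fallback for anything else) and counted, so a family that keeps growing stands out. The prefix list, the 600-second "recent" window and the sample names are all constructed assumptions.

```python
import os
import re
import time
from collections import Counter, defaultdict

# Name families mentioned in the thread (assumed list); other names merge by collapsing digit runs.
KNOWN_PREFIXES = ("~DF", "INS_", "_MEI", "browserview", "fla")
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
DIGIT_RUN = re.compile(r"\d{3,}")

def temp_family(name):
    """Map one temp file or folder name to its family, e.g. '~DF*.TMP' or '_MEI*'."""
    if GUID_DIR.match(name):
        return "{GUID}"
    stem, dot, ext = name.rpartition(".")
    if not dot:                          # no extension: the whole name is the stem
        stem, ext = name, ""
    for prefix in KNOWN_PREFIXES:
        if stem.lower().startswith(prefix.lower()):
            stem = prefix + "*"
            break
    else:
        stem = DIGIT_RUN.sub("*", stem)
    return stem + ("." + ext.upper() if ext else "")

def count_families(names):
    """Count entries per family; a family with hundreds of members is the one to chase."""
    return Counter(temp_family(n) for n in names)

def scan_temp_dir(path, recent_seconds=600):
    """Report per family how many entries a real Temp folder holds and how many changed recently."""
    report = defaultdict(lambda: {"count": 0, "recent": 0})
    now = time.time()
    with os.scandir(path) as entries:
        for entry in entries:
            fam = report[temp_family(entry.name)]
            fam["count"] += 1
            try:
                fam["recent"] += now - entry.stat().st_mtime < recent_seconds
            except OSError:              # vanished mid-scan; still counted above
                pass
    return dict(report)

# Constructed sample names modelled on those mentioned in the thread, not a real listing.
SAMPLE_NAMES = [
    "~DF3A91C0B2E7F14D.TMP", "~DFC1D2E3F4A5B6C7.TMP", "~DF7B2E9C1A0D4F58.TMP",
    "INS_2C1F8A0B3D.TMP", "INS_9E4D7A1C2B.TMP", "_MEI48722", "_MEI51204", "fla1A2B.tmp",
    "browserview2a9f.tmp", "cvrafe.tmp.cvr", "FXSAPIDebugLogFile.txt", "{2C1334AC-28AF-4CBA-867C-F4B2741A9BD4}",
]
```

Run scan_temp_dir on the real folder (e.g. os.environ["TEMP"]) to see which families are still being written to right now.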

Vince
2014-12-03, 10:06
Thanks for the directions :)

I deleted all in the temp folder, and identified programs as you said.

I stopped the application from running and then removed the files.

I'm now left with

[screenshot attached]

I'll try in safe mode and see what remains and post back

Vince
2014-12-03, 10:59
I got to safe mode and these were the files there
[screenshot attached]

I deleted all of them but was left with
FXSAPIDebugLogFile.txt (in use by another program)

on reboot back to normal mode these were back
[screenshot attached]

Guess I must be over paranoid?

Vince
2014-12-03, 11:50
I think I may have found the problem...

You may have noticed the xampp running... I have a webserver and mail server running on this machine... I'm in the process of setting up a new business and wanted to get some experience with servers.

I think my server has been hijacked?.... a relay? idk :sad:

[screenshot attached]

Zenobia
2014-12-03, 18:09
Guess I must be over paranoid?
Nope, if I were to have a large amount of temp files in use, and also being generated quickly, I would want to investigate where they were coming from and where they were in use. If they start being generated again in large numbers, please mention them here, and if you aren't sure about the program that is generating them, you can mention that too, if you wish, and I'll try my best to look for whatever I can. :)

Please bear with me as I'm not familiar with Mercury/32, it will take me a bit to learn, and frankly, I may not exactly know what the heck I'm talking about as of yet, but I am getting the general gist I think. :)
I see from your screenshot that you have quite a few 'processing failed deliveries and generating notification' jobs all roughly around the same time. Is there any further info there if you expand the screen, or is there a logfile available for that anywhere?
Since you mentioned relay, is the problem that Mercury/32 seems to be acting as an open relay?
I see the wiki page mentions Relaying Controls:
http://en.wikipedia.org/wiki/Mercury_Mail_Transport_System#Features
Do you have those set?

Vince
2014-12-03, 18:48
Thanks again for being supportive, I am feeling very stupid at the moment... 1, for somehow getting infected with a Trojan and 2, for yes, having my email server set up as a relay :(

I have changed the settings in Mercury and it is no longer acting as a relay...... there were over 280,000 queued emails and the end to end window (top left) was non stop just like the core processes (bottom right)

I had to delete the queued items, all I'm getting now are the attempts from the outside asking me to pass mail on. (rejected).
[screenshot attached]

I had not mentioned it, certain websites have not let me in until I prove I'm not a bot (captcha etc.).
I'm guessing my IP has now been blacklisted somewhere as a spammer? Mail is not being delivered by my server now... I'll restart again and see what comes up.

Thanks again

Vince
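
What "relaying controls" actually decide, as an added example that is not Mercury/32's code or configuration: a relay policy that accepts mail addressed to the server's own domains or submitted by authenticated or local-network clients and rejects everything else, with relay_controls=False reproducing the open-relay behaviour described above; summarise_relay_attempts then counts the rejected outside attempts per client, which is the view an admin wants after closing the relay. The domains, networks and transaction records are constructed.

```python
import ipaddress
from collections import Counter

# Assumed policy values for the example, not Mercury/32's configuration.
LOCAL_DOMAINS = {"example.com"}                  # domains this server delivers for
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("127.0.0.0/8")]

def domain_of(address):
    return address.rpartition("@")[2].lower()

def relay_decision(client_ip, authenticated, rcpt_to, relay_controls=True):
    """Return 'accept' or 'reject' for one RCPT TO.
    relay_controls=False is the open relay: every recipient is accepted."""
    if not relay_controls:
        return "accept"
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "accept"                          # inbound mail for our own users
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in LOCAL_NETWORKS):
        return "accept"                          # our own users sending outbound
    return "reject"                              # a stranger asking us to forward mail

def summarise_relay_attempts(records, relay_controls=True):
    """Apply the policy to transaction records and count rejected relay
    attempts per client address."""
    rejected = Counter()
    for rec in records:
        if relay_decision(rec["ip"], rec["auth"], rec["rcpt"], relay_controls) == "reject":
            rejected[rec["ip"]] += 1
    return rejected

# Constructed transactions (not real log data); 203.0.113.x and 198.51.100.x are strangers.
SAMPLE_RECORDS = [
    {"ip": "192.168.1.20", "auth": False, "rcpt": "friend@example.org"},
    {"ip": "203.0.113.9",  "auth": False, "rcpt": "victim1@example.net"},
    {"ip": "203.0.113.9",  "auth": False, "rcpt": "victim2@example.net"},
    {"ip": "198.51.100.4", "auth": False, "rcpt": "vince@example.com"},
    {"ip": "198.51.100.4", "auth": False, "rcpt": "someone@example.org"},
    {"ip": "203.0.113.77", "auth": True,  "rcpt": "partner@example.org"},
]
```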

Zenobia
2014-12-04, 00:11
You're welcome. No need to feel stupid, many people get infected (including myself in the past), and it takes a bit to learn how to run anything, including an email server. :)

This is the forum for Mercury Mail Transport System:
http://community.pmail.com/forums/default.aspx?GroupID=7
The Mercury Community Support looks to be pretty helpful.

About not being able to drag tabs to a new window. Are you still able to drag tabs back and forth across Internet Explorer?

Vince
2014-12-04, 19:35
Yes I've lots to learn ;)

Regarding the tabs... I can move the tabs horizontally within the open window or I change the order of the tabs, but I cannot drag outside the window.

Regarding the temp files.... still creating them :(

Zenobia
2014-12-05, 08:05
Click Start, type gpedit.msc in the Start Search box, and then press Enter.
Go to User Configuration, Administrative Templates, Windows Components, Internet Explorer, and then Set tab process growth. Is that set to anything? Like Low, Medium, High, or Default? :)

What programs did you need to shut down in order to delete the temp files that were in use when you did it before?

Vince
2014-12-05, 09:57
I ran that, but everything looks like it's not been configured?

[screenshot attached]

Not sure which applications were closed

Zenobia
2014-12-05, 22:38
I ran that, but everything looks like its not been configured ?
Nope, doesn't look like it. Ok, good. :)
Are you familiar with regedit?

Do you know roughly how many temp files were generated again? Are a large amount of them the same type of file? i.e. a lot of them are the ~DF*************.TMP files, or the INS_**********.TMP files?

Vince
2014-12-05, 23:24
I have used regedit before :)

There are a number ~DF******** files but they go with applications like IE and the brother p-touch software I use.

I just had a look again and I think have worked it out.... and again can only apologise for the time you have invested in me....

In safe mode I'm able to get down to

[screenshot attached]

this empty file is the one that cannot be deleted. The other 300+ that are being created are in the _MEI***** folder...

[screenshot attached]

as I have two MEI folders I currently have 600+ temp files
[screenshot attached]

Zenobia
2014-12-06, 05:28
According to this link, the _MEI****** folder being left behind is a bug in Google Drive:
https://productforums.google.com/forum/#!topic/drive/pjPc-4hYrtA
The good news is there's a workaround. :)
https://productforums.google.com/d/msg/drive/pjPc-4hYrtA/LOyfZtFWFUkJ

If you exit Google Drive by right-clicking the Google Drive icon in your Windows 7 notification area, and selecting Exit, then Google Drive shuts down properly and correctly deletes the _MEIxxx folder. Unfortunately, it leaves the folder behind if you leave Google Drive running when you log out or shut down. So, yes, it is a bug in Google Drive. It ought to terminate properly when the user logs out.

According to this link, FXSAPIDebugLogFile.txt is related to the Windows Fax and Scan service:
http://matt-3dsmax.blogspot.ca/2013/09/delete-fxsapidebuglogfiletxt-is-related.html
Mine is empty too, so I guess that's normal.


I just had a look again and I think have worked it out.... and again can only apologise for the time you have invested in me....
That's no problem at all, no need to apologize. :)

I just want to check one or two things in the registry, but I'll ask you to back up the registry now, saves having to do it later, if any changes are needed:
http://pcsupport.about.com/od/windows7/ht/backup-registry-windows-7.htm
Once the registry is backed up, could you go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, then scroll down and click on Main, and in the pane to the right, let me know if you see TabProcGrowth there. If it is there, let me know what it says under Data.
Next, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer, then scroll down and click on Main. In the pane to the right, locate TabProcGrowth, and let me know what it says under Data.

Vince
2014-12-06, 10:06
Yes, it was totally related to Google Drive... I have ticked the option to not start when the computer starts and then exited Google Drive. I'm able to delete the files.

There was no value in the registry key.
[screenshot attached]

Zenobia
2014-12-07, 00:02
Good, that should cut down on the temp files from Google Drive. :)

Bingo! (Well, hopefully.) :D
Please go to Start, type Regedit, and say yes to the prompt from UAC.
Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, then double-click TabProcGrowth. Under Value Data, change it to 1, then click OK, then exit the registry.
Then open Internet Explorer, then open a tab, then try to drag it to a new window.

Vince
2014-12-07, 10:53
Awesome :)

I can now move the tabs into a new window... Thank you :)

Zenobia
2014-12-07, 18:51
You're welcome. :)

When you return to Juliet, would you please mention what was happening with Mercury/32? It was probably happening because the relay controls weren't set, but Juliet ought to know about it, just in case. Thanks. :)

Vince
2014-12-08, 00:34
Will do, and thanks for your help :)

I have just noticed another problem.... a problem with my recycle bin.
Each time I open the bin my hard drive goes into overdrive, the hard drive light is fixed on and I'm left with a blank recycle bin.

If I open the process monitor I can see that the MFT is going mad on my Z drive.... C: is my SSD and Z: is a normal drive
[screenshot attached]

:(

Zenobia
2014-12-08, 20:16
If the recycle bin appears to be full, you could try right-clicking it and selecting Empty Recycle Bin (as long as there's nothing in there you might need to recover), and that way you wouldn't need to open it to empty it.

If that doesn't work, then this shows a fix if the recycle bin has become corrupted:
http://www.thewindowsclub.com/recycle-bin-is-corrupted-windows
Keep in mind, according to this (under Tweak Recycle Bin behaviour), each drive should have its own recycle bin, so you might need to adjust the instructions for the recycle bin fix accordingly. :)
http://www.thewindowsclub.com/windows-recycle-bin-tricks-tips

Vince
2014-12-10, 21:38
Again, feeling very foolish.... I realised that the reason for the over activity was because of the 280,000+ files I had previously deleted from the email server were in the recycle bin.

I ended up right clicking the bin and deleting the bin contents from there. I left it with its over activity for about half an hour... all clear.

I'm guessing we're finished now, and I shall go back to Juliet.
Sincere thanks for your patience, understanding and needed support.

Vince

Zenobia
2014-12-10, 22:12
Good, glad it was only lots of files, and not that your recycle bin was corrupted.
You're very welcome. :)