Persistent problem continued.... :(

Vince

Hello to the moderators of this area :)

I was recently under the guidance of Juliet, and was advised to post in here linking back to the other thread...
http://forums.spybot.info/showthread.php?71569-Persistant-problem-(

I'm sure you will see in there what problems I have been having, but the basics of it are:

I'm a regular gamer and administrator. I recently noticed regular packets being dropped and suspected something was wrong.

I was infected with a Trojan.... the day I found it was the day my PayPal was robbed.

I scan in safe mode and I use Spybot and Malwarebytes.
Spybot found a load of tracking cookies, but nothing other than that. I scanned after with Malwarebytes and found the Trojan.

Since then the lag in game has stayed and I have noticed a large amount of temp files always being created and not being able to delete some of them.

After about 10 days of not being able to shift the lag I reported a problem on these forums. Juliet identified evilhook on my PC, but this was a tool that was temporarily used in the administration of the Call of Duty servers that I administer (it has an inbuilt cheat detector). But it never worked with my PC after I installed w7. I tried over 6 months ago, but it never visibly did anything.
Malware or not, evilhook was removed by Juliet and... yes... the lag in game has gone :)

My concern now is the amount of temp files that are created when getting to the desktop... and a frustration with my IE11 tabs... I cannot drag a tab to a new window anymore :(

Anyway.. have a read and let me know what you think.

All the best

Vince
 
I cannot drag a tab to a new window anymore :(
What happens if you press Ctrl + N? If you have a tab open, that should open a new window with the contents in the tab in the new window, from the looks of things when I tried it in IE. :)

Your temp files should be located at C:\Windows\Temp and C:\Users\(your user name)\AppData\Local\Temp. If you go to those locations, do any of the large amounts of temp files indicate to you where they might be coming from in their names?
 
Hello Zenobia :)

I tried the Ctrl + n, and yes, it opens a new window with the same URL.

I looked in the locations you said. I was able to locate about 150 files. I have attached some screen shots of those two folders.

wTemp.jpg lTemp.jpg lTemp1.jpg

I have no idea what the MEI folders are about or the {2C1334AC-28AF-4CBA-867C-F4B2741A9BD4}; to be honest, there are a few files there I have no idea about :(
 
Hi. :)

The _MEI files may be from Google Drive:
https://productforums.google.com/forum/#!topic/drive/pjPc-4hYrtA

I have the temp folders with the numbers in curly brackets, too. I'm not sure what they are either, but they should be okay. They might possibly be related to something with Windows Update, though that isn't for certain.

I searched a couple more of the files I saw in your C:\Users\(user name)\AppData\Local\Temp folder.
This should be what the fla.*tmp files are:
https://forums.adobe.com/thread/190160?tstart=0

This should explain the cvrafe.tmp.cvr file:
http://www.file-extensions.org/cvr-file-extension

This may explain the .od file extension in your temp folder:
http://answers.microsoft.com/en-us/...xtension/5f50d147-e477-4b5f-b726-13901cf103a1

FXSAPIDebugLogFile.txt should have something to do with fax or a printer (I have that one, too; it appears to be legit).

The ones I haven't been able to find anything about, as to what might create them, are these sets of files in your temp folder:
The browserview*****.tmp files, ~DF*************.TMP files and the INS_**********.TMP files. That doesn't mean they're necessarily from something bad, though.

What you could try for some of the unidentified ones is to delete the contents of your C:\Users\(user name)\AppData\Local\Temp folder. If the files are in use, then you should get a message that the file couldn't be deleted because it's open in some program, etc., and that might help identify what is generating them, since if large amounts of temp files are being generated quickly it's likely they will be in use.
If you'd like to try that, go to C:\Users\(user name)\AppData\Local\Temp, click Edit, then Select All, then right-click and select Delete. Make a note of which files/folders will not delete, and which location or program Windows says it is open in, then press Skip. For groups of similar files that will not delete, there's no need to note where it is open for each one. For example, if the INS_*<randomnumber>*.TMP files are in use, note where they are in use at, then you can zone out a bit, then pay attention when it gets to the ~DF*************.TMP files, and note where it says they are in use. Hope that makes sense, it's difficult to explain. :)

For you not being able to drag a tab to a new window, I think that might possibly be related to Permissions, but I haven't completely found that yet, so I'll look further for that later on.
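An added example, not part of the original posts: a small Python inventory that groups the contents of a temp folder by the file-name families named in this thread and reports how many entries, files and bytes each family accounts for, which shows at a glance which family is growing. The glob patterns are derived from the names quoted above; the sample folder and its file names are constructed for the demonstration.

```python
import fnmatch
import os
import tempfile
from collections import defaultdict

# File-name families named in this thread (matched case-insensitively).
FAMILIES = ["_MEI*", "~DF*.TMP", "INS_*.TMP", "browserview*.tmp", "fla*.tmp"]

def classify(name):
    """Return the first family pattern that matches the name, else 'other'."""
    for pattern in FAMILIES:
        if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            return pattern
    return "other"

def inventory(temp_dir):
    """Map family -> entries (top-level items), files, bytes, newest mtime."""
    stats = defaultdict(lambda: {"entries": 0, "files": 0, "bytes": 0, "newest": 0.0})
    with os.scandir(temp_dir) as it:
        for entry in it:
            fam = stats[classify(entry.name)]
            fam["entries"] += 1
            if entry.is_dir(follow_symlinks=False):
                # Count everything inside a top-level folder such as _MEI12345.
                paths = [os.path.join(r, f) for r, _, fs in os.walk(entry.path) for f in fs]
            else:
                paths = [entry.path]
            for path in paths:
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # removed or inaccessible between listing and stat
                fam["files"] += 1
                fam["bytes"] += st.st_size
                fam["newest"] = max(fam["newest"], st.st_mtime)
    return dict(stats)

def build_sample(root):
    """Constructed sample data: two _MEI folders plus a few loose temp files."""
    for folder in ("_MEI12345", "_MEI67890"):
        os.mkdir(os.path.join(root, folder))
        for i in range(3):
            with open(os.path.join(root, folder, f"file{i}.bin"), "wb") as fh:
                fh.write(b"x" * 10)
    for name in ("~DF1A2B.TMP", "~df3c4d.tmp", "INS_0001.TMP", "FXSAPIDebugLogFile.txt"):
        open(os.path.join(root, name), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # pass the real Temp path to audit it
        build_sample(root)
        for fam, s in sorted(inventory(root).items(), key=lambda kv: -kv[1]["files"]):
            print(f"{fam:18} entries={s['entries']:3} files={s['files']:4} bytes={s['bytes']}")
```

Running `inventory()` a few minutes apart and comparing the `files` and `newest` values per family shows which generator is still active.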
 
Thanks for the directions :)

I deleted all in the temp folder, and identified programs as you said.

I stopped the application from running and then removed the files.

I'm now left with

lTemp2.jpg

I'll try in safe mode and see what remains and post back
 
I got to safe mode and these were the files there
lTemp3.png

I deleted all of them but was left with
FXSAPIDebugLogFile.txt (in use by another program)

On reboot back to normal mode these were back
lTemp4.jpg

Guess I must be over paranoid?
 
I think I may have found the problem...

You may have noticed the xampp running... I have a webserver and mail server running on this machine... I'm in the process of setting up a new business and wanted to get some experience with servers.

I think my server has been hijacked?.... a relay? idk :sad:

relay.jpg
 
Guess I must be over paranoid?
Nope, if I were to have a large amount of temp files in use, and also being generated quickly, I would want to investigate where they were coming from and where they were in use. If they start being generated again in large numbers, please mention them here, and if you aren't sure about the program that is generating them, you can mention that too, if you wish, and I'll try my best to look for whatever I can. :)

Please bear with me as I'm not familiar with Mercury/32. It will take me a bit to learn, and frankly, I may not exactly know what the heck I'm talking about as of yet, but I am getting the general gist, I think. :)
I see from your screenshot that you have quite a few 'processing failed deliveries and generating notification' jobs all roughly around the same time. Is there any further info there if you expand the screen, or is there a logfile available for that anywhere?
Since you mentioned Relay, is the problem that Mercury/32 seems to be acting as an open relay?
I see the wiki page mentions Relaying Controls:
http://en.wikipedia.org/wiki/Mercury_Mail_Transport_System#Features
Do you have those set?
 
Thanks again for being supportive, I am feeling very stupid at the moment... 1, for somehow getting infected with a Trojan and 2, for yes, having my email server set up as a relay :(

I have changed the settings in Mercury and it is no longer acting as a relay...... there were over 280,000 queued emails and the end to end window (top left) was non stop just like the core processes (bottom right)

I had to delete the queued items; all I'm getting now are the attempts from the outside asking me to pass mail on (rejected).
merc.jpg

I had not mentioned it, but certain websites have not let me in until I prove I'm not a bot (captcha etc).
I'm guessing my IP has now been blacklisted somewhere as a spammer? Mail is not being delivered by my server now... I'll restart again and see what comes up.

Thanks again

Vince
 
You're welcome. No need to feel stupid, many people get infected (including myself in the past), and it takes a bit to learn how to run anything, including an email server. :)

This is the forum for Mercury Mail Transport System:
http://community.pmail.com/forums/default.aspx?GroupID=7
The Mercury Community Support looks to be pretty helpful.

About not being able to drag tabs to a new window: are you still able to drag tabs back and forth across Internet Explorer?
 
Yes I've lots to learn ;)

Regarding the tabs... I can move the tabs horizontally within the open window or I change the order of the tabs, but I cannot drag outside the window.

Regarding the temp files.... still creating them :(
 
Click Start, type gpedit.msc in the Start Search box, and then press Enter.
Go to User Configuration, Administrator Templates, Windows Components, Internet Explorer, and then Set tab process growth. Is that set to anything? Like Low, Medium, High, or Default? :)

What programs did you need to shut down in order to delete the temp files that were in use when you did it before?
 
I ran that, but everything looks like it's not been configured?

not configured.jpg

Not sure which applications were closed
 
I ran that, but everything looks like it's not been configured?
Nope, doesn't look like it. Ok, good. :)
Are you familiar with regedit?

Do you know roughly how many temp files were generated again? Are a large amount of them the same type of file? I.e. are a lot of them the ~DF*************.TMP files, or the INS_**********.TMP files?
 
I have used regedit before :)

There are a number of ~DF******** files but they go with applications like IE and the Brother P-touch software I use.

I just had a look again and I think I have worked it out.... and again can only apologise for the time you have invested in me....

In safe mode I'm able to get down to

one.png

This empty file is the one that cannot be deleted. The other 300+ that are being created are in the _MEI***** folder...

prop.jpg

As I have two MEI folders I currently have 600+ temp files
tempfiles.jpg
 
According to this link, the _MEI****** folder being left behind is a bug in Google Drive:
https://productforums.google.com/forum/#!topic/drive/pjPc-4hYrtA
The good news is there's a workaround. :)
https://productforums.google.com/d/msg/drive/pjPc-4hYrtA/LOyfZtFWFUkJ
Klint said:
If you exit Google Drive by right-clicking the Google Drive icon in your Windows 7 notification area, and selecting Exit, then Google Drive shuts down properly and correctly deletes the _MEIxxx folder. Unfortunately, it leaves the folder behind if you leave Google Drive running when you log out or shut down. So, yes, it is a bug in Google Drive. It ought to terminate properly when the user logs out.

According to this link, FXSAPIDebugLogFile.txt is related to the Windows Fax and Scan service:
http://matt-3dsmax.blogspot.ca/2013/09/delete-fxsapidebuglogfiletxt-is-related.html
Mine is empty too, so I guess that's normal.

I just had a look again and I think I have worked it out.... and again can only apologise for the time you have invested in me....
That's no problem at all, no need to apologize. :)

I just want to check one or two things in the registry, but I'll ask you to back up the registry now; it saves having to do it later if any changes are needed:
http://pcsupport.about.com/od/windows7/ht/backup-registry-windows-7.htm
Once the registry is backed up, could you go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, then scroll down and click on Main, and in the pane to the right, let me know if you see TabProcGrowth there. If it is there, let me know what it says under Data.
Next, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer, then scroll down and click on Main. In the pane to the right, locate TabProcGrowth, and let me know what it says under Data.
 
Yes, it was totally related to Google Drive... I have ticked the option to not start when the computer starts and then exited Google Drive. I'm able to delete the files.

There was no value in the registry key.
tabProc.jpg
 
Good, that should cut down on the temp files from Google Drive. :)

Bingo! (Well, hopefully.) :D
Please go to Start, type Regedit, and say yes to the prompt from UAC.
Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, then double-click TabProcGrowth. Under Value Data, change it to 1, then click OK, then exit the registry.
Then open Internet Explorer, then open a tab, then try to drag it to a new window.
 
You're welcome. :)

When you return to Juliet, would you please mention what was happening with Mercury/32? It was probably happening because the relay controls weren't set, but Juliet ought to know about it, just in case. Thanks. :)
 