Temp files accessing the Internet?

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

MatthewHSE

Thread Starter
Joined
Jan 9, 2007
Messages
32
I bought Nod32 yesterday and was startled at something I found in a list in the program settings. Nod32 users can see the list in question by opening Nod32, going to IMON, clicking Setup, then the HTTP tab, then the Client Compatibility button.

This is apparently a list of files on my computer that have accessed the Internet. Looking through the list, I found something that I thought was kind of suspicious:

User Agent: IS Download DLL
File: is-9HEIL.tmp

I ran deep scans this morning with fully-updated copies of Spybot S&D, AdAware, and Windows Defender. They all came back clean. I also ran RootkitRevealer, which also detected nothing unusual.

Now for the part that either makes me feel a lot better or a lot worse....

This morning, the first thing I did when I turned on my computer was check Nod32 to see if that is-9HEIL.tmp file was still in that list. It was. After checking the list, I ran the scans mentioned above, updating each of the applications first.

After running the scans, I checked the list in Nod32 again. To my surprise, I found is-9HEIL.tmp still listed, but right below it was another similar file:

User Agent: IS Download DLL
File: is-JCD3A.tmp

I couldn't find this file on my computer, but I did find a prefetch file for it (which I have saved and can probably send to someone if they're interested in seeing it).

I immediately ran HijackThis, but the log looks pretty normal to me. (Pasted it below.)

So I guess my question boils down to a pretty simple one. Is there any legitimate reason for temp files to be created, access the Internet, and be deleted? If so, I can probably count on my computer being okay. If not, I may need to keep checking.

(FWIW, I consider myself a fairly small attack target. I'm behind a NAT router, all ports stealth, no port forwarding or DMZ. I use Firefox and only visit reputable websites. I'm not a downloader and I try to keep my computer clean. No filesharing goes on here, no dodgy websites, etc. So I would think my risk is pretty low.)

Anyway, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:30 AM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Adobe\PhotoShop Elements\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Nod32\nod32krn.exe
D:\Adobe\PhotoShop Elements\PhotoshopElementsDeviceConnect.exe
D:\UPHClean\uphclean.exe
d:\WebDrive\wdservice.exe
C:\WINDOWS\Explorer.EXE
D:\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Nod32\nod32kui.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
D:\WebDrive\webdrive.exe
C:\WINDOWS\system32\RunDLL32.exe
D:\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
D:\Adobe\Acrobat\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
D:\EditPadPro6\EditPadPro.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
D:\RB_Tray\rbtray.exe
C:\WINDOWS\system32\svchost.exe
D:\Browsers\Firefox\2_0\firefox.exe
D:\Microsoft Office\Office10\OUTLOOK.EXE
D:\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\adobe\Acrobat\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "D:\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WebDriveTray] d:\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Creative Detector] "D:\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - Startup: EditPad Pro.lnk = D:\EditPadPro6\EditPadPro.exe
O4 - Startup: Shortcut to rbtray.lnk = D:\RB_Tray\rbtray.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165542499981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165585692453
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55F174B6-A22E-42E4-92DA-CC3B32E98A9B}: NameServer = 64.40.75.20,64.40.72.25
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - D:\Adobe\PhotoShop Elements\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Nod32\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - D:\Adobe\PhotoShop Elements\PhotoshopElementsDeviceConnect.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - d:\WebDrive\wdservice.exe
 
Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top