Ping - Dave Patrick


David H. Lipman

Dave:

Trying to help a user with numerous files such as:
%windirr%\fffd3921_{EE4BEF57-44C4-43C7-8F9C-286B60EBE60E}.tmp

Through a series of posts and replies, Find Fast was removed from the equation and so was
MDM.EXE

The Winternals.Com utility Filemon was suggested and the user downloaded and executed it. The
following was his log and reply.

Have you any ideas?

Thanx
Dave L.
~ ~ ~

Thanks for the info. I downloaded the Filemon, I found out that the process
writing these fff*.tmp files is the dllhost. I don't know what this does,
but can I get rid of it safely? I've heard some documentation that the
Welchia virus can infect the dllhost, is this true? If so, how do I clean
it? I hope you can read the bottom entry, I copied it from the Filemon log.
It shows that dllhost.exe was opened at 1:33 PM and opened the FFF354AD*.tmp
files. I checked my Windows directory as soon as I saw these entries and
indeed, these files were now in the C:\Windows directory.

1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS OPENEXISTING READONLY DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{C7761974-1B72-4E2C-B873-80883C41F965}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Delete C:\WINDOWS\FFF354AD_{C7761974-1B72-4E2C-B873-80883C41F965}.TMP SUCCESS
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{D364BF6E-9083-4EF6-8405-3EF17202B58B}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Delete C:\WINDOWS\FFF354AD_{D364BF6E-9083-4EF6-8405-3EF17202B58B}.TMP SUCCESS
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{7DC2EF3B-1AAC-4774-8C4E-AA56141F774E}.TMP SUCCESS CREATENEW READWRITE DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{7DC2EF3B-1AAC-4774-8C4E-AA56141F774E}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{DEB7634E-BCD5-461F-8421-309484CD3947}.TMP SUCCESS CREATENEW READWRITE DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{DEB7634E-BCD5-461F-8421-309484CD3947}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\SYSTEM\OLEPRO32.DLL SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\SYSTEM\OLEPRO32.DLL SUCCESS OPENEXISTING READONLY DENYWRITE
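The attribution the user did by eye can be done from the Filemon text directly. The following is an added example, not code from the thread or from Winternals: a small Python parser for Filemon's one-record-per-line format that groups file operations by process, reports which process creates and deletes the fffxxxxx_{GUID}.tmp files, notes that the file-name prefix equals the Filemon process id (visible in the posted log, where FFF354AD is both), and applies the location test Dave Patrick uses in his reply, namely which directory the process image was opened from. The sample lines are rejoined copies of the posted log; the expected-directory value passed to the check is an assumption for the demonstration.

```python
"""Summarise a Winternals Filemon log: who touches which files, and how.

Added example for this thread; not part of Filemon or of any post in it.
"""
import re
from collections import Counter, defaultdict

# Filemon record layout: time, process:id, operation, path, result, optional flags.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>[^\s:]+):(?P<pid>[0-9A-Fa-f]+)\s+"
    r"(?P<op>\w+)\s+"
    r"(?P<path>\S+)\s+"
    r"(?P<result>\S+)"
    r"(?:\s+(?P<flags>.+))?$"
)

# The temp-file naming seen in the thread: <hex prefix>_{GUID}.tmp
TMP_RE = re.compile(r"^(?P<prefix>[0-9A-F]+)_\{[0-9A-F-]+\}\.TMP$", re.IGNORECASE)

# Constructed sample: the posted log with wrapped lines rejoined (subset of entries).
SAMPLE_LOG = r"""
1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS OPENEXISTING READONLY DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{C7761974-1B72-4E2C-B873-80883C41F965}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Delete C:\WINDOWS\FFF354AD_{C7761974-1B72-4E2C-B873-80883C41F965}.TMP SUCCESS
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{7DC2EF3B-1AAC-4774-8C4E-AA56141F774E}.TMP SUCCESS CREATENEW READWRITE DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{7DC2EF3B-1AAC-4774-8C4E-AA56141F774E}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\SYSTEM\OLEPRO32.DLL SUCCESS OPENEXISTING READONLY DENYNONE
"""


def parse_filemon(text):
    """Parse Filemon text into dicts; lines in another layout are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = (rec["flags"] or "").split()
        records.append(rec)
    return records


def classify(rec):
    """Map a record to create / delete / read / open / other from op and flags."""
    op = rec["op"].upper()
    if op == "DELETE":
        return "delete"
    if op == "OPEN":
        if "CREATENEW" in rec["flags"]:
            return "create"
        return "read" if "READONLY" in rec["flags"] else "open"
    return "other"


def activity_by_process(records):
    """Per process name, how many creates/deletes/reads it performed."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["proc"]][classify(rec)] += 1
    return {proc: dict(c) for proc, c in summary.items()}


def tmp_file_owners(records):
    """For each <prefix>_{GUID}.tmp file that was created or deleted, the responsible
    process and whether the file-name prefix equals that process's Filemon id."""
    owners = {}
    for rec in records:
        name = rec["path"].rsplit("\\", 1)[-1]
        m = TMP_RE.match(name)
        kind = classify(rec)
        if not m or kind not in ("create", "delete"):
            continue
        owners[name] = {
            "proc": rec["proc"], "pid": rec["pid"], "action": kind,
            "prefix_is_pid": m.group("prefix").upper() == rec["pid"].upper(),
        }
    return owners


def image_dir(records, exe_name):
    """Directory the named executable was opened from (the loader's ???:id entries
    come first in the log), or None if it was never opened."""
    for rec in records:
        if rec["path"].upper().endswith("\\" + exe_name.upper()):
            return rec["path"].rsplit("\\", 1)[0].upper()
    return None


def image_in_expected_dir(records, exe_name, expected_dir):
    """Dave Patrick's test: was the image loaded from where the OS keeps it?
    expected_dir is supplied by the caller (an assumption, not read from the log)."""
    found = image_dir(records, exe_name)
    return found is not None and found == expected_dir.upper()


if __name__ == "__main__":
    recs = parse_filemon(SAMPLE_LOG)
    print(activity_by_process(recs))
    for name, info in tmp_file_owners(recs).items():
        print(name, info)
    print("dllhost from system dir:",
          image_in_expected_dir(recs, "DLLHOST.EXE", r"C:\WINDOWS\SYSTEM"))
```

Run against a full Filemon capture, activity_by_process shows at a glance which process is doing the create/delete churn, and tmp_file_owners ties each temp file to the process id embedded in its name, which is a stronger link than the timestamp the user relied on.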

Dave Patrick

Dave,
Since the running process dllhost.exe is located in
C:\WINDOWS\SYSTEM
then it must not be W32.Welchia.Worm
(also appears OS must be Windows 9x)

It may be a legit process that has gone berserk. I believe Dllhost.exe is
used to host out-of-process COM+ applications. The op may need to stop all
applications that run at startup/logon and see if it continues. If not, start
the process of elimination.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]
http://www.microsoft.com/protect.


Dave Patrick

Another thought is that the %temp% and/or %tmp% variable assignments may be
incorrect and/or missing.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]
http://www.microsoft.com/protect.

David H. Lipman

Thanx...

I'll pass on your thoughts with the reference...
"Dave Patrick Microsoft MVP [Windows NT/2000 Operating Systems] "

Dave L.

John John

I've read the thread and I know that you know your stuff, but it still
suspiciously sounds like Machine Debug Manager. This thing can be
persistent, make sure that the user has properly disabled it. Make sure
that Script Debugging in IE is disabled and, for good measure, rename
mdm.exe to mdm.old, just to make sure. Also, if the user uses the
Office CD to add a new component or repair Office, mdm.exe will
magically reappear! How convenient...

John