David H. Lipman
Dave:
Trying to help a user with numerous files such as:
%windir%\fffd3921_{EE4BEF57-44C4-43C7-8F9C-286B60EBE60E}.tmp
Through a series of posts and replies, Find Fast was removed from the equation and so was
MDM.EXE.
The Winternals.Com utility Filemon was suggested and the user downloaded and executed it. The
following was his log and reply.
Have you any ideas?
Thanx
Dave L.
~ ~ ~
Thanks for the info. I downloaded the Filemon, I found out that the process
writing these fff*.tmp files is the dllhost. I don't know what this does,
but can I get rid of it safely? I've heard some documentation that the
Welchia virus can infect the dllhost, is this true? If so, how do I clean
it? I hope you can read the bottom entry, I copied it from the Filemon log.
It shows that dllhost.exe was opened at 1:33 PM and opened the FFF354AD*.tmp
files. I checked my windows directory as soon as I saw these entries and
indeed, these files were now in the C:\Windows directory.
1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS OPENEXISTING READONLY DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{C7761974-1B72-4E2C-B873-80883C41F965}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Delete C:\WINDOWS\FFF354AD_{C7761974-1B72-4E2C-B873-80883C41F965}.TMP SUCCESS
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{D364BF6E-9083-4EF6-8405-3EF17202B58B}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Delete C:\WINDOWS\FFF354AD_{D364BF6E-9083-4EF6-8405-3EF17202B58B}.TMP SUCCESS
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{7DC2EF3B-1AAC-4774-8C4E-AA56141F774E}.TMP SUCCESS CREATENEW READWRITE DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{7DC2EF3B-1AAC-4774-8C4E-AA56141F774E}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{DEB7634E-BCD5-461F-8421-309484CD3947}.TMP SUCCESS CREATENEW READWRITE DENYWRITE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\FFF354AD_{DEB7634E-BCD5-461F-8421-309484CD3947}.TMP SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\SYSTEM\OLEPRO32.DLL SUCCESS OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open C:\WINDOWS\SYSTEM\OLEPRO32.DLL SUCCESS OPENEXISTING READONLY DENYWRITE
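
Added example, not part of the original post and not Filemon's own code: a Python script that rejoins mail-wrapped Filemon entries like the ones quoted above and reports, per process, which XXXXXXXX_{GUID}.TMP files were created, deleted and left behind. The sample log and its GUIDs are constructed, and the field layout (time, process:id, request, path, result, other) is an assumption taken from the entries in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped layout of the pasted log (GUIDs are made up).
SAMPLE = r"""1:33:20 PM ???:FFF354AD Open C:\WINDOWS\SYSTEM\DLLHOST.EXE SUCCESS
OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Open
C:\WINDOWS\FFF354AD_{AAAAAAAA-0000-0000-0000-000000000001}.TMP SUCCESS
OPENEXISTING READONLY DENYNONE
1:33:20 PM Dllhost:FFF354AD Delete
C:\WINDOWS\FFF354AD_{AAAAAAAA-0000-0000-0000-000000000001}.TMP SUCCESS
1:33:20 PM Dllhost:FFF354AD Open
C:\WINDOWS\FFF354AD_{AAAAAAAA-0000-0000-0000-000000000002}.TMP SUCCESS
CREATENEW READWRITE DENYWRITE
"""

ENTRY_START = re.compile(r"^\d{1,2}:\d{2}:\d{2} [AP]M ")
# Assumed layout; paths containing spaces are not handled.
ENTRY = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<proc>[^:\s]+):(?P<id>\w+) "
    r"(?P<req>\w+) (?P<path>\S+) (?P<result>\w+)(?: (?P<other>.*))?$")
TMP = re.compile(r"\\[0-9A-F]{8}_\{[0-9A-F-]{36}\}\.TMP$", re.I)

def rejoin(text):
    """Merge wrapped continuation lines back into one entry per line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)          # a timestamp starts a new entry
        else:
            entries[-1] += " " + line     # anything else continues the last one
    return entries

def temp_file_activity(text):
    """Per process: temp files created (CREATENEW), deleted, and left behind."""
    summary = defaultdict(lambda: {"created": set(), "deleted": set()})
    for entry in rejoin(text):
        m = ENTRY.match(entry)
        if not m or m["result"] != "SUCCESS" or not TMP.search(m["path"]):
            continue
        path = m["path"].upper()
        if m["req"] == "Open" and "CREATENEW" in (m["other"] or ""):
            summary[m["proc"]]["created"].add(path)
        elif m["req"] == "Delete":
            summary[m["proc"]]["deleted"].add(path)
    return {p: {**s, "left_behind": s["created"] - s["deleted"]}
            for p, s in summary.items()}
```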