wextract_cleanup0 should run once on a reboot and be gone.
wextract_cleanup0, apparently, is for cleaning up and deleting temporary
files leftover from a software installation. wextract_cleanup0 could run if
it were a good or a bad software installation. Good being something that
was wanted and bad being some sort of malware.
wextract_cleanup0 by itself is a legitimate process. Whether the software
that was installed is legit or not is a whole other question.
Wextract.exe = Win32 Cabinet Self-Extractor from Microsoft.
Wextract.exe is located in C:\WINDOWS\system32.
Cabinet files have a .cab extension. Cabinet files are Microsoft
installation archive files, that store compressed files in a file library,
usually used for installing software.
Example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: Auto Run
Value Data: wextract_cleanup0=rundll32.exe
C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32
C:\DOCUME~1\Ricky\LOCALS~1\Temp\IXP000.TMP\""
Since it's in a RunOnce key, it will ... well, run once.
RunDLL32 = rundll32.exe = Run a DLL as an App. rundll32.exe enables users
to run a .DLL file as an application, as if it were an executable (exe)
file.
A .DLL file, Dynamic Link Library, is a library that contains code and data.
advpack.dll assists with hardware and software installs by reading and
verifying .INF files.
..INF files are Information or Setup Files. They are text files that specify
the files needed for installing a specific piece of software or plug-in.
I cannot find very much on delnode.exe, except that it exists and deletes
stuff.
In the Example, on reboot, IXP000.TMP and anything down stream gets deleted.
..TMP is a Temporary File.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In