Author Topic: jjjjI.tmp- is it dangerous?  (Read 4568 times)


Brigham

  • Guest
jjjjI.tmp- is it dangerous?
« on: June 09, 2007, 06:30:33 AM »
A quick thanks to Alwil for their wonderful AV software. 

I recently encountered a bout with some trojans, and am still quite suspicious about a file that the Standard Shield app keeps scanning.  Has anyone ever encountered "jjjjI.tmp" in their system32 folder?  Avast keeps scanning this file, so something must be calling it.  However, the file does not ever exist when I search for it. 

I've run through every resource I could think of and I'm at a complete loss as to what this file is.  A Google search turned up a single site that merely referenced it, and then, in French.  I'm at my wits' end, and I got nothing on this.  Any help would be greatly appreciated.  Thanks in advance for any help.

sasin44

  • Guest
Re: jjjjI.tmp- is it dangerous?
« Reply #1 on: June 09, 2007, 10:35:33 AM »
Hi, *.tmp files are used by software as an intermediate file [temporary file]. It may act as temporary storage for data. It may be used by some running program, so avast would be scanning it. Viruses USUALLY don't use *.tmp files. If you want us to point out which process is using this file, please give us your HijackThis log:
http://www.softpedia.com/progDownload/HijackThis-Download-5034.html

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: jjjjI.tmp- is it dangerous?
« Reply #2 on: June 09, 2007, 03:01:51 PM »
I find it a little strange having a .tmp file in the system32 folder; having just done a search of my system32 folder, the only one there is config.tmp, and that is a really old file, created 4 Sept 2003, probably about the time I upgraded to WinXP Pro.

If you right click on it, is there anything in the properties that might reveal an associated program?
The file name in itself is strange; unlike you, I didn't find any hits in Google, but you could use a translation service, http://babelfish.altavista.com/.

You could try a program called WhoLockMe, http://www.dr-hoiby.com/WhoLockMe/.

Quote
WhoLockMe is a freeware Windows Explorer shell extension that will tell you what processes are locking a file. You can then attempt to stop the processes, making it possible to delete the file. This would be particularly useful in fighting persistent spyware.
http://www.dr-hoiby.com/WhoLockMe/WhoLockMe104.zip. With this installed, if you tried to rename this file (not delete), it might object, so perhaps WhoLockMe may be able to say what application is locking it.
« Last Edit: June 09, 2007, 03:05:28 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Brigham

  • Guest
Re: jjjjI.tmp- is it dangerous?
« Reply #3 on: June 09, 2007, 07:46:19 PM »
Thanks to both for the quick replies.  I can't check the properties on the .tmp file, because it isn't present in the sys32 directory whenever I search it.  It would seem to be a dump-and-delete file for something. 

Also, the standard shield "scanned count" jumps by "2" every nine to ten seconds (when there is 'no' activity), but the "last scanned:" file is always jjjjI.tmp.

-------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:42:01 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/history/
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
----------------------------
« Last Edit: June 09, 2007, 08:27:45 PM by Brigham »

Offline DavidR

Re: jjjjI.tmp- is it dangerous?
« Reply #4 on: June 09, 2007, 09:19:22 PM »
Sorry, I don't see anything obvious in the log, though you appear to have remnants of Symantec.

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/symwsc/

You should check these two entries; Google search on the {ActiveX object id}:
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

Also:
Quote
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

Perhaps you didn't replace the Symantec Security Center firewall when you uninstalled it?
Or, as has been said, you are using the Windows firewall?

Try renaming the file jjjjI.tmp to jjjjIOLD.tmp; that should mean what is modifying it won't find it and possibly pop up an alert that might suggest what is modifying it.
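The log checks discussed in the reply above (O16 DPF entries with no source, "(file missing)" entries, a leftover service), sketched as an added example that is not part of any poster's message. It assumes the HijackThis v1.99.1 text layout shown in the posted log; `triage` is a hypothetical helper name and the sample is a few lines copied from that log.

```python
import re

# Constructed sample: a few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O23 - Service: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def triage(log_text):
    """Return (reason, line) pairs for entries that need a manual look."""
    running, entries, in_procs = set(), [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif ENTRY.match(line):
            entries.append(line)
    findings = []
    for line in entries:
        code, body = ENTRY.match(line).groups()
        clsid = CLSID.search(body)
        if "(file missing)" in body:
            findings.append(("file missing", line))
        elif code == "O16" and clsid and body.endswith("-"):
            # DPF entry with no name or download URL: look the CLSID up by hand
            findings.append(("DPF without source: " + clsid.group(0), line))
        elif code == "O23":
            path = body.rsplit(" - ", 1)[-1].strip('"').lower()
            if path not in running:
                # Only a hint: on-demand services are legitimately not running
                findings.append(("service binary not running", line))
    return findings
```
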

Spiritsongs

  • Guest
Sun Java, Flashget & Spybot
« Reply #5 on: June 09, 2007, 09:52:40 PM »
:) Hi Brigham:

Your HijackThis log indicates you have a very outdated Sun Java, a serious security risk (you MAY have a "virtumonde" "infection"!?); you should immediately uninstall it. The latest version is available at www.java.com.

Your log also indicates you have "Flashget"; this is considered Adware by www.spywareguide.com/spydet_1176_flashget.html. There are safer alternatives.

Spybot is no longer considered a top antispyware program per antispyware Expert Eric Howes & the info he provides at www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy; his "Trustworthy" List includes the "Trial" (after 30 days can become the Free) version of AVG Antispyware, most easily downloaded from www.ewido.net, and the FREE ver of SUPERAntiSpyware from www.superantispyware.com. These 2 seem to be the top choices of many malware-fighting Experts.

Brigham

  • Guest
Re: jjjjI.tmp- is it dangerous?
« Reply #6 on: June 09, 2007, 10:13:51 PM »
Thanks all.  It's really appreciated.

Offline DavidR

Re: jjjjI.tmp- is it dangerous?
« Reply #7 on: June 09, 2007, 11:39:29 PM »
No problem, let us know how you get on.

Welcome to the forums.