access denied to temp file rOV70.exe

  1. #1
    Join Date
    Jul 2004
    Posts
    7

    Angry access denied to temp file rOV70.exe

    I have a question and I am new to the forum, so I apologize if I'm not doing this right...

    I have been reading up and getting rid of as much spyware, adware, and malware as possible on my computer...the pop-ups had become unbearable...I installed and ran adaware yesterday (free version), have been running spybot s&d for about 6 months, as well as NAV, McAfee firewall (free version-installed yesterday), and I believe that my Windows XP firewall is enabled as well. My issue now (since the pop-ups have decreased dramatically and I am very satisfied with that) is that I keep getting a message (either from McAfee firewall or from windows) advising me that a program is asking for access to the internet. The windows warning asks me to select a method of connecting...and I just keep hitting cancel because I haven't asked anything to access the internet, but I don't think that's solving the problem. The two connection options it offers are AOL and pa_peterpaulentrada (which I have no idea what it is, I keep deleting it from Temp and it comes back). The message from McAfee tells me that a specific program is requesting access to the internet and offers me the option of blocking or granting access. I have been writing down the names and going in to delete them (when appropriate) but this one file rOV70.exe will not allow me to delete it from C:\Documents & settings\owner\local settings\Temp...it says "Cannot delete rOV70: access is denied. Make sure the disk is not full or write protected and that the file is not currently in use" I have tried to enter "safe mode" to try deleting it (I have read that this sometimes works) but can't get my computer to enter safe mode at reboot (any advice on this would be appreciated too)...anyways, it is really making me mad that I am being denied access to my own computer! Even though I know this has got to be some technical issue, it feels like a personal insult :-)

    Here is my HJT log...


    Logfile of HijackThis v1.97.7
    Scan saved at 2:30:32 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\eetjanxq.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\rOV70.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\wnsintcc.exe
    C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\bdcz1k.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\Mp***ent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\HJT\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [vutaezchetmx] C:\WINDOWS\System32\eetjanxq.exe
    O4 - HKLM\..\Run: [rOV70] C:\Documents and Settings\Owner\Local Settings\Temp\rOV70.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [bdcz1k] C:\WINDOWS\System32\bdcz1k.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
    O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    The particular file I am concerned about is rOV70.exe and its related files...although there are probably others in there that I haven't found out about yet...things keep trying to access all kinds of websites that I recognize as spyware addresses (clickspring, doubleclick, etc.) and that pa-peterpaulentrada thing bugs me too...

    Any advice anyone can offer about how to fix these issues...or even to tell me that it's not a big deal, would be appreciated. Also if anyone sees anything else in there that I can fix I'd appreciate it. Oh, and I am also having an issue with things being deleted from prefetch and then showing up again after next reboot (things that should have been deleted because they were spyware, malware, etc.)

    I also have run a trojan scan that came back clean, as well as a NAV complete system scan that was clean.

    Thanks in advance, sorry to be so long winded, just don't know how much info you need from me :-)

    Oh, I have a cable modem connection, run IE and sometimes AOL, and I spend a lot of time online (or connected anyways) because I am doing online schooling. Our computer is 2.66 GHz, 512 MB memory, 120 MB hard drive (I think these are the right numbers :-)

  2. #2
    Join Date
    Feb 2000
    Location
    26.03N 80.14W
    Posts
    9,410
    Welcome to VirtualDr.

    To get into Safe Mode, power down your PC, (the proper way of course). Wait a few seconds and power it back up. Now start tapping the [F8] key, like once a second or so. When Windows starts loading and recognizes your [F8] keystroke it will give you the option (on a text-based menu) to enter Safe Mode. (Use the arrow keys on your keyboard to move up and down and then [Enter] to make a selection).
    Vernon Frazee, Microsoft MVP (Windows - Shell/User)

    Defenses Up!
    Tip: When prompted for a password, give an incorrect one first. A phishing site will accept it; a legitimate one won't.


    Inside Spyware: A Guide to Finding, Removing and Preventing Online Pests


    If you don't keep up with security fixes, your computer|network won't be yours for long.

  3. #3
    Join Date
    Jul 2004
    Posts
    7
    Thank you I'll try that...maybe I'll be able to delete the file from safe mode...one can always hope :-) I'll let you know how it goes.

  4. #4
    Join Date
    Jul 2004
    Posts
    7
    That worked (entering safe mode allowed me to delete all rov70 files). Thank you for the help with that issue :-)

    But I am still getting a message from windows saying that a program is asking to access the internet, and offering me two choices for connection (AOL and pa_peterpaulentrada)...it says it wants to access www.clickspring.net (or .com I can't remember) which I know is a pop-up site because I am forever deleting it in spybot. Any ideas on which program might be trying this and how I can stop it or delete it? Thanks!

  5. #5
    Join Date
    Feb 2000
    Location
    26.03N 80.14W
    Posts
    9,410
    You're Welcome.

    As far as that clickspring, try this: Press [Ctrl-Alt-Del] to load the Task Manager. If you see "winservs", highlight it and select End Task, (and repeat until it's gone). Then load Windows Explorer, browse to Start\Programs\Startup and delete "winservs.exe". Reboot, see if that solved the problem and let us know ...
    Vernon Frazee, Microsoft MVP (Windows - Shell/User)


  6. #6
    Join Date
    Jul 2004
    Posts
    7

    Question

    I don't find winservs anywhere in my computer (tried searching (in hidden files too)) Could this be a hard file to find? Any other suggestions?

    In the past hour or so I've also received messages advising that a program is trying to contact crl.verisign.com and sa.windows.com...these seem like they might be legitimate functions trying to access, but I wasn't sure so I hit cancel rather than choose connect method. I don't know that this is actually preventing them from accessing the internet, but it seems to work.

    Thanks :-)

  7. #7
    Join Date
    Feb 2000
    Location
    26.03N 80.14W
    Posts
    9,410
    spyhater> Any other suggestions? [i.e., clickspring]

    Other related file names are: iebs.exe, lsem.exe, purityscan.exe, rs.exe, sear1.exe, winservs.exe, winservn.exe, wnsinttr.exe, wnsintsu.exe, wnsintsv.exe, wnsintcc.exe, wintsu.exe, wintit.exe, wnsapiit.exe, wnsapisv.exe, wnsapicc.exe, wnsapisu.exe, wnsapitr.exe, wintcc.exe, winttr.exe and wnsapicc.exe

    Try this:
    1. Click Start|Run, type in regedit and press [Enter].
    2. Browse to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    3. In the right pane, look for values "WNST", "WCPS" and "WNSC". If there, jot down the files they point to and then delete the values.
    4. Exit the Registry Editor and then Reboot.
    5. Load Windows Explorer [Winkey-E] and delete the files you jotted down.
    If that doesn't work, you might try PuritySCAN's uninstaller. http://www.purityscan.com/uninstall.html

    spyhater> In the past hour or so I've also received messages advising that a program is trying to contact crl.verisign.com ...

    In Internet Explorer, click Tools | Internet Options | Advanced tab and scroll down to the Security section. Uncheck both of the following:
    • Check for publisher's certificate revocation
    • Check for server certificate revocation (requires restart)
    Click Apply | OK (and let it reboot if necessary).

    Got my fingers crossed ...
    Vernon Frazee, Microsoft MVP (Windows - Shell/User)


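The Run-key check described in post #7, applied to HijackThis `O4` lines like those in the log in post #1, as an added example that is not part of the original thread. The `SAMPLE` lines are excerpted from that log; the function names and the rule that autostart targets in user-writable directories deserve a second look are assumptions of this example.

```python
import ntpath
import re

# Value names and file names listed in post #7 of this thread.
RUN_VALUE_NAMES = {"WNST", "WCPS", "WNSC"}
RELATED_FILES = set("""
    iebs.exe lsem.exe purityscan.exe rs.exe sear1.exe winservs.exe
    winservn.exe wnsinttr.exe wnsintsu.exe wnsintsv.exe wnsintcc.exe
    wintsu.exe wintit.exe wnsapiit.exe wnsapisv.exe wnsapicc.exe
    wnsapisu.exe wnsapitr.exe wintcc.exe winttr.exe
""".split())
# Assumption of this example: these Windows XP profile directories are
# user-writable, so an autostart entry pointing into them is worth reviewing.
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")

O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def target_exe(cmd):
    """Return the executable part of a Run command line (quotes and args removed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]


def review_run_entries(log_text):
    """Return (hive, value name, executable, reasons) for Run entries to review."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not a registry Run entry (e.g. Startup folder lines)
        exe = target_exe(m["cmd"])
        reasons = []
        if m["name"].upper() in RUN_VALUE_NAMES:
            reasons.append("value name listed in post #7")
        if ntpath.basename(exe).lower() in RELATED_FILES:
            reasons.append("file name listed in post #7")
        if any(d in exe.lower() for d in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append((m["hive"], m["name"], exe, reasons))
    return findings


# Excerpt of the O4 section of the log in post #1.
SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [rOV70] C:\Documents and Settings\Owner\Local Settings\Temp\rOV70.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
"""

if __name__ == "__main__":
    for hive, name, exe, reasons in review_run_entries(SAMPLE):
        print(f"{hive} [{name}] {exe}: {'; '.join(reasons)}")
```

A flagged entry is a candidate for review, not a verdict; the script only reads a saved log and changes nothing on the machine.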
  8. #8
    Join Date
    Jul 2004
    Posts
    7
    All I see in the HKEY.....\Run file is these files:

    Default
    cftmon.exe C:\Windows\system32\cftmon.exe
    MSMSGS "C:\programfiles\messenger\msmsgs.exe"/background
    NvMediaCenter
    PopUpStopper
    PopUpWasher
    SpyKiller

    I included the files extensions for the cftmon.exe and the MSMSGS because I thought they might be problems.

    I don't see any of the other values you said to look for, so I didn't go any further. Do any of these look suspicious?

    Would you recommend still running purityscan uninstaller since I don't have a file to aim it at?

    I will fix the crl.verisign.com thing too, thanks for that info :-)

    Do the file names xircom, inetsrv, or wins mean anything (in relation to the winserv issue)? They are in my system 32 file as .exe files...just wondering because they look unusual.

    Thanks for all the help :-)

  9. #9
    Join Date
    Feb 2000
    Location
    26.03N 80.14W
    Posts
    9,410
    Vernon Frazee, Microsoft MVP (Windows - Shell/User)


  10. #10
    Join Date
    Jul 2004
    Posts
    7
    Thank you thank you thank you... :-)

    I removed PopUpStopper, it was an old program that never worked anyways, I uninstalled it but was apparently not successful in removing everything the first time.

    I also removed spykiller, don't remember downloading it, but got rid of it anyways :-)

    Do I need the Xircom.exe file...I use a cable modem, is this associated with that or could it be an unnecessary file?

    I went to delete inetsrv.exe, but it wasn't there anymore, don't know what happened to it, maybe I deleted it along with something else? Any ideas on where to look to make sure its good and gone?

    wins.exe was not in the same place either when I went back, so I guess it has been removed or it moved itself? I searched and didn't find it anymore, so I'm not sure what to do about that.

    Thanks for all your help :-)

  11. #11
    Join Date
    Jul 2004
    Posts
    7
    Also, I removed spykiller and popupstopper simply by highlighting them in regedit and deleting them....(hkey....run) Do I need to delete them somewhere else to really get rid of them? Thanks!
