Hi, I've read a previous forum here regarding the problem I'm now experiencing, and I'm hoping someone can give me some advice. I've definately got the win.tmp.exe trojan, and it seems to give itself a different .dll name for each system it infects. I've run hijackthis, and suspect my problem is in the WINBUH32.DLL, as I've not been able to find any info about this driver elsewhere. It's really annoying and slowing down my system as well as filling my win/temp directory, so any advice will be greatly apprecitated. Thanks.

try running virus scan and spyware scan in safe mode, check start up files ~winME, check msconfig, empty temp folder, empty temporary internet files, empty trash, manually move files to trash if needed, post hjt log if problem continues,

Rats - the neither my virus scanner nor spybot recognizes this trojan! I'm still getting the win*.tmp and win*.tmp.exe files spawning in my win/temp directory. Here's my hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 3:19:47 PM, on 3/26/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\STIMON.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\SYSTEM\SSDPSRV.exe C:\WINDOWS\SYSTEM\MDM.exe C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe C:\WINDOWS\SYSTEM\KB891711\KB891711.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe C:\WINDOWS\EXPLORER.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\WINDOWS\SYSTEM\ATIPTAXX.exe C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.exe C:\PROGRAM FILES\CREATIVE\SBAUDIGY\PROGRAM\ADGJDET.exe C:\WINDOWS\STARTER.exe C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\TEMP\HIJACKTHIS.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spacetelescope.org/index.html O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.exe O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.exe /run O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [WINBUH32] rundll32 WINBUH32.DLL,run O4 - HKLM\..\RunServices: [HC Reminder] hc.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.exe O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Please download ATF_cleaner, a temp file cleaner from this link http://www.atribune.org/content/view/19/2/ by Atribune. We will run it in safe mode later. Reboot into safe mode by following these directions How to Boot into Safe Mode Then set up the computer to view hidden files as directed Here Run Ht again in safe mode, place a check to the left of the following items and press "fix checked": O4 - HKLM\..\Run: [WINBUH32] rundll32 WINBUH32.DLL,run Then while stile in safe mode navigate to and delete these files if found: C:\WINBUH32.DLL C:\windows\WINBUH32.DLL C:\windows\System\WINBUH32.DLL Run ATF-Cleaner.Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Run this free online scan from Panda When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.

try this solution to remove win*tmp.exe popups

Success! Thanks much jabuck & paul3 for your much needed advice. Panda said I still had a spyware cookie, but I quickly found it and my system is clean.

check: O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe, taskmon suppose to be in \windows\