Can anyone identify this trojan/spyware - No success removing it

liesnerj

Hello,
I have been trying for the past week or so to get rid of some
trojan/spyware. Running McAfee, Spybot, adaware etc. does not detect
nor remove it.
This starts a process named "xxxx.tmp", where the x represents a
hexadecimal number, always 4 characters and the .tmp extension. I see
all over the net that people have trojans that are named like
"winxx.tmp" or "idxxxx.tmp", but ours is just the 4 hex numbers and
.tmp.
This process then proceeds to send and receive things over the net
and tie up the machine. Aside from tying up the machine, I know it
must be sending personal/password/user name etc. information over the
net.
The .tmp file is in the c:\windows\temp folder. I can delete the
process, it will go away nicely, except it leaves the file in the temp
folder. I can then also delete the file out of the temp folder. But
it will regenerate itself, usually within 15 minutes.

We are using the following:
Windows XP service pack 2
McAfee 8.0
Internet Explorer 6.0 and AOL


Can anyone identify this one? And even better yet, tell me how to
get rid of the underlying software that keeps regenerating this. Like
I mentioned previously, I have tried many things and software with no
luck.

Thanks.

Malke

> Hello,
> I have been trying for the past week or so to get rid of some
> trojan/spyware. Running McAfee, Spybot, adaware etc. does not detect
> nor remove it.
> This starts a process named "xxxx.tmp", where the x represents a
> hexadecimal number, always 4 characters and the .tmp extension. I see
> all over the net that people have trojans that are named like
> "winxx.tmp" or "idxxxx.tmp", but ours is just the 4 hex numbers and
> .tmp.
> This process then proceeds to send and receive things over the net
> and tie up the machine. Aside from tying up the machine, I know it
> must be sending personal/password/user name etc. information over the
> net.
> The .tmp file is in the c:\windows\temp folder. I can delete the
> process, it will go away nicely, except it leaves the file in the temp
> folder. I can then also delete the file out of the temp folder. But
> it will regenerate itself, usually within 15 minutes.
>
> We are using the following:
> Windows XP service pack 2
> McAfee 8.0
> Internet Explorer 6.0 and AOL

We won't be able to identify the malware from that information. Lots of
malware behaves that way. Please review the malware removal steps at
the link below. If you followed similar procedures, including
prep/finishing work, then certainly don't do them all over again. If
you didn't prepare and scan the way I suggest and with the suggested
tools, it would be wise to go through the steps.

http://www.elephantboycomputers.com/page2.html#Removing_Malware

The next step is to run HijackThis and post your log in one of the
specialty forums listed at the links below (listed in no particular
order). Please do not post HJT logs in the MS newsgroups; post in one
of the forums below.

http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forums.subratam.org/index.php?showforum=7
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

If the procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a professional
computer repair shop (not your local version of BigStoreUSA).

Malke

Mike S

> Hello,
> I have been trying for the past week or so to get rid of some
> trojan/spyware. Running McAfee, Spybot, adaware etc. does not detect
> nor remove it.

You know, adaware and spybot don't do crap. Can't say much about
mcafee, but I do know symantec is pretty good at stopping stuff before
it gets on there - as far as removing it.. dunno.

Regardless, the tool you want to get is security task manager. It blows
all of those tools out of the water and then some. It will list all of
your running tasks and tell you if it thinks they are bad. You can then
go and end the task and it will quarantine it just in case you need to
bring it back.

It gets even better, you can click on a task and hit the google button
and look at what other people think about that task.

http://www.neuber.com/taskmanager/

this is the best tool I have found to date, hands down. Don't waste
your time with those others because they just can't remove the pesky stuff.

Mike

Guest

I have seen in the past that these files regenerate themselves because they
reside in the registry. Performing a search through REGEDIT for the xxxx.tmp
or manually going through the HKEYs looking through the RUN and RUN ONCE keys
under Windows will sometimes allow you to delete the registry key and then
you can successfully delete the file from the tmp directory.
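The registry check described in this post, as an added PowerShell example that is not from any of the posters: it lists the Run/RunOnce autostart entries, flags any whose command references a four-hex-character .tmp name or a temp folder, and lists matching files in the temp directories. The key paths are the standard Windows ones; the suspicion patterns are an assumption based on the naming described in this thread.

```powershell
# Added example (not from the thread). Enumerate Run/RunOnce entries and flag
# commands that reference "xxxx.tmp" (four hex characters) or a temp folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristics: exactly four hex characters plus .tmp, or a path under a temp folder.
$tmpNamePattern = '(?i)(^|[\\/"])[0-9a-f]{4}\.tmp(\b|")'
$tempPathPattern = '(?i)\\(windows\\temp|local settings\\temp|temp)\\'

function Get-SuspiciousAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $flag = ($command -match $tmpNamePattern) -or ($command -match $tempPathPattern)
            # New-Object is used instead of [pscustomobject] so this runs on older PowerShell.
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $name
                Command    = $command
                Suspicious = $flag
            }
        }
    }
}

# Files in the temp folders whose name matches the pattern described in the thread.
function Get-FourHexTmpFiles {
    $tempDirs = @("$env:SystemRoot\Temp", $env:TEMP) | Select-Object -Unique
    foreach ($dir in $tempDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.tmp' |
            Where-Object { $_.Name -match '^[0-9a-fA-F]{4}\.tmp$' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-SuspiciousAutostart | Where-Object { $_.Suspicious } | Format-Table Key, Name, Command -AutoSize
Get-FourHexTmpFiles | Format-Table -AutoSize
```

Review each flagged entry before touching it; once an entry is confirmed, `Remove-ItemProperty -Path <Key> -Name <Name>` removes that single value, and the file should be removed only after its launcher is gone, which is the order this post describes.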

Mike S

> I have seen in the past that these files regenerate themselves because they
> reside in the registry. Performing a search through REGEDIT for the xxxx.tmp
> or manually going through the HKEYs looking through the RUN and RUN ONCE keys
> under Windows will sometimes allow you to delete the registry key and then
> you can successfully delete the file from the tmp directory.

again, you're really making your life much more difficult than it needs
to be. First kill all the bad stuff with security task manager. If you
can't kill something, but have identified it as a bad process, process
explorer might come in handy as well. Going through the run and run
once keys is the same as using msconfig which is also taken care of in
security task manager as it kills the task and then moves the file to a
quarantine where it can't be run anymore. Even if the entry still
exists in the run or run once keys, it won't make a difference if the
file is not there anymore.

After you've killed all the bad stuff, then run your
spybot/adaware/whatever to search and find all the bad files and clean
them up.

mike