Spyware Creating tmp files, ie Win1.tmp Win2.tmp

[JCO]

Running WindowsXP-Pro SP2 and all updates.

My son's computer has something running that I can't figure it out. In the
tmp directory, the files Winx.tmp gets created where "x" can be any digit.
It starts as "1" and increments forever. I've had over 2000 files that I
deleted.
Win1.tmp
Win2.tmp
Win3.tmp
......
Win2066.tmp ....
Each file shows up as 0 kbs and when I open them... they are empty.

What I've done:
Ran Norton SystemWorks / Antivirus and deleted all known issues.
Ran SpyBot and have cleaned out all known issues.
Ensured that HKLM-Run & HKCU-Run is cleaned (stripped) to a minimum that I
know is required.
Deleted all tmp folders and web temp folders.
Emptied Trash
I've used "HijackThis" but not posting here unless someone wants to see it.
I've looked into the Services but don't see anything bad, however, not
familiar with everything there.

One added Note:
Spybot is not able to update to the latest definitions because of a Socket
Error 10086 (I think). Tried to uninstall, reboot, re-install but I get the
same socket error. Not sure how hold my definitions are since I don't know
when this started doing this. I guess this should be posted separately?

Thanks

 

[JCO]

Added Note:
Running the task manager, I see lots of activity from the following:
EXPLORER (all caps which is not on my other computer)
CISVC.EXE (sometimes is 60-70%, then goes to 0% for a while)
EXPLORER.EXE
WINLOGON.EXE

 

[Terry R.]

On 7/9/2007 4:46 PM On a whim, JCO pounded out on the keyboard

Running WindowsXP-Pro SP2 and all updates.

My son's computer has something running that I can't figure it out. In the
tmp directory, the files Winx.tmp gets created where "x" can be any digit.
It starts as "1" and increments forever. I've had over 2000 files that I
deleted.
Win1.tmp
Win2.tmp
Win3.tmp
.....
Win2066.tmp ....
Each file shows up as 0 kbs and when I open them... they are empty.

What I've done:
Ran Norton SystemWorks / Antivirus and deleted all known issues.
Ran SpyBot and have cleaned out all known issues.
Ensured that HKLM-Run & HKCU-Run is cleaned (stripped) to a minimum that I
know is required.
Deleted all tmp folders and web temp folders.
Emptied Trash
I've used "HijackThis" but not posting here unless someone wants to see it.
I've looked into the Services but don't see anything bad, however, not
familiar with everything there.

One added Note:
Spybot is not able to update to the latest definitions because of a Socket
Error 10086 (I think). Tried to uninstall, reboot, re-install but I get the
same socket error. Not sure how hold my definitions are since I don't know
when this started doing this. I guess this should be posted separately?

Thanks

JCO,

If Spybot won't run, download and install Lavasoft Ad-Aware and give it
a try. Be sure to update it after the install and prior to running a check.

http://www.download.com/Ad-Aware-20...045910.html?part=dl-ad-aware&subj=dl&tag=top5

--
Terry R.

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.

 

[HeyBub]

Running WindowsXP-Pro SP2 and all updates.

My son's computer has something running that I can't figure it out.
In the tmp directory, the files Winx.tmp gets created where "x" can
be any digit. It starts as "1" and increments forever. I've had over
2000 files that I deleted.
Win1.tmp
Win2.tmp
Win3.tmp
.....

According to Google, you've got a Trojan.

For example:

http://www.spyware-removal-guideline.com/win-tmp-exe-popups-removal

 

[JCO]

The LavaSoft did not work.
The virus names are:
download.? (can't remeber)
trojan.nebuler

Tools did not work. After two days, I finally recovered from an Image (that
was very old).
Anyway, updates are being done.

Thanks