strange virus

Kevin M

Please help. I have a very strange virus or spyware issue as follows:

Running XP Pro
Norton AntiVirus (updated)

Files in my Windows\temp folder keep growing. Some of the files that appear
in the temp folder are .exe files. Most of these files cannot be deleted
even in safe mode. Usually, some of the .exe files which are in the temp
folder are a running process. I have scanned with Spybot, Ad-Aware,
CWShredder, Trend Micro on-line and done scans with my Norton AntiVirus.
However, nothing I've done picks anything up. Spybot did pick up
wwwcoolwebsearch one time but deleted it. Also, I see nothing unusual in the
RUN keys of the registry.

Any suggestions would be greatly appreciated.

Thanks,

Kevin
 
David H. Lipman

From: "Kevin M" <[email protected]>

| Please help. I have a very strange virus or spyware issue as follows:
|
| Running XP Pro
| Norton AntiVirus (updated)
|
| Files in my Windows\temp folder keep growing. Some of the files that appear
| in the temp folder are .exe files. Most of these files cannot be deleted
| even in safe mode. Usually, some of the .exe files which are in the temp
| folder are a running process. I have scanned with Spybot, Ad-Aware,
| CWShredder, Trend Micro on-line and done scans with my Norton AntiVirus.
| However, nothing I've done picks anything up. Spybot did pick up
| wwwcoolwebsearch one time but deleted it. Also, I see nothing unusual in the
| RUN keys of the registry.
|
| Any suggestions would be greatly appreciated.
|
| Thanks,
|
| Kevin
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
David H. Lipman

From: "Kevin M" <[email protected]>

| Thanks, but this did not work.

Then it is NOT a virus and you need to look at what application has to store TMP or other
files in the %windir%\temp folder. Maybe you need more physical RAM or Virtual RAM enabled
such that the causative application doesn't have to create TEMP files in that TEMP folder.
 
Kevin M

Thanks, but no. I have 512 MB RAM and I've used this PC for about two years.
Also, I noticed that a folder within the programs folder keeps appearing
called UCAS.
 
Offbreed

Kevin said:
Thanks, but no. I have 512 MB RAM and I've used this PC for about two years.
Also, I noticed that a folder within the programs folder keeps appearing
called UCAS.

I wonder if you need to pull that hard drive and let a shop check it for
back doors?
 
Offbreed

Kevin said:
Do What??? Please explain

I'm confused by your request for an explanation. You know enough to
check Run keys in your registry, but... Well, my apologies if I'm
speaking to someone who already knows about this sort of thing and I am
misunderstanding you.

Remove the hard drive from your computer and let someone who specializes
in computer security install it in his own computer as a slave or
secondary master. He boots to his hard drive instead of yours so he is
using his operating system and no part of yours is active. He can then
examine your hard drive for programs that allow someone to use your
machine (via back doors, root kits, etc.) as a spam zombie, or storage
for stolen software, or off-site storage for child pornography, or some
kids are using your computer for their games, or?

You could end up in deep shit if your computer is being used as a child
pornography distribution point because cops usually figure it's your
computer and you have total control over what is in it. We are talking
thousands of dollars in lawyer fees at best, and hard time in prison at
worst. This is the least likely explanation, but the most dangerous to you.

From what I've been reading, a more likely explanation is that someone
who knew what he was doing penetrated your computer (hiding his tracks
better) and sold access to it to someone with less skill who intends to
use it as a cutout for something illegal, such as spam or hacking
someone else's computer.

You might try the "Hijack This" log route. Visit alt.privacy.spyware and
read the FAQ. Ignore anything from pcbutts, an idiot with delusions of
competency.

The simplest alternative is a reinstall, which you should probably do
anyway if you have a backdoor.
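The offline examination described above, as an added example that is not part of the original thread and not any poster's own tool: with the suspect disk mounted as a secondary drive under a clean operating system, the examiner inventories the Windows\Temp folder rather than trusting the running system. The script below content-sniffs for the PE "MZ" header (so an executable renamed to .tmp is still caught), hashes every file, and groups identical bytes under different names, which is what a dropper that re-creates itself on every boot looks like. The sample tree it builds in a temporary directory is constructed for the demonstration; the file names and the 7-day "recent" window are assumptions, not details from the thread.

```python
"""Offline triage of a Windows temp folder on a mounted, non-booted disk.

Run against the real mount point (e.g. E:\\WINDOWS\\Temp) with
triage_temp(Path(...)); run_demo() exercises it on a constructed sample tree.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path

PE_MAGIC = b"MZ"                                        # DOS stub header of every PE image
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".sys"}
RECENT_SECONDS = 7 * 86400                              # assumed "recent" window


@dataclass
class Finding:
    path: str        # relative to the temp folder
    size: int
    sha256: str
    is_pe: bool      # file content starts with "MZ", whatever the extension
    disguised: bool  # PE content under a non-executable extension (e.g. .tmp)
    recent: bool     # modified within RECENT_SECONDS of the reference time


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_pe_header(p: Path) -> bool:
    with p.open("rb") as f:
        return f.read(2) == PE_MAGIC


def triage_temp(temp: Path, now: float | None = None) -> list[Finding]:
    """Inventory every file under the mounted temp folder, sniffing content for PE."""
    now = time.time() if now is None else now
    out: list[Finding] = []
    for p in sorted(temp.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        pe = has_pe_header(p)
        out.append(Finding(
            path=p.relative_to(temp).as_posix(),
            size=st.st_size,
            sha256=sha256_file(p),
            is_pe=pe,
            disguised=pe and p.suffix.lower() not in EXEC_EXTS,
            recent=(now - st.st_mtime) < RECENT_SECONDS,
        ))
    return out


def duplicate_groups(findings: list[Finding]) -> dict[str, list[str]]:
    """Same bytes under different names: the signature of a self-re-dropping file."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        by_hash[f.sha256].append(f.path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree(base: Path, now: float) -> Path:
    """Constructed sample (not data from the thread) mimicking the reported symptoms."""
    temp = base / "WINDOWS" / "Temp"
    temp.mkdir(parents=True)
    # Minimal stand-in for a PE image: MZ header, e_lfanew pointing at "PE\0\0".
    fake_pe = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x90" * 200
    (temp / "tmp1A2B.exe").write_bytes(fake_pe)
    (temp / "tmp3C4D.exe").write_bytes(fake_pe)         # same dropper, new random name
    (temp / "~DF1234.tmp").write_bytes(fake_pe)          # same bytes hidden as a .tmp
    log = temp / "setup.log"
    log.write_bytes(b"installer log\r\n")
    old = now - 30 * 86400
    os.utime(log, (old, old))                            # benign, month-old file
    return temp


def run_demo() -> dict:
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        findings = triage_temp(build_sample_tree(Path(d), now), now)
        dups = duplicate_groups(findings)
    return {
        "total": len(findings),
        "pe": [f.path for f in findings if f.is_pe],
        "disguised": [f.path for f in findings if f.disguised],
        "recent_pe": [f.path for f in findings if f.is_pe and f.recent],
        "duplicate_groups": list(dups.values()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hashes are the useful output for the next step: a file that three scanners miss by name can still be submitted or looked up by SHA-256, and a hash group of three identically-sized executables with different random names tells the examiner to look for the component that writes them (a service, a scheduled task, a Winlogon or shell-extension entry) rather than at the Run keys alone.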
 
Kevin M

10-4. I follow you now. I think it would be more simple to format and
reinstall.

Thanks
 