What's producing these exe files in my temp folder?
January 4, 2005 6:29 AM

On WinXP, every minute, I get a new file in my temp directory, and it appears to be a downloaded webpage. I'm sure I have a virus or summat, but I can't see where. MI.

I've run adaware and AntiVir, but nothing is found. There are no scheduled tasks and I am no novice user.

The files are being created in
C:\Documents and Settings\User\Local Settings\Temp

There is a new one each minute. Filenames are randomly created, such as ddgdjjgi.exe and jqdobkpk.exe. The files are Hex when I view them in Textpad, but the program also shows the ASCII version (?) of the Hex code, which is virtually identical to the source from http://www.flexiblesolutions.ws, or at least the first 2 to 6 kb of it.

It's really weird. I've been through all the running processes, and all seem to be valid.
posted by ajbattrick to Computers & Internet (8 answers total)
 
Could they be attachments from your email app?
posted by gen at 6:51 AM on January 4, 2005


Try filemon to see if you can figure out what process is creating the file.
posted by SNACKeR at 6:53 AM on January 4, 2005


Response by poster: Filemon I have used before in the long distant past, and forgotten about, cheers SNACKeR. Anyway, that points me to
C:\WINDOWS\system32\rnbw\hgkpgbmc.exe
which leads me to the Troj/Banker-X trojan / virus.

But now I am stumped again, as the only bit that matches with that trojan is "rnbw." None of the other symptoms appear.
posted by ajbattrick at 7:15 AM on January 4, 2005


Ad Aware is good, but try also Spybot Search & Destroy. It's another excellent spyware-removal app and, together with Ad Aware, they make a great team.
posted by Handcoding at 8:16 AM on January 4, 2005


My favorite is HijackThis. But you need to have a bit of know-how to know what to delete and not.
posted by u.n. owen at 8:20 AM on January 4, 2005


If it's a trojan and not spyware (the line between the two is becoming more and more blurred...) and AntiVir won't get rid of it, try Stinger, a quick removal tool for the most "popular" viruses. Failing that, I've had good luck with AVG Free.
posted by zsazsa at 8:35 AM on January 4, 2005


echoing what people have already said, update your definitions and hit it with the trinity of adaware, spybot and hijackthis. then avgfree.
if issue persists, reboot in safe mode, repeat.
this gets rid of most stuff.
posted by juv3nal at 7:30 PM on January 4, 2005


Response by poster: Spybot tells me that it is "n-Case".

Thanks all
posted by ajbattrick at 1:14 AM on January 5, 2005
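
A quick way to confirm the symptom described in the question (randomly named .exe files in Temp that actually hold web-page source and arrive about once a minute), as an added example that is not part of the original thread. The function names, the 512-byte read and the sample folder contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Name shape of the two files quoted in the question: 8 lowercase letters + .exe
RANDOM_EXE = re.compile(r"^[a-z]{8}\.exe$")
HTML_HINT = re.compile(rb"<(!doctype|html|head|title)", re.I)

def triage_temp(folder):
    """Flag .exe files that are not PE images or carry HTML, and time their arrival."""
    findings = []
    for entry in os.scandir(folder):
        if not entry.is_file() or not entry.name.lower().endswith(".exe"):
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(512)
        is_pe = head[:2] == b"MZ"  # every real Windows executable starts with "MZ"
        looks_html = bool(HTML_HINT.search(head))
        if is_pe and not looks_html:
            continue  # ordinary executable, not what the question describes
        findings.append({
            "name": entry.name,
            "mtime": entry.stat().st_mtime,
            "is_pe": is_pe,
            "looks_html": looks_html,
            "random_name": bool(RANDOM_EXE.match(entry.name)),
        })
    findings.sort(key=lambda f: f["mtime"])
    # Seconds between consecutive files; a steady value points at a timer-driven process
    gaps = [round(b["mtime"] - a["mtime"]) for a, b in zip(findings, findings[1:])]
    return findings, gaps

def demo():
    """Build a constructed sample folder and triage it (no real malware involved)."""
    with tempfile.TemporaryDirectory() as folder:
        samples = [  # (name, content, mtime) -- all constructed for this example
            ("ddgdjjgi.exe", b"<html><head><title>x</title></head>", 1104820140),
            ("jqdobkpk.exe", b"<!DOCTYPE html><html>", 1104820200),
            ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60, 1104820260),
        ]
        for name, content, mtime in samples:
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (mtime, mtime))
        return triage_temp(folder)

if __name__ == "__main__":
    found, gaps = demo()
    for f in found:
        print(f["name"], "PE" if f["is_pe"] else "not PE", "HTML" if f["looks_html"] else "")
    print("gaps (s):", gaps)
```

Pointing `triage_temp` at the real Temp folder shows which files match and how regular the interval is; it does not identify the process writing them, which is what Filemon is for.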

