Tags:







What's producing these exe files in my temp folder?
January 4, 2005 6:29 AM   RSS feed for this thread Subscribe

On WinXP, every minute, I get a new file in my temp directory, and it appears to be a downloaded webpage. I'm sure I have a virus or summat, but I can't see where. MI.

I've run adaware and AntiVir, but nothing is found. There are no scheduled tasks and I am no novice user.

The files are being created in
C:\Documents and Settings\User\Local Settings\Temp

There is a new one each minute. Filenames are randomly created, such as ddgdjjgi.exe and jqdobkpk.exe. The files are Hex when I view them in Textpad, but the program also shows the ASCII version (?) of the Hex code, which is virtually identical to the source from http://www.flexiblesolutions.ws, or at least the first 2 to 6 kb of it.

It's really wierd. I've been through all the running processes, and all seem to be valid.
posted by ajbattrick to computers & internet (8 comments total)
Could they be attachments from your email app?
posted by gen at 6:51 AM on January 4, 2005


Try filemon to see if you can figure out what process is creating the file.
posted by SNACKeR at 6:53 AM on January 4, 2005


Filemon I have used before in the long distant past, and forgotten about, cheers SNACKeR. Anyway, that points me to
C:\WINDOWS\system32\rnbw\hgkpgbmc.exe
which leads me to the Troj/Banker-X trojan / virus.

But now I am stumped again, as the only bit that matches with that trojan is "rnbw." None of the other symptoms appear
posted by ajbattrick at 7:15 AM on January 4, 2005


Ad Aware is good, but try also Spybot Search & Destroy. It's another excellent spyware-removal app and, together with Ad Aware, they make a great team.
posted by Alex Handcoding at 8:16 AM on January 4, 2005


My favorite is HijackThis. But you need to have a bit of knowhow to know what to delete and not.
posted by u.n. owen at 8:20 AM on January 4, 2005


If it's a trojan and not spyware (the line between the two is becoming more and more blurred...) and AntiVir won't get rid of it, try Stinger, a quick removal tool for the most "popular" viruses. Failing that, I've had good luck with AVG Free.
posted by zsazsa at 8:35 AM on January 4, 2005


echoing what people have already said, update your definitions and hit it with the trinity of adaware, spybot and hijackthis. then avgfree.
if issue persists, reboot in safe mode, repeat.
this gets rid of most stuff.
posted by juv3nal at 7:30 PM on January 4, 2005


Spybot tells me that it is "n-Case"

Thanks all
posted by ajbattrick at 1:14 AM on January 5, 2005


« Older I'm looking for opinions on Ad...   |   Any music historians out there... Newer »
This thread is closed to new comments.