Comments on: What's producing these exe files in my temp folder?

Question: What's producing these exe files in my temp folder?

ajbattrick — Tue, 04 Jan 2005 06:29:12 -0800

On WinXP, every minute, I get a new file in my temp directory, and it appears to be a downloaded webpage. I'm sure I have a virus or summat, but I can't see where. MI.

I've run adaware and AntiVir, but nothing is found. There are no scheduled tasks and I am no novice user.

The files are being created in
C:\Documents and Settings\User\Local Settings\Temp

There is a new one each minute. Filenames are randomly created, such as ddgdjjgi.exe and jqdobkpk.exe. The files are Hex when I view them in Textpad, but the program also shows the ASCII version (?) of the Hex code, which is virtually identical to the source from http://www.flexiblesolutions.ws, or at least the first 2 to 6 kb of it.

It's really wierd. I've been through all the running processes, and all seem to be valid.

By: gen

gen — Tue, 04 Jan 2005 06:51:49 -0800

Could they be attachments from your email app?

By: SNACKeR

SNACKeR — Tue, 04 Jan 2005 06:53:07 -0800

Try filemon to see if you can figure out what process is creating the file.

By: ajbattrick

ajbattrick — Tue, 04 Jan 2005 07:15:31 -0800

Filemon I have used before in the long distant past, and forgotten about, cheers SNACKeR. Anyway, that points me to
C:\WINDOWS\system32\rnbw\hgkpgbmc.exe
which leads me to the Troj/Banker-X trojan / virus.

But now I am stumped again, as the only bit that matches with that trojan is "rnbw." None of the other symptoms appear

By: Alex Handcoding

Alex Handcoding — Tue, 04 Jan 2005 08:16:38 -0800

Ad Aware is good, but try also Spybot Search & Destroy. It's another excellent spyware-removal app and, together with Ad Aware, they make a great team.

By: u.n. owen

u.n. owen — Tue, 04 Jan 2005 08:20:04 -0800

My favorite is HijackThis. But you need to have a bit of knowhow to know what to delete and not.

By: zsazsa

zsazsa — Tue, 04 Jan 2005 08:35:41 -0800

If it's a trojan and not spyware (the line between the two is becoming more and more blurred...) and AntiVir won't get rid of it, try Stinger, a quick removal tool for the most "popular" viruses. Failing that, I've had good luck with AVG Free.

By: juv3nal

juv3nal — Tue, 04 Jan 2005 19:30:19 -0800

echoing what people have already said, update your definitions and hit it with the trinity of adaware, spybot and hijackthis. then avgfree.
if issue persists, reboot in safe mode, repeat.
this gets rid of most stuff.

By: ajbattrick

ajbattrick — Wed, 05 Jan 2005 01:14:04 -0800

Spybot tells me that it is "n-Case"

Thanks all