Trojan Constantly Making New Files


10 replies to this topic

#1 narcispy

Posted 28 January 2008 - 08:53 AM

I'm using Symantec Endpoint Protection and Vista x64 ultimate. Anyways upon scanning I found out I have a virus on my machine and it keeps sucking up all my processor. What it does is there's a temporary directory under /users/username... (this is the new format for Vista other than /documents and settings/username/) it constantly makes a random filename in this directory named something like D34512.tmp every few seconds. I've got the latest definitions of my program and I've tried doing a full scan in both safe mode and regular mode. I have it set to automatically delete files upon infection and everytime it finds one it deletes it but the virus just makes another one in that directory automatically. Norton finds this trojan as named Trojan Horse which is like a generic name for a virus. Doesn't say much about removing the virus other than downloading the newest definitions and running a full scan but this thing is still on my machine and active as ever. I've got a quad core processor and this virus basically tops out the processor when its making a copy of itself. I can post you a Hijackthis but I don't think its a program running in the background, although Vista processes are harder to determine since they have changed the names since XP.

#2 quietman7

Posted 28 January 2008 - 10:36 AM

Norton finds this trojan as named Trojan Horse which is like a generic name for a virus

Did Norton provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system?

Is Norton providing detection alerts on the temp files? If not, they may be generated by another program and not malware. That will require further investigation.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of one of these temp files and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 narcispy

Posted 29 January 2008 - 08:30 AM

Okay, thanks. Not sure, but there's a temp file located under /Users/<username>/... somewhere under a hidden file, I'm guessing, where it saves user settings temporarily or program installs. I don't know much about Vista; I'm MCDST certified for XP. But thanks for the link, I'll upload a sample and see what turns up. Norton really didn't have a name for the actual virus, it just said Trojan Horse, which could mean anything pretty much, just a generic name since most of them are like Hacktoolz.w32 trojan or something. But ya, detection alerts come up every second for like an hour, then stop again, then start back up sometime later when the .tmp files keep popping up in that directory.

Edited by narcispy, 29 January 2008 - 08:33 AM.


#4 narcispy

Posted 29 January 2008 - 06:19 PM

Alright, what it is: it's an IRC flood tool, Application.Irc.Flood.Tool.E or HackTool/Flood, something like that.
What I don't know is how to get rid of it.

#5 quietman7

Posted 29 January 2008 - 09:52 PM

Have you tried running your scans in "Safe Mode"? If not, then do so.

Then perform at least one of these online Virus scans:
(All the following, except Trend Micro Housecall Scan, require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)
F-Secure Online Scanner. <- Follow the directions on the F-Secure page for proper Installation. (also checks for rootkits) (Vista compatible)
ESET Nod32 Online Scanner <- Vista compatible but Internet Explorer must be Run as Administrator.

#6 narcispy

Posted 30 January 2008 - 08:31 AM

I didn't try in safe mode, but I ran NOD32 last night; it found some of them and removed them. I thought it was gone, but then early this morning Symantec came up with about 60 matches of the virus, constantly growing every second, basically running my CPU up to 100%.

#7 quietman7

Posted 30 January 2008 - 09:00 AM

Go ahead and scan in safe mode. The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas while the files are being used. Using "Safe Mode" reduces the number of modules requesting files to only the essentials needed to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools.

#8 narcispy

Posted 31 January 2008 - 07:59 AM

Okay, 'cause I know I did a safe mode scan with my Symantec Endpoint. I'll do the NOD safe mode scan tonight and see if it grabs anything.

#9 quietman7

Posted 31 January 2008 - 10:00 AM

Ok. Let me know the results.

#10 narcispy

Posted 04 February 2008 - 06:41 PM

Alright, about time I replied, right? I got a chance to do it over the weekend and it detected like 3,000-some instances of this virus, which was all the .tmp files it was making in that directory; it deleted them all. I haven't seen Symantec pop up about any new ones, but I think I'm gonna go ahead and buy NOD32 anyway. I like that program better than Symantec, less system resources too. Still leery about this virus though; I hope it got rid of all of it.

#11 quietman7

Posted 05 February 2008 - 07:48 AM

I'm gonna go ahead and buy NOD32 anyways I like that program better than symantec, less system resources too

Good decision. That's why I use NOD32 myself.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




