
DIO2.tmp (3,4,5...) & MAR1.tmp/MERGED TOPICS


7 replies to this topic

#1 Jetfly

  • Members
  • 6 posts

Posted 02 June 2009 - 10:52 AM

Hello Guys.

These DIO#.tmp and MAR#.tmp files got me stumped. I am almost sure they are malware-related. I keep deleting them, and they keep popping back whenever I reboot.

My XP SP3 PC was badly infected. The only symptom was that IE7 would take forever to start file downloads (they got stuck at 0%) and would start after a minute or so. Netstat showed no strange connections, but I knew it was highly suspicious behavior when I discovered IE would allow me to open the said files directly, instead of downloading. When I downloaded combofix, it said it was changed, which was a dead giveaway.

It didn't matter that I had AVG 7.5 installed and running.

I suspect I got infected after I downloaded 2 .ISO files from torrent sites (my new kitty played with the video DVDs for a legit exercise program I purchased, and messed them up) :flowers: No, really. My wife has pictures of the %$# critter in action.

Following the different posts in this forum, I updated to AVG 8, which detected 2 trojans (password stealers). I turned Hard Drive monitoring off, but the trojans would pop in again after reboots. IE7 kept malfunctioning. Lots of weird exes (such as skp66[1].exe, 542.exe and such) and dlls were visually detected within my local settings\temp folders. Some were in use and would not delete. Some I killed from taskmgr.

I booted in safemode and ran AVG cmdline. Nothing was detected. I removed the exes and dlls manually, along with almost everything in temporary internet and temp, for each of my user profiles.

I rebooted to normal mode and ran ESET online (NOD32?) and nothing was detected. But it behaved funny. I thought of running Kaspersky, but it states that it doesn't really clean stuff, just detects. Wise guys... Anyways, IE7 still malfunctioned, so I uninstalled IE7. IE6 = same symptoms.

I got tired of this and removed the drive. Stuck it in a 100% clean Vista PC, adopted it, and ran ESET online again. It detected a WHOLE BUNCH of malware, tracking cookies, registry entries, etc. in the imported drive. I had it clean everything.

I decided to follow your advice for other instances, and downloaded SpybotS&D162, MBytes, Combofix, and the one with the big Superman icon...

- Reinserted the hard drive in its PC, turned off AVG, and ran Spybot. Another bunch of stuff detected, and cleaned.

- Ran Malwarebytes full diag.... It froze the PC after scanning most of the system, and finding 1 unknown infection.

- Re-ran Mbytes fast detect and it found 4 more things, which I had it clean up.

The ###.exe files and the other exes are no longer popping back on again. The dlls are gone too. All thanks to your advice on removal tools. :thumbsup:

However, I still have those DIO#.tmp, MAR#.tmp and ~DF4### files, which regenerate after reboots. I can delete them manually, but that doesn't reassure me much. I'm seeing these files in many of the submitted infected logs, and they don't look like regular tmp files.

I installed a cleaned CF this morning, made a deletion CFscript file and ran it. It deleted the files, but I know they will be regenerated, so I let CF run wild. It complained about an avg service that won't shut down, and the cmdcons, which I don't want to install. Left it when it was about to reboot.

I'm still wondering about those tmps. Anyone have any experience on what sort of infection generates them?
Thanks in advance.

Jet

Edited by garmanma, 05 June 2009 - 01:00 PM.



#2 Jetfly

  • Topic Starter
  • Members
  • 6 posts

Posted 04 June 2009 - 11:01 PM

Hello guys;

Does anyone know what malware generates the

DIO2.TMP
DIO3.TMP
...DIO#.tmp

and

MAR1.TMP
MAR2.TMP
MAR#.TMP

and

BIT3D.tmp (this one's 35 MB)

I haven't found any reference to legit programs that generate them. The closest matches are within PREVX, but are still "uncategorized"
:thumbsup:

#3 Jetfly

  • Topic Starter
  • Members
  • 6 posts

Posted 05 June 2009 - 08:11 AM

I just saw a Windows Live Setup file which was the same size as the BIT3D.tmp file. Seems that one is MSN Messenger related, and PrevX classifies it as safe.


Still trying to find what creates those pesky DIO# and MAR# temp files.

So far attempted:

AVG (installed)
Eset Online Scanner
sophos-antirootkit
trojanhunter
fsecure cleaner
superantispyware
spybot s&d
malwarebytes
combofix

All of them found something in the quick 1st run, but after the 2nd full run state that the system is clean.

Only MGTools left untried in the toolkit.

I don't dare use any of my passwords to enter ebay , banking or messaging accounts, in case there's a keylogger or something in the PC.

Any suggestions will be appreciated.

Thanks in advance to anyone who can come up with useful advice.

#4 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 05 June 2009 - 09:31 PM

You can try submitting them (one at a time) for a jotti scan
http://virusscan.jotti.org/en

You also might consider submitting a HJT log:


Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
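As an added example (not from this thread, BleepingComputer, or any of the tools named here), the following Python script supports the "submit them one at a time" step: it inventories a temp folder for files with the names discussed in the thread (DIO#.tmp, MAR#.tmp, ~DF####.tmp), records each file's size and SHA-256 so the hash can be looked up or the file submitted to a scanner such as Jotti, and compares a snapshot taken before the manual deletion with one taken after the reboot. The comparison shows which names came back byte-identical, which came back with different content, which are new and which stayed gone. The name patterns are taken from the thread; the sample files in `demo()` and the command-line paths are constructed for the example.

```python
"""Added example (not from the thread): snapshot a temp folder for the
file names discussed above, hash them, and diff two snapshots to see
which names regenerate after deletion and reboot."""
import hashlib
import json
import re
import sys
import tempfile
from pathlib import Path

# Name patterns taken from the thread: DIO#.tmp, MAR#.tmp, ~DF####.tmp
SUSPECT_PATTERNS = [
    re.compile(r"^DIO\d+\.tmp$", re.IGNORECASE),
    re.compile(r"^MAR\d+\.tmp$", re.IGNORECASE),
    re.compile(r"^~DF[0-9A-F]+\.tmp$", re.IGNORECASE),
]


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so a 35 MB .tmp does not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(temp_dir: Path) -> dict:
    """Return {name: {"size": bytes, "sha256": hex}} for matching files in temp_dir."""
    found = {}
    for entry in sorted(temp_dir.iterdir()):
        if entry.is_file() and any(p.match(entry.name) for p in SUSPECT_PATTERNS):
            found[entry.name] = {"size": entry.stat().st_size, "sha256": sha256_of(entry)}
    return found


def save_snapshot(snap: dict, out: Path) -> None:
    out.write_text(json.dumps(snap, indent=2))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(before: dict, after: dict) -> dict:
    """Classify names in the post-reboot snapshot against the pre-deletion one.

    A name present in both means the file came back after you deleted it;
    whether its hash is identical tells you if the same content is being
    dropped each time or something is regenerating fresh content."""
    result = {"regenerated_same": [], "regenerated_changed": [], "new": [], "gone": []}
    for name, meta in after.items():
        if name not in before:
            result["new"].append(name)
        elif before[name]["sha256"] == meta["sha256"]:
            result["regenerated_same"].append(name)
        else:
            result["regenerated_changed"].append(name)
    result["gone"] = [name for name in before if name not in after]
    return result


def demo() -> dict:
    """Constructed scenario standing in for 'snapshot, delete, reboot, snapshot'."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        (tmp / "DIO2.tmp").write_bytes(b"A" * 100)
        (tmp / "MAR1.tmp").write_bytes(b"B" * 200)
        (tmp / "~DF4A1B.tmp").write_bytes(b"C" * 50)
        (tmp / "notes.txt").write_bytes(b"ignored")  # no pattern match, never listed
        before = inventory(tmp)
        for name in before:  # the manual "delete them all" step from the thread
            (tmp / name).unlink()
        # After the (simulated) reboot: DIO2 returns byte-identical, MAR1 returns
        # with different content, ~DF4A1B stays gone and a new DIO3 appears.
        (tmp / "DIO2.tmp").write_bytes(b"A" * 100)
        (tmp / "MAR1.tmp").write_bytes(b"B" * 201)
        (tmp / "DIO3.tmp").write_bytes(b"D" * 10)
        return compare(before, inventory(tmp))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage (assumed paths): python triage.py <temp_dir> <snapshot.json>
        # The first run writes the snapshot; a later run compares against it.
        temp_dir, snap_file = Path(sys.argv[1]), Path(sys.argv[2])
        current = inventory(temp_dir)
        if snap_file.exists():
            print(json.dumps(compare(load_snapshot(snap_file), current), indent=2))
        else:
            save_snapshot(current, snap_file)
            print(f"Saved {len(current)} entries to {snap_file}")
    else:
        print(json.dumps(demo(), indent=2))
```

Run it once against each user profile's temp folder before deleting the files, then again after the reboot with the same snapshot path. A name in `regenerated_same` means the identical bytes are being dropped each boot, which is the hash worth submitting; `regenerated_changed` means something is writing fresh content under a fixed name. One caveat: if a rootkit is hiding files, as garmanma suggests later in the thread, a user-mode directory listing like this one may not see them at all, so an empty result is not proof of a clean folder.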

#5 Jetfly

  • Topic Starter
  • Members
  • 6 posts

Posted 06 June 2009 - 12:29 AM

THANKS Mark, I see you look through all the posts in the place!

Anyways, I don't think it would be of any use to post the HJT log. I went through each entry, and there is no reference to any known infection file or registry entry.

What makes me so suspicious is that many virus infectees have these files in their logs, and I can't find a concise reference to them.

From the lack of answers in the site, I'm guessing neither can some of the people who read this post.

Although I'm not suffering any symptoms, I'd feel much more at ease if I could find where these pesky files come from.

Jet

#6 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 06 June 2009 - 07:48 PM

I have searched a couple of libraries and couldn't find anything, sorry.
I will ask around.

BIT3D.tmp (this one's 35 MB)
http://www.threatexpert.com/report.aspx?md...b0d5709bdf57191
Mark

#7 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 07 June 2009 - 08:36 AM

Looks like malware has created these, and there is likely a rootkit protecting whatever is responsible.

MAR1.TMP
MAR2.TMP
MAR#.TMP

are all related; there are many more variants. See here:

http://spywaredlls.prevx.com/RRHFCJ18892640/MAR1.TMP.html

DIO2.TMP
DIO3.TMP
DIO#.tmp

Possibly related to ToSeeka. Again, there are many variants.

See topic title of this thread, and post number 4 of that thread for files listed to be removed by Avenger.

http://forums.majorgeeks.com/showthread.php?p=1131186

See also here: http://spywaredlls.prevx.com/RRIDJA19492223/DIO291.TMP.html

THX ~OB

Edited by garmanma, 07 June 2009 - 08:37 AM.

Mark

#8 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,989 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 07 June 2009 - 07:53 PM

You're welcome, garmanma.

@ Jetfly,

The tools used in the HiJack This forum go much more deeply than the tools allowed here. I strongly recommend that you post in that forum especially since the infection appears to be unknown and because we are unable to resolve the issues in this forum. The malware team is trained in malware research and diagnosis. Please note that we are not asking you to create a HiJack This log.

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you cannot produce the DDS logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



