These DIO#.tmp and MAR#.tmp files got me stumped. I am almost sure they are malware related. I keep deleting them, and they keep popping back whenever I reboot.
My XP SP3 PC was badly infected. The only symptom was that IE7 would take forever to start file downloads (they got stuck at 0%) and would start after a minute or so. Netstat showed no strange connections, but I knew it was highly suspicious behavior when I discovered IE would allow me to open the said files directly, instead of downloading. When I downloaded ComboFix, it said it was changed, which was a dead giveaway.
It didn't matter that I had AVG 7.5 installed and running.
I suspect I got infected after I downloaded 2 .ISO files from torrent sites (my new kitty played with the video DVDs for a legit exercise program I purchased, and messed them up). No, really. My wife has pictures of the %$# critter in action.
Following the different posts in this forum, I updated to AVG 8, which detected 2 trojans (password stealers). I turned Hard Drive monitoring off, but the trojans would pop in again after reboots. IE7 kept malfunctioning. Lots of weird exes (such as skp66.exe, 542.exe and such) and dlls were visually detected within my local settings\temp folders. Some were in use and would not delete. Some I killed from taskmgr.
I booted in safemode and ran AVG cmdline. Nothing was detected. I removed the exes and dlls manually, along with almost everything in temporary internet and temp, for each of my user profiles.
I rebooted to normal mode and ran ESET online (NOD32?) and nothing was detected. But it behaved funny. I thought of running Kaspersky, but it states that it doesn't really clean stuff, just detects. Wise guys... Anyways, IE 7 still malfunctioned, so I uninstalled IE7. IE6 = same symptoms.
I got tired of this and removed the drive. Stuck it in a 100% clean Vista PC, adopted it, and ran ESET online again. It detected a WHOLE BUNCH of malware, tracking cookies, registry entries, etc. in the imported drive. I had it clean everything.
I decided to follow your advice for other instances, and downloaded SpybotS&D162, MBytes, Combofix, and the one with the big Superman icon...
- Reinserted the hard drive on its PC, turned off AVG, and ran Spybot. Another bunch of stuff detected, and cleaned.
- Ran Malware Bytes full diag.... It froze the PC after scanning most of the system, and finding 1 unknown infection.
- Re-ran Mbytes fast detect and it found 4 more things, which I had it clean up.
The ###.exe files and the other exes are no longer popping back on again. The dlls are gone too. All thanks to your advice on removal tools.
However, I still have those DIO#.tmp, MAR#.tmp and ~DF4### files, which regenerate after reboots. I can delete them manually, but that doesn't reassure me much. I'm seeing these files in many of the submitted infected logs, and they don't look like regular tmp files.
I installed a cleaned CF this morning, made a deletion CFscript file and ran it. It deleted the files, but I know they will be regenerated, so I let CF run wild. It complained about an avg service that won't shut down, and the cmdcons, which I don't want to install. Left it when it was about to reboot.
I'm still wondering about those tmps. Anyone have any experience on what sort of infection generates them?
Thanks in advance.
Edited by garmanma, 05 June 2009 - 01:00 PM.