Okay so i'm using windows 7 Home Premium 64bit and Kaspersky as my Anti-Virus and recently every single time i start the computer it finds a file in my C:\Windows\Temp with a its name always changing but always ends in .temp.exe
These files are either Trojan-Downloader.Win32.Agent.hhfk or Trojan.Win32.Wdfload.b
I did a full system scan with Kaspersky but it didn't seem to find anything. After the system starts it always finds and deletes 1 or 2 of these and says that my PC is clean.
So i investigated the problem a little bit, also found another temp.exe file gF351.tmp.exe that appears after every restart and runs on my pc but Kaspersky find no danger in it. What i found interesting about this file however is the fact that it has a different permission setup than other files in the temp folder
Further more i only have 1 user on my PC and that is Csapi i don't even know whats that S-1-15-2-1 is. I don't know if i should be worried about this file but it looked like the ones that Kaspersky detected so i looked into it in Process Monitor
C:\ProgramData\10720_75196-38688 is a hidden folder and it was kinda weird as ProgramData was hidden itself and folders inside it were not except for this one. It contains 2 files:
Im not sure what to do with these as Kaspersky said they were clean so i didn't touch them but it is possible that some files are being missed by Kaspersky or rather it must be that as these Trojans always appear when my system boots up.
Any idea what could be the problem and what should i do?
Oh and instead of downloading Anti-Viruses as i don't know what counts as good i used VirusTotal to scan the files that looked interesting yet clean.
I don't really know how much should i trust VirusTotal and Kaspersky didn't trigger on these so rather decided to ask for help here before doing anything stupid.
Edited by Kiszembabatag, 02 December 2016 - 06:26 AM.