Trojan-Downloader in Windows temp folder reappearing


3 replies to this topic

#1 Kiszembabatag (Members, 2 posts)

Posted 02 December 2016 - 06:22 AM

Okay, so I'm using Windows 7 Home Premium 64-bit and Kaspersky as my anti-virus, and recently every single time I start the computer it finds a file in my C:\Windows\Temp with a name that is always changing but always ends in .temp.exe

[screenshot: Kaspersky detection]

These files are either Trojan-Downloader.Win32.Agent.hhfk or Trojan.Win32.Wdfload.b

 

I did a full system scan with Kaspersky, but it didn't seem to find anything. After the system starts it always finds and deletes 1 or 2 of these and says that my PC is clean.

So I investigated the problem a little bit, and also found another temp.exe file, gF351.tmp.exe, that appears after every restart and runs on my PC, but Kaspersky finds no danger in it. What I found interesting about this file, however, is the fact that it has a different permission setup than other files in the temp folder.

[screenshot: file permissions]

Furthermore, I only have 1 user on my PC and that is Csapi; I don't even know what that S-1-15-2-1 is. I don't know if I should be worried about this file, but it looked like the ones that Kaspersky detected, so I looked into it in Process Monitor.

[screenshot: Process Monitor]

C:\ProgramData\10720_75196-38688 is a hidden folder, and it was kind of weird, as ProgramData was hidden itself and the folders inside it were not, except for this one. It contains 2 files:

[screenshot: folder contents]

I'm not sure what to do with these, as Kaspersky said they were clean, so I didn't touch them, but it is possible that some files are being missed by Kaspersky, or rather it must be, as these Trojans always appear when my system boots up.

 

Any idea what the problem could be and what I should do?

 

Oh, and instead of downloading anti-viruses, as I don't know what counts as good, I used VirusTotal to scan the files that looked interesting yet clean.

[screenshot: VirusTotal result]

(Link: https://www.virustotal.com/en/file/a5d0cec60038bfa8eccb8e5183a393b47a99e762abf31bf0241a5979320d2041/analysis/1480677052/ )

 

[screenshot: VirusTotal result]

(Link: https://www.virustotal.com/en/file/b038237b68a9a12cf95978e157ed63e0a7f414056ee7f5c67e99b1e37deae7d6/analysis/1480677212/ )

 

I don't really know how much I should trust VirusTotal, and Kaspersky didn't trigger on these, so I decided to ask for help here before doing anything stupid.


Edited by Kiszembabatag, 02 December 2016 - 06:26 AM.
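The investigation described in the post (randomly named *.tmp.exe files in C:\Windows\Temp that return at every boot, a hidden folder under C:\ProgramData, an unfamiliar SID in the file's ACL, and no idea what re-creates the files) can be repeated as a read-only triage pass from an elevated PowerShell prompt. The script below is an added example, not something posted in the thread or provided by BleepingComputer or the tools named later in it. It assumes the two SHA-256 values from the VirusTotal links above, uses the file and folder names the poster quoted (they will differ on another machine), and treats "command line points into Temp or ProgramData" as a constructed heuristic for spotting the autostart entry that re-drops the files; that match pattern is an assumption, not a rule. For reference, S-1-15-2-1 is the well-known ALL APPLICATION PACKAGES SID. The script only reads and reports; it deletes nothing.

```powershell
# Added triage example (not from the thread). Assumed inputs: paths and hashes quoted in the post.
$KnownBad = @(
    'a5d0cec60038bfa8eccb8e5183a393b47a99e762abf31bf0241a5979320d2041',   # from the post's first VirusTotal link
    'b038237b68a9a12cf95978e157ed63e0a7f414056ee7f5c67e99b1e37deae7d6'    # from the post's second VirusTotal link
)
$SuspectFile  = 'C:\Windows\Temp\gF351.tmp.exe'        # name quoted in the post; will differ elsewhere
$PathPattern  = 'Temp|ProgramData'                      # constructed heuristic for autostart commands

# 1. Executables in C:\Windows\Temp, newest first, hashed and compared to the known list.
Write-Host "== Executables in C:\Windows\Temp =="
Get-ChildItem -Path 'C:\Windows\Temp' -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path     = $_.FullName
            Written  = $_.LastWriteTime
            SHA256   = $hash
            KnownBad = ($KnownBad -contains $hash)
        }
    } | Format-Table -AutoSize

# 2. Hidden folders directly under C:\ProgramData (the post's 10720_75196-38688 was one such folder).
Write-Host "== Hidden folders under C:\ProgramData =="
Get-ChildItem -Path 'C:\ProgramData' -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object FullName, CreationTime |
    Format-Table -AutoSize

# 3. ACL of the suspect file, with every identity shown both as account name and as raw SID,
#    so an entry such as S-1-15-2-1 can be read alongside the usual SYSTEM/Administrators/user ACEs.
if (Test-Path $SuspectFile) {
    Write-Host "== ACL of $SuspectFile =="
    (Get-Acl -Path $SuspectFile).Access | ForEach-Object {
        $id = $_.IdentityReference
        $sid = try { $id.Translate([Security.Principal.SecurityIdentifier]).Value } catch { $id.Value }
        [pscustomobject]@{
            Identity = $id.Value
            SID      = $sid
            Rights   = $_.FileSystemRights
            Type     = $_.AccessControlType
        }
    } | Format-Table -AutoSize
}

# 4. Boot-time persistence candidates: Run/RunOnce keys, scheduled tasks and services whose
#    command line points into Temp or ProgramData. schtasks and Get-WmiObject are used because
#    they exist on Windows 7's stock PowerShell; newer cmdlets are not required.
Write-Host "== Autostart entries matching $PathPattern =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $PathPattern } |
            ForEach-Object { "Registry: {0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match $PathPattern } |
    ForEach-Object { "Task: {0} -> {1}" -f $_.TaskName, $_.'Task To Run' }
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -match $PathPattern } |
    ForEach-Object { "Service: {0} ({1}) -> {2}" -f $_.Name, $_.State, $_.PathName }
```

Anything section 4 reports is the thing to look at first: a file that reappears at every boot is being re-created by something that runs at boot, and that launcher (not the dropped copy in Temp that the anti-virus keeps deleting) is what a cleanup tool has to remove. A hit in section 1 against the known hashes simply confirms the dropped file matches what was submitted to VirusTotal.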


#2 boopme (Global Moderator, 73,338 posts)

Posted 02 December 2016 - 04:25 PM

Hello, let's also run these 2 and see.

AdwCleaner
  • Please download AdwCleaner by Xplode and save it to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Kiszembabatag (Topic Starter, Members, 2 posts)

Posted 03 December 2016 - 06:26 AM

Hello, and forgive me for my late response, but I had already solved the problem yesterday, and I went to sleep and forgot to post it. Just in case anyone is dealing with this problem, here is how I solved it.

I downloaded Junkware Removal Tool and Kaspersky TDSSKiller, after that I rebooted my PC in safe mode and ran both (first TDSSKiller), plus I did a Disk Cleanup to remove any leftover files in the Temp directory.

 

After that was done and I rebooted my PC, Kaspersky stopped with the warnings on startup; I checked and the files that looked suspicious were gone. And no temp.exe file was running either.

[screenshot: clean startup]



#4 boopme (Global Moderator, 73,338 posts)

Posted 03 December 2016 - 10:29 AM

Thanks for posting back!!