MAMEWorld >> The Loony Bin

mike20599
MAME Fan
Reged: 09/14/08
Posts: 247


Viruses in temp folder
#265860 - 10/07/11 05:46 PM


I'm running Windows XP and I use Microsoft Security Essentials as my antivirus. Lately it's been picking up viruses in my
C:\Documents and Settings\[USER]\Local Settings\Temp
folder and cleaning them, but then the same virus just comes back 5 minutes later and gets wiped again. A full scan reveals nothing, but I'm assuming whatever is creating these virus files in my temp folder is still there. They are all listed as Trojan:Win32/Startpage.BO. Several weeks ago it was hf2.dll that kept appearing, then it stopped for a while, then a week later it was hf3.dll for a few days, and today it is zpa.dll and zpa.exe. Anyone got any ideas?



Lord Nightmare
Speech Synth Berzerker
Reged: 03/08/04
Posts: 855
Loc: PA, USA


Re: Viruses in temp folder [Re: mike20599]
#265862 - 10/07/11 05:54 PM


> I'm running Windows XP and I use Microsoft Security Essentials as my antivirus.
> Lately it's been picking up viruses in my
> C:\Documents and Settings\[USER]\Local Settings\Temp
> folder and cleaning them, but then the same virus just comes back 5 minutes later and
> gets wiped again. A full scan reveals nothing, but I'm assuming whatever is creating
> these virus files in my temp folder is still there. They are all listed as
> Trojan:Win32/Startpage.BO. Several weeks ago it was hf2.dll that kept appearing, then
> it stopped for a while, then a week later it was hf3.dll for a few days, and today it
> is zpa.dll and zpa.exe. Anyone got any ideas?

Yes; whatever is dropping those viruses into your temp folder is still running and active. Try running spybot, rkunhooker, etc. to track down where it is coming from, or perhaps it's easier to back up your important stuff, wipe the system and start from scratch.

LN



"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"



mike20599
MAME Fan
Reged: 09/14/08
Posts: 247


Re: Viruses in temp folder [Re: Lord Nightmare]
#265863 - 10/07/11 05:58 PM


Spybot comes up clean, going to try some other things.



Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


Re: Viruses in temp folder [Re: mike20599]
#265866 - 10/07/11 06:28 PM


Check these 2 paths in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and look for anything suspicious set to run when Windows starts up and delete it.

Also, you might want to run Malwarebytes with the computer in safe mode.



redk9258
Regular
Reged: 09/21/03
Posts: 3968
Loc: Troy, Illinois USA


Re: Viruses in temp folder [Re: Hizzout]
#265867 - 10/07/11 06:55 PM


Another good offline tool...
http://connect.microsoft.com/systemsweeper



mike20599
MAME Fan
Reged: 09/14/08
Posts: 247


Found a strange IP [Re: Hizzout]
#265868 - 10/07/11 06:57 PM


I checked the registry and didn't see anything suspicious looking. Also checked the processes under Task Manager and didn't see anything weird there either.

I did turn on PeerBlock though and saw this strange IP address that my computer seemed to connect to right about the same time the viruses appear. Turns out it is in Argentina. I have now blocked that IP, and the virus hasn't come back since. My computer is still trying to connect to that IP every few minutes through a different port though. This thing must be it. But how do I figure out what program is making that outgoing request to that IP?
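One way to answer the question in this post, added here as an example and not something anyone posted in the thread: on XP, `netstat -ano` lists every socket with the PID that owns it, and `tasklist /fo csv` maps PIDs to image names (both commands are assumed to be present; the thread itself mentions neither). The Python below parses constructed samples of both outputs and reports which process holds sockets to a given remote address; the IP 203.0.113.9 is a documentation address standing in for the one the poster saw, which the thread never gives.

```python
import csv
import io
from collections import defaultdict

# Constructed `netstat -ano` output; 203.0.113.9 (a documentation address) stands in for
# the real IP, which the thread never gives. XP columns: Proto, Local, Foreign, State, PID.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.5:1052       203.0.113.9:8080       SYN_SENT        2316
  TCP    192.168.1.5:1061       203.0.113.9:443        SYN_SENT        2316
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv` output; zpa.exe is the file name from the first post.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","1044","Console","0","4,812 K"
"zpa.exe","2316","Console","0","2,140 K"
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()                      # banner, header and blank lines match neither branch
        if f[:1] == ["UDP"] and len(f) == 4:
            rows.append(("UDP", f[1], f[2], "", int(f[3])))
        elif f[:1] == ["TCP"] and len(f) == 5:
            rows.append(("TCP", f[1], f[2], f[3], int(f[4])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def processes_talking_to(ip, netstat_text, tasklist_text):
    """PID -> (image name, sorted remote ports) for every socket whose peer address is `ip`."""
    names = parse_tasklist(tasklist_text)
    ports = defaultdict(set)
    for _proto, _local, foreign, _state, pid in parse_netstat(netstat_text):
        host, _, port = foreign.rpartition(":")   # split 'a.b.c.d:port'; '*:*' never matches
        if host == ip:
            ports[pid].add(int(port))
    return {pid: (names.get(pid, "<unknown>"), sorted(p)) for pid, p in ports.items()}
```

Because the poster sees the connection retried on changing ports, the function groups by PID rather than by port, so a process that rotates ports still shows up as one entry.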



BIOS-D
MAME Fan
Reged: 08/07/06
Posts: 1688


Re: Found a strange IP [Re: mike20599]
#265874 - 10/07/11 07:57 PM


> I checked the registry and didn't see anything suspicious looking. Also checked the
> processes under Task Manager and didn't see anything weird there either.
>
> I did turn on PeerBlock though and saw this strange IP address that my computer
> seemed to connect to right about the same time the viruses appear. Turns out it is in
> Argentina. I have now blocked that IP, and the virus hasn't come back since. My
> computer is still trying to connect to that IP every few minutes through a different
> port though. This thing must be it. But how do I figure out what program is making
> that outgoing request to that IP?

Maybe it's a running service and not a run-on-startup program. Type "services.msc" in a command prompt and check if you see anything unusual. It could also be a rootkit; that will be a bit harder to detect.



Hizzout
70's baby, early 80's child
Reged: 02/05/04
Posts: 4841


Re: Found a strange IP [Re: mike20599]
#265878 - 10/07/11 08:39 PM


Might want to check your hosts file then. It's at:

c:\windows\system32\drivers\etc\hosts

Open the hosts file with Notepad. Look for any strange redirects or other funky IPs you're not familiar with.

127.0.0.1 localhost is normal, and ok to leave.
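The check described in this post can be scripted. The following is an added example, not code from the thread: a small Python parser that reads a hosts file and flags the two patterns a hijacker leaves behind, a name sent to a non-loopback address, and a name other than localhost pinned to 127.0.0.1 (which silently blocks that site, typically a security vendor's update server). The sample hosts file is constructed, not taken from the poster's machine.

```python
import ipaddress

# Constructed sample of a tampered XP hosts file (not from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org   # AV vendor pinned to loopback: updates silently fail
198.51.100.23   www.google.com google.com   # search engine sent to a stranger's server
"""

# Names that legitimately point at loopback in a stock Windows hosts file.
NORMAL_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, address, name) for every name mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:                  # one address may carry several names
            yield line_no, fields[0], name

def classify(address, name):
    """Return a reason string if the mapping looks like a hijack, else None."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "address does not parse as IPv4/IPv6"
    if ip.is_loopback:
        if name.lower() in NORMAL_LOOPBACK_NAMES:
            return None                          # the normal '127.0.0.1 localhost' case
        return "non-localhost name pinned to loopback (site/update blocking)"
    return "name redirected to a non-loopback address"

def suspicious_entries(text):
    """List of (line_no, address, name, reason) entries worth a second look."""
    hits = []
    for line_no, address, name in parse_hosts(text):
        reason = classify(address, name)
        if reason:
            hits.append((line_no, address, name, reason))
    return hits

if __name__ == "__main__":
    for line_no, address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} {name} -> {reason}")
```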



Sune
Connected
Reged: 09/21/03
Posts: 5648
Loc: Lagoa Santa, Brasil


Re: Viruses in temp folder [Re: mike20599]
#265879 - 10/07/11 08:48 PM


> They are all listed as
> Trojan:Win32/Startpage.BO.

Browser hijack?

Check your browser plugins/extensions and use this:
http://free.antivirus.com/hijackthis/

S



cyberdman
MAME Fan
Reged: 03/04/06
Posts: 351


Re: Found a strange IP [Re: mike20599]
#265880 - 10/07/11 08:50 PM


Normally I swear by Malwarebyte's Anti-Malware which is generally fantastic, however for that rogue shit stuff like what you are describing that is doing what you are saying I recommend ComboFix first, then Malwarebyte's Anti-Malware.

ComboFix (http://www.combofix.org/download.php) just nukes stuff like that, and Malwarebytes (http://www.malwarebytes.org) will remove anything left over.

Good luck.



cyberdman



Stiletto (Administrator)
They're always after me Lucky ROMS!
Reged: 03/07/04
Posts: 6472


Re: Found a strange IP [Re: cyberdman]
#265882 - 10/07/11 09:44 PM


> Normally I swear by Malwarebyte's Anti-Malware which is generally fantastic, however
> for that rogue shit stuff like what you are describing that is doing what you are
> saying I recommend ComboFix first, then Malwarebyte's Anti-Malware.
>
> Combofix, http://www.combofix.org/download.php , just nukes stuff like that and the
> Malwarebytes, http://www.malwarebytes.org , will remove anything left over.
>
> Good luck.

I've become a fan of Hitman Pro, a quick-and-dirty cloud-based antivirus.
http://www.surfright.nl

- Stiletto



BIOS-D
MAME Fan
Reged: 08/07/06
Posts: 1688


Re: Found a strange IP [Re: Stiletto]
#265884 - 10/07/11 09:58 PM


> > Normally I swear by Malwarebyte's Anti-Malware which is generally fantastic, however
> > for that rogue shit stuff like what you are describing that is doing what you are
> > saying I recommend ComboFix first, then Malwarebyte's Anti-Malware.
> >
> > Combofix, http://www.combofix.org/download.php , just nukes stuff like that and the
> > Malwarebytes, http://www.malwarebytes.org , will remove anything left over.
> >
> > Good luck.
>
> I've become a fan of Hitman Pro, a quick-and-dirty cloud-based antivirus.
> http://www.surfright.nl
>
> - Stiletto

SUPERAntiSpyware is a good portable alternative too.

http://www.superantispyware.com



redk9258
Regular
Reged: 09/21/03
Posts: 3968
Loc: Troy, Illinois USA


Re: Found a strange IP [Re: BIOS-D]
#265889 - 10/08/11 12:58 AM


Lots of good links. Maybe this should be consolidated and made a sticky!



lharms
MAME Fan
Reged: 01/07/06
Posts: 908


Re: Viruses in temp folder [Re: Hizzout]
#265891 - 10/08/11 01:57 AM


Those are a good start. But this hits almost all the 'autorun' locations.

http://technet.microsoft.com/en-us/sysinternals/bb963902

If it is happening pretty quickly you can use this to find the process that is doing it. That could help find out how to kill it.

http://technet.microsoft.com/en-us/sysinternals/bb896645

