Viruses in temp folder

Discussion in 'Windows XP / Older OS' started by mike20599, Oct 7, 2011.

  1. mike20599

    mike20599 MDL Novice

    Dec 28, 2010
    14
    0
    0
    I'm running Windows XP and I use Microsoft Security Essentials as my antivirus. Lately it's been picking up viruses in my
    C:\Documents and Settings\[USER]\Local Settings\Temp
    folder and cleaning them, but then the same virus just comes back 5 minutes later and gets wiped again. A full scan reveals nothing, but I'm assuming whatever is creating these virus files in my temp folder is still there. They are all listed as Trojan:Win32/Startpage.BO. Several weeks ago it was hf2.dll that kept appearing, then it stopped for a while, then a week later it was hf3.dll for a few days, and today it is zpa.dll and zpa.exe. Anyone got any ideas? What exactly has permission to create files in my temp folder? Just about everything?
     
  2. Paiva

    Paiva MDL Developer

    Apr 9, 2011
    1,275
    1,451
    60
    Make sure there is a virus executable starting with Windows ...
    If so delete the entry ...
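What "starting with Windows" covers in practice is wider than Task Manager or a quick look through the registry shows. The following is an added example written by the editor, not code from Paiva or anyone else in this thread: it lists the Run/RunOnce keys the reply points at, and also the Winlogon Shell/Userinit values, AppInit_DLLs, Browser Helper Objects and the Startup folders, which matter here because the dropped files are DLLs and a DLL needs some in-process load point. It assumes PowerShell 2.0, which can be installed on XP SP3; the all-users Startup path used below is the XP layout.

```powershell
# Added example, not code from the thread. Lists the common autostart and
# in-process load points so an unexpected entry can be reviewed by hand.
# Assumes PowerShell 2.0 (installable on XP SP3). Run from an admin prompt.

function Get-RegistryValues {
    # Returns Name/Value pairs under a key, optionally limited to a few value names.
    param([string]$Path, [string[]]$Only = @())
    if (-not (Test-Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        if ($Only.Count -gt 0 -and $Only -notcontains $p.Name) { continue }
        New-Object PSObject -Property @{
            Location = $Path; Name = $p.Name; Value = [string]$p.Value
        }
    }
}

$entries = @()
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')) {
    $entries += Get-RegistryValues -Path $key
}
# Shell/Userinit get replaced by hijackers; AppInit_DLLs loads a DLL into every GUI process.
$entries += Get-RegistryValues -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Only Shell, Userinit
$entries += Get-RegistryValues -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -Only AppInit_DLLs

# Browser Helper Objects: each subkey is a CLSID; the DLL path lives under HKCR.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in Get-ChildItem -Path $bhoKey) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($clsid.PSChildName)\InprocServer32"
        $dll = ''
        if (Test-Path $server) { $dll = [string](Get-ItemProperty -Path $server).'(default)' }
        $entries += New-Object PSObject -Property @{ Location = $bhoKey; Name = $clsid.PSChildName; Value = $dll }
    }
}

# Startup folders: current user via .NET; the all-users path below is the XP layout
# (Vista and later use ProgramData\Microsoft\Windows\Start Menu\Programs\Startup).
$startupFolders = @([Environment]::GetFolderPath('Startup'),
                    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'))
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($f in Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer }) {
        $entries += New-Object PSObject -Property @{ Location = $folder; Name = $f.Name; Value = $f.FullName }
    }
}

$entries | Sort-Object Location, Name | Format-Table Location, Name, Value -AutoSize -Wrap

# Anything launched out of a Temp directory, or a Shell value other than explorer.exe,
# deserves a hard look before it is deleted.
foreach ($e in $entries) {
    if ($e.Value -match '\\Temp\\' -or ($e.Name -eq 'Shell' -and $e.Value -ne 'explorer.exe')) {
        Write-Warning ("Suspicious autostart: {0} :: {1} = {2}" -f $e.Location, $e.Name, $e.Value)
    }
}
```

The listing is deliberately not filtered to "known bad": the point is to read every value once and recognise the ones that do not belong, since a hijacker that sets Shell or drops a BHO leaves nothing in Task Manager's process list to notice.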
     
  3. mike20599

    mike20599 MDL Novice

    Dec 28, 2010
    14
    0
    0
    I checked the registry and didn't see anything suspicious looking. Also checked the processes under Task Manager and didn't see anything weird there either.

    I did turn on PeerBlock though and saw this strange IP address that my computer seemed to connect to right about the same time the viruses appear. Turns out it is in Argentina. I have now blocked that IP, and the virus hasn't come back since. My computer is still trying to connect to that IP every few minutes through a different port though. This thing must be it. But how do I figure out what program is making that outgoing request to that IP?
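The question at the end of the post, which program is making the outgoing request, can be answered from the command line on XP. The following is an added example by the editor, not code from the thread: it parses `netstat -ano` (which XP ships with), keeps only rows whose foreign address is the blocked IP, resolves the PID with Get-Process, and polls because the beacon only appears every few minutes. It assumes PowerShell 2.0 and an admin prompt, so that image paths and loaded modules of every process can be read; the address in the last line is a placeholder from the documentation range, not the real one from PeerBlock.

```powershell
# Added example, not code from the thread. Maps connections to a remote address
# back to the owning process by parsing `netstat -ano` (present on XP) and
# resolving the PID with Get-Process. Assumes PowerShell 2.0; run as admin so
# every process's image path and module list can be read.

function Get-ConnectionsTo {
    param([string]$RemoteIp)
    $escaped = [regex]::Escape($RemoteIp)
    foreach ($line in (netstat -ano)) {
        if ($line -notmatch '^\s*(TCP|UDP)\s') { continue }
        $f = $line.Trim() -split '\s+'
        # TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
        if ($f[0] -eq 'TCP') { $state = $f[3]; $ownerPid = [int]$f[4] }
        else                 { $state = '';    $ownerPid = [int]$f[3] }
        if ($f[2] -notmatch "^${escaped}:") { continue }

        $name = '?'; $path = '?'; $tempModules = @()
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        if ($proc) {
            $name = $proc.ProcessName
            # Path/Modules throw for processes we cannot open; report '?' rather than abort.
            try { $path = $proc.Path } catch {}
            try {
                # A DLL loaded out of Temp inside svchost/explorer/a browser is the real culprit.
                $tempModules = @($proc.Modules | Where-Object { $_.FileName -match '\\Temp\\' } |
                                ForEach-Object { $_.FileName })
            } catch {}
        }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            PID = $ownerPid; Process = $name; Path = $path
            TempModules = ($tempModules -join '; ')
        }
    }
}

function Watch-ConnectionsTo {
    # Polls because the connection is only open for a moment every few minutes; Ctrl+C to stop.
    param([string]$RemoteIp, [int]$IntervalSeconds = 5)
    while ($true) {
        $hits = @(Get-ConnectionsTo -RemoteIp $RemoteIp)
        if ($hits.Count -gt 0) {
            Write-Host ("[{0}] {1} connection(s) to {2}" -f (Get-Date -Format 'HH:mm:ss'), $hits.Count, $RemoteIp)
            $hits | Format-Table Proto, Local, Remote, State, PID, Process, Path, TempModules -AutoSize -Wrap
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Placeholder address (documentation range); substitute the one PeerBlock reported.
Watch-ConnectionsTo -RemoteIp '203.0.113.10'
```

Two caveats a practitioner would add. The PID is only meaningful while the socket still exists, which is why the loop polls rather than running netstat once after PeerBlock fires. And if the owner turns out to be svchost.exe, explorer.exe or the browser, that process is only the host: the TempModules column (or `tasklist /m zpa.dll` on XP, which lists every process with that module loaded) is what points at the file to remove.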
     
  4. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    #4 stayboogy, Oct 7, 2011
    Last edited: Oct 7, 2011
    acrsn is right, do a full scan with Malwarebytes.

    But in the meantime, you should go and delete every file in your temp folder manually (go to Start, Run, and type "%temp%" without quotations and manually delete every file; if you use DivX do not delete the DDMCache folder but delete every file in that folder). MSE and other AV programs may say that they clean a file in your "temp" folder but they do not really delete it fully and it is still there, because it is normally in .tmp extension and most often comes from a file you downloaded or partly downloaded. Also you need to manually delete all the cookie files from every browser you have used, and then manually delete all your temporary internet files (do not use the Internet Options but manually go into the folder location and do it: C:\Documents and Settings\your user name\Local Settings\Temporary Internet Files\ and manually delete every file). If you use Firefox you will have to go to C:\Documents and Settings\your user name\Application Data\Mozilla\Firefox\Profiles\whatever.default\ and delete cookies.sqlite manually.

    Also you need to download Spybot (not the new 2.0 beta because it sux) but download 1.6.2 or whatever and update it, then immunize your browsers. This will help with possible tracking cookies and other viruses that are downloaded to your machine that you never ever know about and take no input from you but just using the internet. Also run a full scan with this too. I have to disagree with acrsn here because I think SuperAntiSpyware is a piece of crap and I've got a ton of experience fighting these things; Malwarebytes and Spybot are going to be the number 1 and 2 go-getters of most malware/spyware out there. Trojans and everything else generally require a standard AV program but can most often be beaten manually, providing you find where the file is and delete the hidden registry keys pertaining to it...

    This should fix your problems, providing that something has not hidden itself in your registry or somewhere else in your file system, which is why you need to run Malwarebytes.
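The post's advice is to clear %temp% by hand and notes that an AV "clean" can leave the file behind. The following is an added example by the editor, not code from stayboogy or the thread: instead of deleting, it inventories the Temp folder (name, size, timestamps, SHA-256) and moves every file into a quarantine directory with a non-executable extension, so the samples survive for a later scan or submission, and it reports the files that cannot be moved, because a file held open by a running process is exactly the one that keeps coming back. It assumes PowerShell 2.0 (no Get-FileHash there, so .NET's SHA-256 is used); the quarantine path is a placeholder, and it should be run as the affected user so that $env:TEMP resolves to that profile's Local Settings\Temp.

```powershell
# Added example, not code from the thread. Inventories the user's Temp folder
# (name, size, timestamps, SHA-256) and moves the files into a quarantine
# directory with a non-executable extension instead of deleting them, so the
# samples survive for a later scan or submission. Files that cannot be moved are
# reported: a file locked by a running process is the one worth chasing.
# Assumes PowerShell 2.0 (no Get-FileHash, hence .NET SHA-256). The
# quarantine path is a placeholder.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    # FileShare.ReadWrite lets us hash a file another process still has open for writing.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-TempInventory {
    param([string]$Folder = $env:TEMP)
    foreach ($f in Get-ChildItem -Path $Folder -Recurse -Force | Where-Object { -not $_.PSIsContainer }) {
        $hash = 'LOCKED'   # left as-is when the file cannot even be opened for reading
        try { $hash = Get-Sha256Hex -Path $f.FullName } catch {}
        New-Object PSObject -Property @{
            FullName = $f.FullName; Size = $f.Length
            Created = $f.CreationTime; Modified = $f.LastWriteTime; Sha256 = $hash
        }
    }
}

function Move-TempToQuarantine {
    param([string]$Folder = $env:TEMP, [string]$Quarantine = 'C:\Quarantine')   # placeholder path
    if (-not (Test-Path $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $inventory = @(Get-TempInventory -Folder $Folder)
    # Keep the inventory next to the samples: hashes and creation times are what an analyst asks for.
    $inventory | Export-Csv -Path (Join-Path $Quarantine "inventory-$stamp.csv") -NoTypeInformation

    $moved = 0; $locked = @(); $i = 0
    foreach ($item in $inventory) {
        $i++
        # Keep the original name, add a counter (subfolders may repeat names) and .bin so
        # nothing in quarantine is directly runnable.
        $dest = Join-Path $Quarantine ("{0}.{1}.{2}.bin" -f (Split-Path $item.FullName -Leaf), $stamp, $i)
        try   { Move-Item -LiteralPath $item.FullName -Destination $dest -ErrorAction Stop; $moved++ }
        catch { $locked += $item }
    }
    Write-Host ("Quarantined {0} file(s); {1} could not be moved." -f $moved, $locked.Count)
    # These are the interesting ones: something running has them open.
    $locked | Format-Table FullName, Size, Created, Sha256 -AutoSize -Wrap
}

Move-TempToQuarantine
```

Moving rather than deleting costs nothing (Temp is supposed to be disposable) and keeps the hf2.dll / zpa.dll samples with their hashes, which is what lets you tell later whether the file that "comes back" is the same binary being re-dropped or a fresh one.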
     
  5. evlad

    evlad MDL Member

    May 23, 2011
    225
    175
    10
  6. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    #7 stayboogy, Oct 7, 2011
    Last edited: Oct 8, 2011
  7. x86

    x86 MDL Addicted

    Jul 8, 2011
    894
    204
    30
    @ stayboogy
    Removing malware under Safe Mode vs Normal Mode has worked for me in the past. Although it is harder to detect malware under Safe Mode, it is much easier to remove once it's been detected - for the very same reason you mentioned i.e. because hijacked process(es) are not running / not in use. That is why I emphasised for him to run full system scan (MBAM) and not just a quick scan.

    @ mike20599
    Feel free to follow any suggestion you prefer (even if it isn't mine...). This ain't a "who's right vs who's wrong" contest - just people putting down useful ideas that might help fix a problem. I haven't ever suggested anything of luck / guesswork; all comes from my own experience under similar problems I already tackled in the past...
     
  8. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    It's all good x86, it's just that even on blogs and security sites Safe Mode is suggested and it never works that well at removing the root problem, since most malware, spyware, and trojans come in pairs and more, most often. And you are right, this isn't who's right vs. who's wrong, and that's not what I was meaning in my response in any way, and I'm not claiming I'm the most right or anything, but experience has proved on my end that my suggestions more times than not work, as opposed to some of these others (others in general) which I've tried in the past as well. To each his own, I guess, but I'm really prideful when it comes to virus removal, I've done it A LOT... :cool:

    Still friends? I hope so :hug2:
     
  9. x86

    x86 MDL Addicted

    Jul 8, 2011
    894
    204
    30
    No worries at all mate. It's quite often I found that there is more than one possible solution to a particular problem. Just like whilst filling in a puzzle you need all pieces in order to master it. Likewise you may consider any useful suggestions we make here as the missing pieces of that puzzle. Some of them might not fit straight in; yet again others will eventually provide the ideal solution. Just a metaphor of me trying to say that all (useful / constructive) suggestions are welcome here :)