
Thread: Rogue executable in C:\windows\temp

  1. #1
    Join Date
    Oct 2007
    Posts
    17

    Rogue executable in C:\windows\temp

    Network admin has noticed that a system is constantly trying to connect to a domain with the following IP: 216.133.246.134. We have blocked all outbound traffic to this 'ad' site. Upon further investigation of the PC, I have found that there is an unknown, rogue process running with a corresponding .exe located in the C:\windows\temp folder. This executable and process name changes upon every reboot. We have tried various spyware programs and registry cleaning programs to no avail. I do have a HijackThis log file available and will post this when asked.

    Any help will be greatly appreciated.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Go ahead and post the HJT log, but I would also suggest you follow the steps given here: "READ ME Before Posting A Request For Assistance!", paying close attention to the instructions given in step #8 to disconnect completely from the internet when doing steps listed in that section. But do them all of course as directed before you get to step #8. But DO post that first HJT log you already have.

    Searching the IP it shows it is Vitalstream Holdings, Inc. in Irvine, CA. It appears to relate to Streaming Media and Media Console Software.

    Is this taking place on only ONE computer?

  3. #3
    Join Date
    Oct 2007
    Posts
    17
    Yes, it is only happening on one computer. I am in the process of following the steps in the 'Read Me' post. Should have all attachments posted tomorrow.
    Thank you for your reply.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I'll be waiting.

  5. #5
    Join Date
    Oct 2007
    Posts
    17
    I have attached the 2 HJT logs and the Kaspersky log. After running AVG, there was nothing found by the scan and I did not see an option to save the log. Regarding the HJT logs, take note of the sections I have "***". This is the executable that continues to rename itself upon every reboot. There is also a subsequent process running of the same name. I'll be waiting for your reply and hopefully you'll have some idea.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Go back and do a Full system scan with the Kaspersky online.

  7. #7
    Join Date
    Oct 2007
    Posts
    17
    I must be missing something. Was that not a full system scan log that I submitted? If I recall the choices, I did not see an option for a FULL SCAN. I performed the Critical scan I believe.

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Note from your log that you didn't scan the full computer, just Critical Areas:
    Scan Target - Critical Areas:
    C:\WINDOWS
    C:\DOCUME~1\JVinski\LOCALS~1\Temp\
    Total number of scanned objects: 16419
    Here is one which has scanned the entire computer:

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 62856
    Note the differences. Your scan only scanned 16419 objects. Full computer scan scanned 62856 objects.

  9. #9
    Join Date
    Oct 2007
    Posts
    17
    Okay, so then I should be choosing the 'select folders' option and select all of the C: drive. If I do 'My Computer' as you suggested, will this program also scan the contents of the 15 mapped drives this user has set up?

  10. #10
    Join Date
    Oct 2007
    Posts
    17
    I hope not to be wasting your time, but I ran a 'selected folder' scan on this system. It scanned 30,000+ files. Attaching the log. If this still isn't good enough, I will document and unmap all drives and run another scan overnight.