
Thread: Rogue executable in C:\windows\temp


  1. #1 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Sorry, but this shows nothing. Have you tried checking Task Manager to find the unknown rogue running, ending it and then deleting the Windows Temp files? Have you tried deleting Temp files in Safe Mode?
    Did you follow all the steps given in the sticky, including running ATF-Cleaner in Safe Mode? Did you run the AVG anti-spy program in Safe Mode?

  2. #2 (Join Date: Oct 2007, Posts: 17)
    This executable does show in the list of processes in Task Manager with the exact same name that appears in C:\windows\temp. I have deleted temp files, not in Safe Mode though. I will do this and let you know. Thanks.

  3. #3 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Quote:
        This executable does show in the list of processes in Task Manager with the exact same name that appears in C:\windows\temp.
    Have you tried ending the process using Task Manager?

  4. #4 (Join Date: Oct 2007, Posts: 17)
    Yes. We are able to end the process. However, whenever the system is rebooted the process and file "reappear" under a completely different and random name.

  5. #5 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    End the process in Task Manager and then empty the Temp files.

  6. #6 (Join Date: Aug 2006, Posts: 578)
    You guys might also want to try locating the current "rogue .exe" and uploading it for analysis here ---> http://www.kaspersky.com/remoteviruschk.html

    I think Jotti is down, but you should try it as well --> http://virusscan.jotti.org/

    It might give you an idea of what "family" of baddie you have here. Reminds me a bit of Vundo or WebNexus.....

    Best Luck
    PP
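The two suggestions so far, find the process that is running out of C:\Windows\Temp and get the file to an online scanner, can be done in one pass from an elevated PowerShell prompt. The script below is an added example and is not code from this thread or from any of the tools it names. It assumes Windows PowerShell 5.1 or later (the original poster was on a 2007-era Windows install, where this would not have been available), takes the Temp directory from $env:windir, and the -Kill switch, the rogue-samples folder on the Desktop and the report.csv file name are my own choices. It hashes and copies each suspect image before anything is terminated, because post #4 above says the file comes back under a different random name after a reboot, so the copy you take now is the only sample you will get.

```powershell
# Added example (not from the thread): locate processes whose image lives under
# C:\Windows\Temp, record what an online scanner or analyst will ask for (hash,
# size, creation time, signature status, parent PID), keep a copy of the sample,
# and optionally end the processes. Assumes Windows PowerShell 5.1+ and an
# elevated prompt; -Kill, the evidence folder and report.csv are assumed names.

param([switch]$Kill)

$tempDir = Join-Path $env:windir 'Temp'

# Get-Process exposes .Path only when the caller can open the process; run
# elevated so processes owned by SYSTEM are not silently skipped.
$suspects = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase) }

if (-not $suspects) {
    Write-Host "No running process has its image under $tempDir"
    return
}

$report = foreach ($p in $suspects) {
    $file   = Get-Item -LiteralPath $p.Path -ErrorAction SilentlyContinue
    $hash   = if ($file) { (Get-FileHash -LiteralPath $p.Path -Algorithm SHA256).Hash } else { $null }
    $sig    = if ($file) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { $null }
    # The parent tells you what launched it (explorer.exe, a service host, another dropper).
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ParentProcessId
    [pscustomobject]@{
        PID       = $p.Id
        Name      = $p.ProcessName
        Path      = $p.Path
        SizeBytes = $file.Length
        Created   = $file.CreationTime
        SHA256    = $hash
        Signature = $sig
        ParentPID = $parent
    }
}

$report | Format-List

# Preserve the sample BEFORE ending the process. A running image can be copied
# (it cannot be deleted or overwritten), and the copy is renamed to its hash
# with a .bin extension so a stray double-click cannot execute it.
$evidence = Join-Path $env:USERPROFILE 'Desktop\rogue-samples'
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
foreach ($r in $report) {
    if ($r.SHA256) {
        Copy-Item -LiteralPath $r.Path -Destination (Join-Path $evidence "$($r.SHA256).bin") -Force
    }
}
$report | Export-Csv -Path (Join-Path $evidence 'report.csv') -NoTypeInformation

# Only now end the processes, and only if asked to.
if ($Kill) {
    foreach ($r in $report) { Stop-Process -Id $r.PID -Force -ErrorAction SilentlyContinue }
}
```

Run it once without -Kill to collect the evidence, upload the .bin copy (or just paste the SHA256) to whichever scanner you use, and then run it again with -Kill. A Signature value of NotSigned or HashMismatch on something living in Temp is the quickest tell; a random-looking name with a fresh CreationTime on every boot matches what post #4 describes.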

  7. #7 (Join Date: Oct 2007, Posts: 17)
    Thank you both. Will post back any findings shortly.

  8. #8 (Join Date: Oct 2007, Posts: 17)
    Quick update. I ran a program called RegCure. After this fixed 300+ errors the rogue .exe and process were gone. I then searched for and deleted .tmp files (84 found). In Safe Mode, I also searched for .tmp files. None found.

    Hey philliephan, I'm located in Phillies country (1 hour northeast of Philly). What a season. Hope they learned something and build on it.

    Anyway, I will try uploading this .exe to that site. I'm assuming they will allow an .exe to be uploaded?

  9. #9 (Join Date: Aug 2006, Posts: 578)
    Quote (Originally Posted by hipp2112):
        Hey philliephan, I'm located in Phillies country (1 hour northeast of Philly). What a season. Hope they learned something and build on it.
    I'm in Ohio - right near OSU. Have been a long-suffering Phillies fan for 30+ years. I think they will indeed build on this season's success. If there is a silver lining to the season, it is that the Rockies proved that a team in that kind of stadium/atmosphere or whatever you want to call it can reach the series. The Phils are in the same sort of boat with the new ballpark being such an offensive mecca....

    --- Anyhoo, regarding your "malware" - I am not sure you have a real baddie. I wonder if it is not something a bit on the "grey" side that you or somebody else installed recently?
    For example, I see that you have stopped QuickSweeper from running via msconfig. It is mild adware:
    http://www.spywareresources.com/thre...threatid=44396

    So, I wonder if there is anything else along those lines? Perhaps you could get us a Startup List or an Uninstall List? (Judy - SPD's scanner should do the trick here.)

    It looks through WhoIs that your compy is trying to connect to a legit ad site in California (most we tend to run into head straight for the Ukraine, lol) and that would indicate to me an adware bundler such as that QuickSweeper......

    I think the problem is hiding in plain sight as a "legitimate" app. Just my $.02

    Best Luck
    PP

  10. #10 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    I agree totally with PP that QuickSweeper is the only thing I see in the ComboFix log.

    Run HJT again, but this time first get a Startup listing:
    1. Start HijackThis and go into the Config option.
    2. Click on the Misc Tools button at the top.
    3. Click on the button labeled "Generate StartupList Log".
    Once you click that button, the program will automatically open a Notepad window filled with the Startup items from your computer. Copy and paste these entries into a message and submit it.

    Next we will want an Uninstall List.
    To access the Uninstall Manager you would do the following:
    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file.
    When you press the Save button a Notepad window will open with the contents of that file. Simply copy and paste the contents of that here also.
    Judy
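The StartupList and Uninstall Manager output that Judy asks for can be produced without HijackThis on any current Windows box. The script below is an added example, not HijackThis output or code from this thread; it walks the usual autorun locations (Run/RunOnce keys, Winlogon Shell and Userinit, services, scheduled tasks, the Startup folders) and the Uninstall registry keys, and flags any command that points into a temp or user-writable directory, which is where the rogue executable in this thread kept coming back. It assumes Windows PowerShell 5.1 or later and an elevated prompt; the flag pattern, the Test-Suspicious and Add-Entry helper names and the Suspicious column are my own choices.

```powershell
# Added example (not from the thread): a plain-PowerShell stand-in for the
# HijackThis "Generate StartupList Log" and "Uninstall Manager" steps, with
# entries that launch from Temp-like or user-writable paths flagged first.
# Assumes Windows PowerShell 5.1+; run elevated to read HKLM and all tasks.
# Test-Suspicious, Add-Entry and $flagPattern are assumed names for this example.

$flagPattern = '\\(Windows\\Temp|Temp|Local Settings\\Temp|AppData\\Local\\Temp|ProgramData|Users\\Public)\\'

function Test-Suspicious([string]$command) {
    return ($command -match $flagPattern)   # -match is case-insensitive by default
}

$entries = New-Object System.Collections.Generic.List[object]

function Add-Entry($source, $name, $command) {
    if (-not $command) { return }
    $entries.Add([pscustomobject]@{
        Source     = $source
        Name       = $name
        Command    = $command
        Suspicious = Test-Suspicious $command
    })
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { Add-Entry $key $p.Name $p.Value }   # skip PSPath etc.
        }
    }
}

# 2. Winlogon Shell / Userinit: a classic hijack point, should be explorer.exe / userinit.exe
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Add-Entry 'Winlogon' 'Shell'    $winlogon.Shell
Add-Entry 'Winlogon' 'Userinit' $winlogon.Userinit

# 3. Services (PathName is the full command line of the service binary)
Get-CimInstance Win32_Service | ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

# 4. Scheduled tasks; one task may carry several actions
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Entry 'ScheduledTask' $task.TaskName ("$($a.Execute) $($a.Arguments)") }
    }
}

# 5. Per-user and all-users Startup folders
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName }
}

"=== Startup list (suspicious entries first) ==="
$entries | Sort-Object -Property @{Expression='Suspicious'; Descending=$true}, Source |
    Format-Table Suspicious, Source, Name, Command -AutoSize -Wrap

# Uninstall list, the equivalent of the HijackThis Uninstall Manager output
"=== Installed programs ==="
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object DisplayName -Unique |
    Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize
```

Pipe the whole thing to Out-File if you want a log to paste into a reply. The Suspicious flag is a heuristic, not a verdict: legitimate installers and updaters also run from Temp, so read the flagged Command column and decide per entry. An entry that re-creates a randomly named file in C:\Windows\Temp on each boot will usually show up here as a service, a task or a Run value whose command points at the dropper, and that is the item to remove rather than the file it drops.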
