
Thread: Rogue executable in C:\windows\temp

  1. #11
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Sorry, but this shows nothing. Have you tried checking Task Manager to find the unknown rogue running, ending it and then deleting the Windows Temp files? Have you tried deleting Temp files in Safe Mode?
    Did you follow all the steps given in the sticky, including running ATF-Cleaner in Safe Mode? Did you run the AVG anti-spy program in Safe Mode?

  2. #12
    Join Date: Oct 2007 | Posts: 17
    This executable does show in the list of processes in Task Manager with the exact same name that appears in C:\windows\temp. I have deleted temp files, not in Safe Mode though. I will do this and let you know. Thanks.

  3. #13
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Quote: This executable does show in the list of processes in Task Manager with the exact same name that appears in C:\windows\temp.
    Have you tried ending the process using Task Manager?

  4. #14
    Join Date: Oct 2007 | Posts: 17
    Yes. We are able to end the process. However, whenever the system is rebooted the process and file 'reappear' under a completely different and random name.
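
    The behaviour described in this post, a binary under the Windows Temp folder that is running and comes back under a new random name after every reboot, means the file itself is only the payload; something that survives the reboot is re-creating it. The following PowerShell script is an added example for the reader, not code posted in this thread or belonging to any tool mentioned in it. It assumes a current Windows with PowerShell 3 or later (the `Get-CimInstance` and `Get-ScheduledTask` cmdlets it uses), and it only reads: it lists every running process whose image lives under `%windir%\Temp` together with its SHA-256 hash and parent process, then searches the usual autostart locations (Run/RunOnce keys, Winlogon Shell/Userinit, scheduled tasks) for anything that references a `\Temp\` path. Recording the hash before the file is deleted is what lets a scanner upload or a later comparison work even though the name changes each time.

```powershell
# Added example (not from the thread): find processes running from the Windows
# Temp folder and the autostart entries that could be re-creating them.
$tempDir = Join-Path $env:windir 'Temp'

# 1. Running processes whose executable sits under %windir%\Temp.
$suspects = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$tempDir\*" } |
    ForEach-Object {
        # Hash the image now; the name will differ after the next reboot.
        $hash = try { (Get-FileHash -Algorithm SHA256 -Path $_.ExecutablePath).Hash } catch { 'n/a' }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            PID        = $_.ProcessId
            Name       = $_.Name
            Path       = $_.ExecutablePath
            SHA256     = $hash
            ParentPID  = $_.ParentProcessId
            ParentName = $parent.Name
            Created    = $_.CreationDate
        }
    }
"== Processes running from $tempDir =="
$suspects | Format-Table -AutoSize

# 2. Run/RunOnce values whose command line points into a Temp folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Run keys referencing \Temp\ =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match '\\Temp\\' } |
        ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}

# 3. Winlogon Shell/Userinit: these should be explorer.exe and userinit.exe
#    under System32; anything else warrants a closer look.
"== Winlogon =="
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object Shell, Userinit | Format-List

# 4. Scheduled tasks whose action executes something under a Temp folder.
"== Scheduled tasks referencing \Temp\ =="
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match '\\Temp\\' } |
    Select-Object TaskName, TaskPath, @{ n = 'Execute'; e = { $_.Actions.Execute } } |
    Format-Table -AutoSize
```

    Run it from an elevated PowerShell prompt so the HKLM keys and all processes are visible. The parent process of the Temp executable is the most useful single field: if it is a service host, a browser helper or another process rather than explorer.exe, that parent is where the loader lives, and that is what has to be removed or the file will keep coming back.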

  5. #15
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    End the process in Task Manager and then empty the Temp files.

  6. #16
    Join Date: Aug 2006 | Posts: 578

    You guys might also want to try locating the current "rogue .exe" and uploading it for analysis here ---> http://www.kaspersky.com/remoteviruschk.html

    I think Jotti is down, but you should try it as well --> http://virusscan.jotti.org/

    It might give you an idea of what "family" of baddie you have here. Reminds me a bit of Vundo or WebNexus...

    Best Luck
    PP

  7. #17
    Join Date: Oct 2007 | Posts: 17
    Thank you both. Will post back any findings shortly.

  8. #18
    Join Date: Oct 2007 | Posts: 17
    Quick update. I ran a program called RegCure. After this fixed 300+ errors the rogue .exe and process were gone. I then searched for and deleted .tmp files (84 found). In Safe Mode, also searched for .tmp files. None found.

    Hey PhilliePhan, I'm located in Phillies country (1 hour northeast of Philly). What a season. Hope they learned something and build on it.

    Anyway, I will try uploading this .exe to that site. I'm assuming they will allow a .exe to be uploaded?

  9. #19
    Join Date: Oct 2007 | Posts: 17
    After rebooting from Safe Mode, a newly named file and process have reappeared. This time it is called SG7CB6.exe. I submitted this file to the 2 sites suggested by PhilliePhan and the file was not recognized as a 'baddy'. When Jotti was done, there was text that indicated this file was submitted before. I'm really baffled by this. It appears I may have no choice but to wipe this machine and reinstall. Any other suggestions before I do this?

  10. #20
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    No, no, don't wipe clean. Try the following two tools first! If these find either of the two items noted by PP they will remove them; if they aren't there, neither tool will harm the computer, BUT then we can try something else.

    VundoFix by Atribune

    • Double-click VundoFix.exe to run it.
    • When VundoFix opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in the thread you are working in.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the instructions above, starting from "Click the Scan for Vundo button", when VundoFix appears at reboot.

    To remove the latest forms of Qoologic infections, follow the steps below:

    • Download Qoofix to your Desktop or any other convenient location
    • Unzip the files from Qoofix.zip to a convenient location such as C:\Qoofix.
    • Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe.
    • Finally, select Begin Removal and the removal process will commence. A reboot may be necessary if an infection is found.
    Credit: Marcin Kleczynski redesigned LonnyRJones' Qoofix.bat program. Credit is all given to Merijn, Sean, Anil, Calvin, and Aaron.

    Then run a new HJT scan and post the new log back here.
