Spyware Creating tmp files, ie Win1.tmp Win2.tmp


JCO

Running WindowsXP-Pro SP2 and all updates.

My son's computer has something running that I can't figure out. In the
tmp directory, the files Winx.tmp get created where "x" can be any digit.
It starts as "1" and increments forever. I've had over 2000 files that I
deleted.
Win1.tmp
Win2.tmp
Win3.tmp
......
Win2066.tmp ....
Each file shows up as 0 kbs and when I open them... they are empty.

What I've done:
Ran Norton SystemWorks / Antivirus and deleted all known issues.
Ran SpyBot and have cleaned out all known issues.
Ensured that HKLM-Run & HKCU-Run are cleaned (stripped) to a minimum that I
know is required.
Deleted all tmp folders and web temp folders.
Emptied Trash
I've used "HijackThis" but not posting here unless someone wants to see it.
I've looked into the Services but don't see anything bad, however, not
familiar with everything there.

One added Note:
Spybot is not able to update to the latest definitions because of a Socket
Error 10086 (I think). Tried to uninstall, reboot, re-install but I get the
same socket error. Not sure how old my definitions are since I don't know
when this started doing this. I guess this should be posted separately?

Thanks
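
The symptom described in this post (empty, sequentially numbered Win<N>.tmp files) can be measured before anything is deleted. The following is an added example, not part of the original post: it counts the zero-byte files matching that name pattern, reports gaps in the numbering, and estimates how fast they appear from their modification times. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Name pattern from the post: Win1.tmp, Win2.tmp, ... Win2066.tmp
WIN_TMP = re.compile(r"^Win(\d+)\.tmp$", re.IGNORECASE)

def triage_win_tmp(temp_dir):
    """Summarise zero-byte Win<N>.tmp files found directly in temp_dir."""
    hits = []
    for entry in os.scandir(temp_dir):
        m = WIN_TMP.match(entry.name)
        if not m or not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        if st.st_size == 0:                      # the post says every file is empty
            hits.append((int(m.group(1)), st.st_mtime))
    if not hits:
        return {"count": 0, "lowest": None, "highest": None,
                "missing": [], "per_minute": 0.0}
    numbers = sorted(n for n, _ in hits)
    times = sorted(t for _, t in hits)
    span = times[-1] - times[0]                  # seconds between first and last file
    present = set(numbers)
    missing = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    rate = round((len(hits) - 1) * 60 / span, 2) if span > 0 else 0.0
    return {"count": len(hits), "lowest": numbers[0], "highest": numbers[-1],
            "missing": missing, "per_minute": rate}

def build_sample(directory, interval=30):
    """Constructed sample: empty Win1,2,3,5,6.tmp spaced `interval` seconds apart."""
    base = 1_183_999_600                         # arbitrary timestamp, constructed
    for n in (1, 2, 3, 5, 6):
        p = Path(directory) / f"Win{n}.tmp"
        p.touch()
        os.utime(p, (base + n * interval, base + n * interval))
    (Path(directory) / "Win4.tmp").write_bytes(b"x")   # non-empty, so not counted
    (Path(directory) / "Window.tmp").touch()           # name does not match

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(triage_win_tmp(d))
```

A steady per-minute rate gives a cadence to compare against the processes seen in Task Manager; pass the real temp directory (for example the value of %TEMP%) to triage_win_tmp.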
 
Added Note:
Running the task manager, I see lots of activity from the following:
EXPLORER (all caps which is not on my other computer)
CISVC.EXE (sometimes is 60-70%, then goes to 0% for a while)
EXPLORER.EXE
WINLOGON.EXE


 
On 7/9/2007 4:46 PM On a whim, JCO pounded out on the keyboard

> Running WindowsXP-Pro SP2 and all updates.
>
> My son's computer has something running that I can't figure out. In the
> tmp directory, the files Winx.tmp get created where "x" can be any digit.
> It starts as "1" and increments forever. I've had over 2000 files that I
> deleted.


JCO,

If Spybot won't run, download and install Lavasoft Ad-Aware and give it
a try. Be sure to update it after the install and prior to running a check.

http://www.download.com/Ad-Aware-20...045910.html?part=dl-ad-aware&subj=dl&tag=top5

--
Terry R.

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
 
JCO wrote:
> Running WindowsXP-Pro SP2 and all updates.
>
> My son's computer has something running that I can't figure out.
> In the tmp directory, the files Winx.tmp get created where "x" can
> be any digit. It starts as "1" and increments forever. I've had over
> 2000 files that I deleted.
> Win1.tmp
> Win2.tmp
> Win3.tmp
> .....
>


According to Google, you've got a Trojan.

For example:

http://www.spyware-removal-guideline.com/win-tmp-exe-popups-removal
 
The LavaSoft did not work.
The virus names are:
download.? (can't remember)
trojan.nebuler

Tools did not work. After two days, I finally recovered from an Image (that
was very old).
Anyway, updates are being done.

Thanks
