spybot can't remove win32.tiny.abk...

Hello.
spybot can't remove win32.tiny.abk...
please help!
 
More details please, which version of Spybot-S&D are you running? Open Spybot Search & Destroy > Help > About if not sure.

Did you try removing in safe mode?

Best regards. :)
 
I'm running into the same problem trying to clean a friend's machine. Spybot (current, stable version) finds an instance after every reboot. The file is always located in /windows/system32, but the filename is always different. It's always *.tmp.

Spybot DOES delete the file, but as I noted, it returns after reboot. So it seems as if Spybot is getting a symptom, but not the actual cause.

This is on XP32. Safe mode doesn't matter, still comes back.
 
Hello,

Again same question......
Which version of Spybot-S&D are you running?
Do you have the latest updates installed?
Did you try in safe mode?

Regards
Sandra
Team Spybot
 
I answered all of those questions in my post.


Q: "Which version of Spybot-S&D are you running?"
Q: "Do you have the latest updates installed?"

A: "Spybot (current, stable version)"

I am running the current (as in most recent, fully up-to-date) version. Do you really DEMAND that I get numbers? I downloaded and installed it on the computer no less than 5 days ago, and have checked for and applied new updates every day before running it. Hence, "current, stable version."

Q: "Did you try in safe mode?"

A: "Safe mode doesn't matter, still comes back."

As in, I've run it in safe mode. And as I said, Spybot deletes the file. It's not that it won't delete the file. The problem is that Spybot appears to be finding the symptom (the *.tmp file that appears after rebooting) rather than the illness (whatever is generating the file).

I've uploaded the current .tmp file. It's 29 bytes, and looks like a binary of some sort.

http://rapidshare.com/files/86664261/duruudpd.tmp.html
 
I understand your frustration hadji, but getting mad won't help anyone. I am having the same problem and I am desperately in need of help.

I am running Spybot S & D 1.5.1.15 update 1/23/08.
I have tried with earlier versions and I have tried in safe mode. The files are removed by S&D, but then return after a restart, and ONLY after I enable my network connection.

The files identified in the latest version are
C:\Windows\Temp\7CF28762C38CA0D4.tmp
C:\Windows\Temp\AE8AB41F91F72503.tmp

Previous versions of S&D (1.4) also identified the following:
C:\Windows\Temp\3D6627311AA2FDBD.tmp
C:\Windows\Temp\8AF12AB59DCE7145.tmp
but these files are no longer identified by S & D as part of the Win32.tiny.abk threat, even though they appear with the other tmp files on a restart.

I was originally infected by clicking on a link sent to me in a 'spoofed' instant message in Pidgin from one of my contacts. S&D picked up on Win32.BHO.je and fixed that problem. Also, I found and deleted the following files:
C:\windlsvc.exe
C:\ducvb.exe
C:\Program Files\Helper\superfindout.dll

One other thing I have noticed is that there is constant activity on my network connection; sending & receiving, approx 5kb/s.

I received a warning from my ISP for 'unwanted activity',
which led me to believe that my machine is actively searching for other machines to infect, or I am an unwilling participant in a DDoS attack.

Please help! Thanks for any suggestions.
 
Hello,
One other thing I have noticed is that there is constant activity on my network connection; sending & receiving, approx 5kb/s.

I received a warning from my ISP for 'unwanted activity',
which led me to believe that my machine is actively searching for other machines to infect, or I am an unwilling participant in a DDoS attack.
Please start a topic in the Malware Removal Forum after following the instructions here: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) :)
 
I displayed no anger. Just displaying that I already answered all of the questions asked in my first post. There was no reason to force me to restate.
 
Same problem here

What I noticed, the .tmp file does not come back the next time the box is rebooted in SAFE mode if immediately after cleaning the box is cold reset instead of shutdown/reboot.
After that I can reboot the box however many times I want but still in SAFE mode.
However, the next shutdown/reboot in normal mode will bring back the trojan with its .tmp file.

Spybot does not fix the root cause, only the symptom.

Winxp sp2 with all fixes as of last monday, latest spybot d/led and updated as of yesterday night.
 
More info

As requested, I started a new thread in the malware removal forum at
http://forums.spybot.info/showthread.php?t=23627,
but I thought I might re-post some of the things I found here since there are others with this problem;

No one else here has confirmed it yet, but I'm willing to bet their systems are also generating some network traffic.

Using 'netstat -bv' as well as the Spybot Process List, I have found that the process generating the network connections is services.exe.

Also, the remote port of every connection is 25, which is the common port for sending mail to a SMTP server, so I guess my system is sending hundreds of spam emails.

There are more than 40 'Loaded modules' within services.exe according to the Spybot Process List, but I don't know how to identify the troublemaker. Netstat tells me the problem may be kernel32.dll, but I can't kill the module (I don't know that I should). I looked at each file in explorer, and the only thing I know to do is to check the timestamps - and they all look old (2006/mid 2007).

When I start 'randomly' killing modules to identify the problematic one, I eventually get the System shut down notice, and my system becomes unusable.
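
The check described in this post (which executable owns the connections to remote port 25), as an added example that is not part of the original thread: it parses saved `netstat -b` style output and lists processes, other than known mail clients, that contact several hosts on port 25. The sample output, its addresses and the mail-client allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the general shape of `netstat -b` output with numeric
# addresses; the IPs are documentation ranges, not values from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1041      198.51.100.7:25        SYN_SENT        712
  C:\\WINDOWS\\system32\\kernel32.dll
  [services.exe]
  TCP    192.168.1.10:1042      203.0.113.20:25        ESTABLISHED     712
  [services.exe]
  TCP    192.168.1.10:1043      203.0.113.99:25        SYN_SENT        712
  [services.exe]
  TCP    192.168.1.10:1050      192.0.2.80:80          ESTABLISHED     1820
  [firefox.exe]
  TCP    192.168.1.10:1060      192.0.2.25:25          ESTABLISHED     2044
  [thunderbird.exe]
"""

# One TCP row: local addr:port, remote addr:port, state, optional PID.
CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\d+))?\s*$")
# The owning executable is printed in brackets after the row it belongs to.
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")

def smtp_by_process(text, port=25):
    """Map owning executable -> set of remote hosts contacted on `port`."""
    hits = defaultdict(set)
    current = None  # last connection row still waiting for its [owner] line
    for line in text.splitlines():
        conn, owner = CONN.match(line), OWNER.match(line)
        if conn:
            current = (conn.group(3), int(conn.group(4)))
        elif owner and current:
            host, rport = current
            if rport == port:
                hits[owner.group(1).lower()].add(host)
            current = None
        # Module path lines (printed with -v) and headers are ignored.
    return dict(hits)

# Assumed allowlist of programs expected to speak SMTP on this machine.
def suspicious(text, mail_clients=("thunderbird.exe", "outlook.exe"), min_hosts=2):
    """Non-mail-client processes talking to several hosts on port 25."""
    found = smtp_by_process(text)
    return sorted(p for p, hosts in found.items()
                  if p not in mail_clients and len(hosts) >= min_hosts)
```
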
 
I HAVE THE SAME PROBLEMS AS REPORTED ABOVE

THANKS FOR PORT 25 INFO

This worked for me at first, I went into my linksys
router and blocked all ports 0-26, my internet
connection immediately improved, this worked
at first, but shortly after the connection
is still bad but it is better than before.

This thing is also screwing up my other programs.
Everything is slower but not as noticeable
as really bad internet connection.

AVG does not pick this up.
Spybot kills files but cannot get the source.
 
THIS CRAP KEEPS COMING BACK

I HAVE HAD ZERO PROBLEMS ON MY SYSTEM BEFORE THIS

--- Report generated: 2008-01-31 21:32 ---

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Win32.Tiny.abk: Data (File, fixed)
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp

Win32.Tiny.abk: Temporary file (File, fixed)
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
 
Is there any way to use Spybot just in particular
chosen folders, so I can debug without running
the whole thing for an hour ?

I will upload file if I can copy it.

Do we got SpyBot on this ?

Nothing else picks this up.
AVG and AVAST pick nothing up.

Everything is updated.
 
Thanks to everyone above for the tips.

I have the critter under control now.

IT IS USING SERVICES.EXE TO CONNECT TO SUSPECT
COMPUTER

IT STOPPED WRITING ON MY MACHINE, I WAS ABLE
TO DELETE .TMP FILES MANUALLY AND THIS TIME
THEY HAVE NOT COME BACK

PORTS 0-26 ARE BLOCKED BY MY ROUTER

SYGATE IS PERMANENTLY BLOCKING SERVICES.EXE

BUT THE SOURCE IS STILL ON MY MACHINE

MORE HERE

INFESTED 3 days of hell
http://www.goldenagora.com/phpBB3/viewtopic.php?f=6&t=943

FOLKS ! YOU CAN GET THIS UNDER CONTROL LIKE ME.
AT LEAST YOU KNOW WHAT IT IS NOW.

HAVE A LOOK AT THIS, SOMEONE NEEDS TO CONTACT THESE PEOPLE AND MAYBE INVESTIGATE THEM
 
Ok, for anyone trying to remove this thing, I have found this on a french forum. This website has software that got rid of this, nothing else did.
Removed
Here's the link to the software, it's dos based. You have to run it in safe mode.

Removed

This is the only thing that worked.
 
Hello.

Once again, please do not post fixes/tools in the Spybot-S&D support forums.
http://forums.spybot.info/showthread.php?t=1266


"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

  • Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and don't run fixes until asked. This is especially important if your Operating System is Windows Vista!
  • Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar.
I have seen numerous users making their machines unstable by running tools willy nilly.

Best regards.
 
Hi there.

Developers of some tools used in help forums requested that their tools be applied by trained helpers after log analysis, to avoid users turning their machine into a doorstop. :eek:

For infections not removed by normal means we have the Malware Removal Forum, where volunteers trained to use such tools as safely as possible assist people.

A google search will show links to others' fixes and anyone can find and use that information as they wish.

Best regards. :)
 
Everyone, if Spybot-S&D does not detect or remove an item and you can find the files, please zip or rar them and send to: detections(AT)spybot.info (Replace AT with @)

Thanks a bunch.
 