
Thread: spybot can't remove win32.tiny.abk...

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    1

    spybot can't remove win32.tiny.abk...
    please help!

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    29,945

    Hello.
    Quote: Originally posted by guy-chi
    spybot can't remove win32.tiny.abk...
    please help!

    More details please: which version of Spybot-S&D are you running? Open Spybot Search & Destroy > Help > About if not sure.

    Did you try removing in safe mode?

    Best regards.
    Microsoft MVP 2006-2016
    Windows Insider MVP 2016, 2017

  3. #3
    Junior Member
    Join Date
    Jan 2008
    Posts
    3

    I'm running into the same problem trying to clean a friend's machine. Spybot (current, stable version) finds an instance after every reboot. The file is always located in /windows/system32, but the filename is always different. It's always *.tmp.

    Spybot DOES delete the file, but as I noted, it returns after reboot. So it seems as if Spybot is getting a symptom, but not the actual cause.

    This is on XP32. Safe mode doesn't matter, still comes back.

  4. #4
    Senior Member spybotsandra's Avatar
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,269

    Hello,

    Again same question......
    Which version of Spybot-S&D are you running?
    Do you have the latest updates installed?
    Did you try in safe mode?

    Regards
    Sandra
    Team Spybot

  5. #5
    Junior Member
    Join Date
    Jan 2008
    Posts
    3

    I answered all of those questions in my post.


    Q: "Which version of Spybot-S&D are you running?"
    Q: "Do you have the latest updates installed?"

    A: "Spybot (current, stable version)"

    I am running the current (as in most recent, fully up-to-date) version. Do you really DEMAND that I get numbers? I downloaded and installed it on the computer no less than 5 days ago, and have checked for and applied new updates every day before running it. Hence, "current, stable version."

    Q: "Did you try in safe mode?"

    A: "Safe mode doesn't matter, still comes back."

    As in, I've run it in safe mode. And as I said, Spybot deletes the file. It's not that it won't delete the file. The problem is that Spybot appears to be finding the symptom (the *.tmp file that appears after rebooting) rather than the illness (whatever is generating the file).

    I've uploaded the current .tmp file. It's 29 bytes, and looks like a binary of some sort.

    PHP Code:
    http://rapidshare.com/files/86664261/duruudpd.tmp.html 
    Last edited by tashi; 2008-01-26 at 06:24. Reason: Mod: coded link

  6. #6
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    spybot can't remove win32.tiny.abk...

    I understand your frustration hadji, but getting mad won't help anyone. I am having the same problem and I am desperately in need of help.

    I am running Spybot S & D 1.5.1.15 update 1/23/08.
    I have tried with earlier versions and I have tried in safe mode. The files are removed by S&D, but then return after a restart, and ONLY after I enable my network connection.

    The files identified in the latest version are
    C:\Windows\Temp\7CF28762C38CA0D4.tmp
    C:\Windows\Temp\AE8AB41F91F72503.tmp

    Previous versions of S&D (1.4) also identified the following:
    C:\Windows\Temp\3D6627311AA2FDBD.tmp
    C:\Windows\Temp\8AF12AB59DCE7145.tmp
    but these files are no longer identified by S & D as part of the Win32.tiny.abk threat, even though they appear with the other tmp files on a restart.

    I was originally infected by clicking on a link sent to me in a 'spoofed' instant message in Pidgin from one of my contacts. S&D picked up on Win32.BHO.je and fixed that problem. Also, I found and deleted the following files:
    C:\windlsvc.exe
    C:\ducvb.exe
    C:\Program Files\Helper\superfindout.dll

    One other thing I have noticed is that there is constant activity on my network connection; sending & receiving, approx 5kb/s.

    I received a warning from my ISP for 'unwanted activity',
    which led me to believe that my machine is actively searching for other machines to infect, or I am an unwilling participant in a DDoS attack.

    Please help! Thanks for any suggestions.

  7. #7
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    29,945

    Hello,
    Quote: Originally posted by sntooth
    One other thing I have noticed is that there is constant activity on my network connection; sending & receiving, approx 5kb/s.

    I received a warning from my ISP for 'unwanted activity',
    which led me to believe that my machine is actively searching for other machines to infect, or I am an unwilling participant in a DDoS attack.

    Please start a topic in the Malware Removal Forum after following the instructions here: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)
    Microsoft MVP 2006-2016
    Windows Insider MVP 2016, 2017

  8. #8
    Junior Member
    Join Date
    Jan 2008
    Posts
    3

    I displayed no anger. Just displaying that I already answered all of the questions asked in my first post. There was no reason to force me to restate.

  9. #9
    Junior Member
    Join Date
    Jan 2008
    Posts
    5

    Same problem here

    What I noticed, the .tmp file does not come back the next time the box is rebooted in SAFE mode if immediately after cleaning the box is cold reset instead of shutdown/reboot.
    After that I can reboot the box however many times I want but still in SAFE mode.
    However, the next shutdown/reboot in normal mode will bring back the trojan with its .tmp file.

    Spybot does not fix the root cause, only the symptom.

    Winxp sp2 with all fixes as of last Monday, latest spybot d/led and updated as of yesterday night.

  10. #10
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    More info

    As requested, I started a new thread in the malware removal forum at
    http://forums.spybot.info/showthread.php?t=23627,
    but I thought I might re-post some of the things I found here since there are others with this problem;

    No one else here has confirmed it yet, but I'm willing to bet their systems are also generating some network traffic.

    Using 'netstat -bv' as well as the Spybot Process List, I have found that the process generating the network connections is services.exe.

    Also, the remote port of every connection is 25, which is the common port for sending mail to a SMTP server, so I guess my system is sending hundreds of spam emails.

    There are more than 40 'Loaded modules' within services.exe according to the Spybot Process List, but I don't know how to identify the troublemaker. Netstat tells me the problem may be kernel32.dll, but I can't kill the module (I don't know that I should). I looked at each file in explorer, and the only thing I know to do is to check the timestamps - and they all look old (2006/mid 2007).

    When I start 'randomly' killing modules to identify the problematic one, I eventually get the System shut down notice, and my system becomes unusable.
    Last edited by sntooth; 2008-02-01 at 19:39.
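
The check described in post #10 (which process holds many outbound connections to remote port 25) can be scripted. This is an added example, not part of the thread: it assumes output captured with `netstat -bnv` (the `-n` switch is added here so addresses and ports are numeric), and the sample lines, PIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -bnv`: a connection line, optional
# module lines, then the owning executable in brackets. Addresses are documentation ranges.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      192.0.2.15:25          ESTABLISHED     712
  C:\WINDOWS\system32\kernel32.dll
  [services.exe]
  TCP    192.168.1.10:1046      198.51.100.7:25        SYN_SENT        712
  [services.exe]
  TCP    192.168.1.10:1047      203.0.113.40:25        ESTABLISHED     712
  [services.exe]
  TCP    192.168.1.10:1050      192.0.2.80:80          ESTABLISHED     1980
  [firefox.exe]
  TCP    192.168.1.10:1051      192.0.2.25:25          ESTABLISHED     2210
  [thunderbird.exe]
"""

CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")

def smtp_fanout(text, port=25, min_hosts=3):
    """Map (process, pid) -> sorted remote hosts, for processes connected on
    `port` to at least `min_hosts` distinct remote addresses."""
    hosts = defaultdict(set)
    current = None                      # last connection line still waiting for its owner
    for line in text.splitlines():
        conn, owner = CONN.match(line), OWNER.match(line)
        if conn:
            # A connection with no owner line before the next one is dropped.
            current = (conn.group(3), int(conn.group(4)), int(conn.group(6)))
        elif owner and current:
            remote, rport, pid = current
            if rport == port:
                hosts[(owner.group(1).lower(), pid)].add(remote)
            current = None
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (proc, pid), remotes in smtp_fanout(SAMPLE).items():
        print(f"{proc} (PID {pid}): port 25 to {len(remotes)} hosts: {', '.join(remotes)}")
```

A mail client talking to its one configured server stays below the `min_hosts` threshold; a system process fanning out to many different mail servers does not.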
