spybot can't remove win32.tiny.abk...
please help!
Microsoft MVP Reconnect 2018-
Windows Insider MVP 2016-2018
Microsoft Consumer Security MVP 2006-2016
I'm running into the same problem trying to clean a friend's machine. Spybot (current, stable version) finds an instance after every reboot. The file is always located in /windows/system32, but the filename is always different. It's always *.tmp.
Spybot DOES delete the file, but as I noted, it returns after reboot. So it seems as if Spybot is getting a symptom, but not the actual cause.
This is on XP32. Safe mode doesn't matter, still comes back.
Hello,
Again same question......
Which version of Spybot-S&D are you running?
Do you have the latest updates installed?
Did you try in safe mode?
Regards
Sandra
Team Spybot
I answered all of those questions in my post.
Q: "Which version of Spybot-S&D are you running?"
Q: "Do you have the latest updates installed?"
A: "Spybot (current, stable version)"
I am running the current (as in most recent, fully up-to-date) version. Do you really DEMAND that I get numbers? I downloaded and installed it on the computer no less than 5 days ago, and have checked for and applied new updates every day before running it. Hence, "current, stable version."
Q: "Did you try in safe mode?"
A: "Safe mode doesn't matter, still comes back."
As in, I've run it in safe mode. And as I said, Spybot deletes the file. It's not that it won't delete the file. The problem is that Spybot appears to be finding the symptom (the *.tmp file that appears after rebooting) rather than the illness (whatever is generating the file).
I've uploaded the current .tmp file. It's 29 bytes, and looks like a binary of some sort.
http://rapidshare.com/files/86664261/duruudpd.tmp.html
Last edited by tashi; 2008-01-26 at 05:24. Reason: Mod: coded link
I understand your frustration hadji, but getting mad won't help anyone. I am having the same problem and I am desperately in need of help.
I am running Spybot S & D 1.5.1.15 update 1/23/08.
I have tried with earlier versions and I have tried in safe mode. The files are removed by S&D, but then return after a restart, and ONLY after I enable my network connection.
The files identified in the latest version are
C:\Windows\Temp\7CF28762C38CA0D4.tmp
C:\Windows\Temp\AE8AB41F91F72503.tmp
Previous versions of S&D (1.4) also identified the following:
C:\Windows\Temp\3D6627311AA2FDBD.tmp
C:\Windows\Temp\8AF12AB59DCE7145.tmp
but these files are no longer identified by S & D as part of the Win32.tiny.abk threat, even though they appear with the other tmp files on a restart.
I was originally infected by clicking on a link sent to me in a 'spoofed' instant message in Pidgin from one of my contacts. S&D picked up on Win32.BHO.je and fixed that problem. Also, I found and deleted the following files:
C:\windlsvc.exe
C:\ducvb.exe
C:\Program Files\Helper\superfindout.dll
One other thing I have noticed is that there is constant activity on my network connection; sending & receiving, approx 5kb/s.
I received a warning from my ISP for 'unwanted activity',
which led me to believe that my machine is actively searching for other machines to infect, or I am an unwilling participant in a DDoS attack.
Please help! Thanks for any suggestions.
Hello,
Please start a topic in the Malware Removal Forum after following the instructions here: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
I displayed no anger. Just displaying that I already answered all of the questions asked in my first post. There was no reason to force me to restate.
What I noticed, the .tmp file does not come back the next time the box is rebooted in SAFE mode if immediately after cleaning the box is cold reset instead of shutdown/reboot.
After that I can reboot the box however many times I want but still in SAFE mode.
However, the next shutdown/reboot in normal mode will bring back the trojan with its .tmp file.
Spybot does not fix the root cause, only the symptom.
WinXP SP2 with all fixes as of last Monday, latest Spybot d/led and updated as of yesterday night.
As requested, I started a new thread in the malware removal forum at
http://forums.spybot.info/showthread.php?t=23627,
but I thought I might re-post some of the things I found here since there are others with this problem;
No one else here has confirmed it yet, but I'm willing to bet their systems are also generating some network traffic.
Using 'netstat -bv' as well as the Spybot Process List, I have found that the process generating the network connections is services.exe.
Also, the remote port of every connection is 25, which is the common port for sending mail to an SMTP server, so I guess my system is sending hundreds of spam emails.
There are more than 40 'Loaded modules' within services.exe according to the Spybot Process List, but I don't know how to identify the troublemaker. Netstat tells me the problem may be kernel32.dll, but I can't kill the module (I don't know that I should). I looked at each file in explorer, and the only thing I know to do is to check the timestamps - and they all look old (2006/mid 2007).
When I start 'randomly' killing modules to identify the problematic one, I eventually get the System shut down notice, and my system becomes unusable.
Last edited by sntooth; 2008-02-01 at 18:39.
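Added example (not part of the original thread or of any poster's message): the netstat check described in the last post, automated as a triage script that groups connections to remote port 25 by owning executable. The sample output is constructed, its layout is an assumption modelled on `netstat -bn`, and the mail-client allow-list and threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample resembling `netstat -bn` output (assumed layout;
# addresses are from documentation ranges, PIDs are made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1045        198.51.100.7:25        ESTABLISHED     680
  [services.exe]

  TCP    192.0.2.10:1046        203.0.113.20:25        SYN_SENT        680
  C:\\WINDOWS\\system32\\mswsock.dll
  [services.exe]

  TCP    192.0.2.10:1047        203.0.113.99:25        ESTABLISHED     680
  [services.exe]

  TCP    192.0.2.10:1050        198.51.100.80:80       ESTABLISHED     1432
  [firefox.exe]

  TCP    192.0.2.10:1051        198.51.100.25:25       ESTABLISHED     2210
  [thunderbird.exe]
"""

# Connection row: proto, local addr, remote addr:port, state, PID.
CONN = re.compile(r"^\s*TCP\s+\S+\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$")
# Owner row that closes a connection entry: [image.exe]
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def smtp_connections_by_process(text, port=25):
    """Count TCP connections to remote `port` per (executable, PID)."""
    counts = Counter()
    pending_pid = None  # PID of a matching row still waiting for its owner line
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            pending_pid = int(m.group(2)) if int(m.group(1)) == port else None
            continue
        m = OWNER.match(line)  # module path lines in between are skipped
        if m and pending_pid is not None:
            counts[(m.group(1).lower(), pending_pid)] += 1
            pending_pid = None
    return counts

def suspicious(counts, allowed=("thunderbird.exe",), threshold=2):
    """Non-mail-client processes holding at least `threshold` SMTP connections."""
    return sorted(k for k, n in counts.items() if k[0] not in allowed and n >= threshold)
```

A system process such as services.exe appearing in the result is a reason to collect logs for a malware-removal helper, not to start ending modules by hand.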