spyware problem

[Arjay13]

The computer I am working on has one last bit of spyware in it. It generates 56Kb files in the windows temp directory that have 4 character names with a .tmp extension (like f7c4.tmp or 3baf.tmp). Zonealarm is catching them trying to contact 209.160.64.178. I have run Hijackthis,Adaware,spybot search and destroy and Norton antivirus 2006 repeatedly.

I just can't seem to identify what is generating these files. Any guesses?

Thanks in advance

Arjay13

[EvilRick]

Have you disabled System Restore?

[M_Six]

And empty every user's temp internet files and temp folder. Under C:\Documents and Settings and under each user, go to Local Settings and then temp and temp internet folders.

Also, if you know approximately the date you got the spyware, you can do a search for any file with that date or newer. Then sort by file type and look for unexplained executable files with .exe, .scr, .dat, or .dll extensions.

[EvilRick]

One thing I do when I first setup a PC is go into the Environmental Variables and change the default 'TEMP' and 'TMP' locations to just C:\WINDOWS\TEMP so I only have to look in one spot for junk like this.

[Arjay13]

Thanks for the ideas - I did dump the System Restore but it is active now. I killed most of the tmp files in safe mode. I'll check again to be sure I haven't missed any. I'll get back to you friday. Thanks again!

[M_Six]

Quote:

Originally Posted by EvilRick

One thing I do when I first setup a PC is go into the Environmental Variables and change the default 'TEMP' and 'TMP' locations to just C:\WINDOWS\TEMP so I only have to look in one spot for junk like this.

Great idea. Need to write that one down.

[Arjay13]

Well guys, I still have the same problem. Zonealarm keeps catching new *.tmp files that are trying to contact the same IP address. I have run the IP address and am trying to contact the internet abuse folks at the ISP. I'm not sure what to do - can I configure Zone Alarm to block that IP address?

[SeanC]

Set Zonealarm to "remember your answer" and select No to allowing the connection. It should stop bugging you about it.

Download and run the Sophos Antirootkit Scanner:
http://www.sophos.com/products/free-...i-rootkit.html

And the Rootkit Revealer package:
http://www.sysinternals.com/Utilitie...tRevealer.html

Just to make sure there isn't a rootkit installed that's preventing the spyware/av scanners from finding what's generating the stuff.

There are other rootkit scanners as well. Like AV and Antispyware scanners, Antirootkit scanners aren't all alike either.

[Arjay13]

Sean C
Your rootkitrevealer idea worked! It turns out that there was a directory c:\windows\softwaredistribution that the rootkit search programs revealed. I was able to go and delete the directory and voila, the problem is gone! Thank you so much!
Arjay13

[SeanC]

That's excellent.

I'd suggest running these programs every so often, like you run spyware scans every so often.