
C:\WINDOWS\TEMP\~DF8AE0.TMP; Is It a Trojan Horse?

By txgreek ·
I'm working on a computer infected with a trojan horse. Every time you turn on the computer, it reappears after being removed with the virus protection. I found it at the above location, and haven't gotten it removed yet. Now the puter's running Win98SE, but ...could this be a new trojan horse? I haven't found any info on it yet. Poor Ole Puter.


4 total posts (Page 1 of 1)  

Nope, that's just a Temp File.

by deepsand In reply to C:\WINDOWS\TEMP\~DF8AE0.T ...

Temp file names are automatically assigned by the OS when they are created; this includes files that are downloaded from the 'net.

While it may have been the original source of the infection, i.e. where the infective vector was temporarily stored upon its being downloaded from the 'net, an infective agent would not rely on a transient copy to ensure its survival.

No matter the type of infection, the fact that it remains after seemingly having been removed indicates that there is at least one component that is being launched by the startup process itself, by way of one or more Registry entries, and/or a .reg file that is present in the Startup sub-directory, which then alters the Registry each time the machine is restarted.


PS - This matter probably more properly belongs in the Question forum, ...

by deepsand In reply to Nope, that's just a Temp ...

rather than in the Discussions.

When seeking an answer to a specific problem, you're more likely to be visible to those who seek out problems in need of a solution by selecting "Ask a Question" rather than "Start a Discussion."


Thanks deepsand

by txgreek In reply to PS - This matter probably ...

I appreciate the help Deepsand. Had found out the file was part of a spyware scanner on the computer. The trojan horse was in somehow, and whenever the computer was turned on, the antivirus caught it. Removed the spyware. Removed the horse, put a different spyware on the puter. Fixed!!! Just had to get deep in the files. Thank you again for the input.


Yes, one should never assume that one's security apps are ok.

by deepsand In reply to Thanks deepsand

As it is they who stand as defense against intruders, they are natural targets of such, and may themselves become compromised so as to become servants of the attacker.

In fact, it has happened, on more than one occasion, that update files for security apps had been compromised before they left the providers' servers!

In your case it may have been that the trojan created a temporary .reg file, placed an entry for it in the Registry in the Run Once area, so that, upon boot, the .reg file would patch one or more Registry entries for the anti-virus application such that, when launched, the anti-virus program would 1st execute the trojan, which would create a new .reg file, identical to the old one, but with a different name, modify the Registry Run Once area so as to run the new .reg file at the next boot, etc., ad infinitum.

In cases where an infection is supposedly removed, but continues to reappear upon a boot, I generally scan the entire hard drive for .reg files, looking for one or more that is newly created, and check the Registry keys for entries for such file(s). If found, simply deleting the offending .reg files does the trick. When in doubt, 1st rename the suspect .reg file, reboot, and see if the problem goes away; if it does, or is at least partially mitigated, then you know that that .reg file is the cause of at least one problem.

If one is comfortable with editing the Registry, the corresponding entries there can be deleted as well, but such is generally not necessary, as the fact that the sought-after .reg file is missing is seldom a show stopper.
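An added example, not from the thread, that mechanizes the two checks in the post above: list the .reg files created recently anywhere under a drive root, and parse a registry export (`regedit /e` of the Run/RunOnce keys, in the REGEDIT4 text format) for startup values that would re-import a .reg file at boot. The sample export, the `AVPatch` value name and its path are constructed for the example.

```python
import os
import re
import time

def filter_recent_reg(entries, max_age_days=7, now=None):
    """From (path, creation_time) pairs, return .reg files newer than max_age_days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    recent = [e for e in entries if e[0].lower().endswith(".reg") and e[1] >= cutoff]
    return [p for p, _ in sorted(recent, key=lambda e: e[1], reverse=True)]

def recent_reg_files(root, max_age_days=7):
    """Walk a drive (e.g. C:\\); st_ctime is creation time on Windows, inode change time elsewhere."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            entries.append((p, os.stat(p).st_ctime))
    return filter_recent_reg(entries, max_age_days)

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"\s*$')

def reg_file_references(export_text):
    """Parse a registry export (regedit /e) and return (key, value_name, command)
    for every string value naming a .reg file, i.e. an entry that re-imports one at boot."""
    hits, key = [], None
    for line in export_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            command = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
            if ".reg" in command.lower():
                hits.append((key, m.group(1), command))
    return hits

# Constructed sample export of the Run/RunOnce keys; the RunOnce entry
# (value name and path are made up) shows the re-import pattern to look for.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AVPatch"="regedit.exe /s C:\\WINDOWS\\TEMP\\avpatch.reg"
"""
```

Any hit from `reg_file_references` names a .reg file to rename (as the post suggests) before rebooting; `recent_reg_files(r"C:\")` surfaces candidates the export does not mention.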
