regenerating files in c:\windows\temp\xxx.tmp

By fahimsolkar
hi everyone,

I'm having this weird problem wherein I'm getting a Norton alert saying that my files in C:\windows\temp\ are infected. I have tried the following things; still the files get regenerated:
1) Deleted everything in the temp folder; after restarting, the files get regenerated.
2) Tried a disk cleanup; still no go.
3) Booted into safe mode with command prompt and tried to delete them; that was successful, but again they regenerated once I booted back to the desktop.
4) Deleted the entire folder through the MS-DOS prompt, i.e. safe mode with command prompt, and did an attrib +h +s +r c:\windows\temp folder. After doing this I restarted the computer, but again those files got regenerated.

I'm really getting frustrated with this problem; any help is more than welcome...

pls make fast & snappy....

Thanks guys.. I owe U one...

Maybe try some other third party programs.

by Jim_P In reply to regenerating files in c:\ ...

Can I ask, have you tried other anti-virus removal tools and anti-spyware programs such as Spybot and Ad-Aware? Stinger is also a great program for removing worms and viruses.
I say there is a virus that has put an entry in the registry to re-infect you every time you restart the computer. You could manually check in regedit: go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and see if there are any bizarre entries, and even check HKEY_CURRENT_USER\Microsoft\Windows\Microsoft\CurrentVersion\Run. Or you could go to Start Menu-Run and type in msconfig; this will show you a list of startup programs that are in the registry. You also get the chance to look at other config files there too.
But the fastest thing is, as said, to scan for viruses, spyware, and worms/trojans. Trojan Hunter is another great program for this as well.

Good luck,

Regards,
Jim
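
The startup-entry check suggested in the post above can be scripted. This is an added example, not part of the original thread: it reads the standard Run and RunOnce autostart keys and flags values that launch something from a Temp folder or a `.tmp`/`.tmp.exe` file, the pattern reported in this discussion. The function name and the two match patterns are assumptions chosen for illustration.

```powershell
# Added example: audit the standard Run/RunOnce autostart keys and flag
# entries that start a program from a Temp folder or a *.tmp / *.tmp.exe file.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics only (assumptions for this example, not malware signatures).
$suspicious = @(
    '\\temp\\',          # command line references a Temp directory
    '\.tmp(\.exe)?\b'    # file named *.tmp or *.tmp.exe
)

function Get-RunKeyEntries {
    param([string[]]$Path)
    foreach ($key in $Path) {
        # Keys that do not exist on this system are skipped.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw value, then expand %TEMP%-style variables ourselves
            # so REG_SZ and REG_EXPAND_SZ values are handled the same way.
            $raw = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
            $hits = $suspicious | Where-Object { $expanded -match $_ }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $expanded
                Flagged = [bool]$hits
            }
        }
    }
}

# Flagged entries are listed first; review them before deleting anything.
Get-RunKeyEntries -Path $runKeys |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize -Wrap
```

The HKCU keys belong to the account running the script, so run it as the affected user; a legitimate installer can also leave a RunOnce entry pointing into Temp, so a flag is a prompt to inspect, not a verdict.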

Download These apps

by cmiller5400 In reply to regenerating files in c:\ ...

http://free.grisoft.com
http://www.safer-networking.org
http://www.lavasoftusa.com

They will help you clean your machine. Make sure that you update them before you boot into safe mode and run each scan until it comes back clean 2x.

thanks....

by fahimsolkar In reply to Download These apps

hey buddy..

thanks for the links... I have tried to get rid of it using many tools, including Symantec, McAfee, the online scan from Symantec & Microsoft... I have also run HijackThis & removed the nasty entries, also tried tools like Killbox & SmitFraudFix, and used a registry cleaner to clean up the registry. I know there is a trojan called Downloader; as you must be aware, there was a major outbreak of Downloader last week. I'm working with Symantec; quite surprisingly, this thing is still hitting me hard... any other help or tips are welcome, & thanks again...

You're not alone.

by Tiamat In reply to regenerating files in c:\ ...

Trying to resolve a similar problem. :-)

Mine is being detected as MidAddle in c:\windows\temp\~*.tmp files.

If mine is resolved I will try to remember to post and give credit.

It's a modified version of Porn dialer Virus program

by wrongmails In reply to regenerating files in c:\ ...

Hi, your system is infected with a virus that is a modified version of a porn dialer Trojan program. It will be making files like "c:\WINDOWS\Temp\win35.tmp.exe" and many other temp files. You have to kill some running files like ishost.exe and ismini.exe. Also, this virus would have embedded itself into your Internet Explorer. You might be getting messages while on the internet that your system is infected. Try Pest Patrol by Computer Associates. It will clean this mess. Remember, both of these exes reside in the system32 folder. Go to Internet Options and look in the add-on plug-ins. It may have added itself as an ActiveX in Internet Explorer. Install a good firewall like Zone Alarm, because this dialer program sends info from your computer (password, id, visited websites, credit cards etc.) to the internet. Usually people got this virus trying to illegally activate Symantec antivirus 2007 through an exe. It is very dangerous, and works in resident and stealth mode. Remember, even if you kill the running exes and delete them, a hidden process (even hidden from Task Manager) still keeps on making these files, but the danger of harm is minimized. This virus has associated itself with Explorer also.
Use Pest Patrol and Zone Alarm for its removal and protection. Norton will only be able to identify a part of this virus, i.e. the dialer trojan, and will delete it.

ZoneAlarm is Responsible

by wrongmails In reply to Its a modified version of ...

In my previous post, I said use Zone Alarm for protection. I feel sorry to reveal that Zone Alarm Security Suite is also using this trojan to carry out its functionality. I have kept the temp folder under deep observation with my own written programs. I came to know, and it's confirmed, that ZoneAlarm is responsible for this mess. It is using the temp folder as a base to give birth to trojans. Why? I don't know. Why would a guard steal from you? VSMON.exe, an important service of ZoneAlarm, keeps on using two files (the names constantly change, but with an extension of tmp, like ZLT0697.tmp etc.) to generate viruses like win35.tmp.exe. These files then try to go over the internet and bypass Zone Alarm security. These files carry your valuable data....

Eddy Rulz and You may contact Zone Alarm if you are a legal user for explanation...

Final Solution to this Problem

by wrongmails In reply to ZoneAlarm is Responsible

Start in safe mode. After deleting the files mentioned, like ismini.exe and ishost.exe (if present in the system32 folder), and deleting all the contents of the temp folder present in the windows folder, go to the folder C:\WINDOWS\Prefetch and delete all prefetch files. Actually, whenever you delete or empty your temp folder, VSMON.exe regenerates them by calling a prefetch file.

Just to be on the safe side, do a search for *.tmp.exe on the C: drive (with the search hidden files option) and delete any of the remaining ones if possible.

It is 100% confirmed, the virus will be removed...
You don't have to uninstall zone alarm.


Please let me know if it worked for you.

Remember, Eddy Rulz....
