A simple trojan impossible to detect

Hi all.

I’ve decided to register here to see if someone can definitely help me. On December 24th, I was infected by a lot of spyware and viruses. I could get rid of all of it, using Avant Home, ewido, adaware and NOD32. But here comes the problem… I still have a virus which is creating .tmp files in my folder c:\documents and settings\marc\Configuración local\temp. These files theoretically have 0kb, and come under the name _geAB1.tmp, changing the AB1 to other letters and numbers… It creates around 3 files a second. I can delete them but it still creates new ones. I’ve run all the antivirus programs both on my PC and online, and also in safe mode, but none of them finds out that I have a virus. I’ve also cleaned the registry with regseeker. The situation is beginning to be a little desperate, as it’s impossible to find out where the virus is. Can anyone give me a hint of how to fix this? Thank you.

Hi vanway,

Welcome to the forum.

Please post a HijackThis! log for us to look at. Full instructions here:

http://www.bleepingcomputer.com/forums/tutorial42.html

Aside from the HJT info from Frank, you could also check the offending/suspect file/s at Jotti (multi-engine online virus scanner) or VirusTotal (multi-engine online virus scanner). If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

This may be able to identify the trojan/malware and from that you could google it for more/removal info.

Hi vanway,

You did not have two resident scanners at a time, did you? Because then you can get weird scan results too. Always use one resident scanner; added scanning like non-resident or online or on-demand scanning or in-browser scanning is OK.

polonus

🙂 Hi Vanway:

Assuming you do NOT have 2 Antivirus programs "resident/running" on your machine at the same time AND you have Ad-Aware, I recommend you seek help on the forums at www.landzdown.com. This forum is staffed by ALL the volunteer Experts (including HJT) who used to advise on the now-defunct Lavasoft Ad-Aware Support forums.

Hi vanway,

Here’s an analysis of your HijackThis! log, available for 3 days:

http://hijackthis.de/logfiles/f6fec9165d116de784e1226448dec6e0.html

It does look like you’re running two AV’s, which is not a good idea as they will fight over files like dogs over a bone. You need to decide which one you want to keep, and uninstall the other one.

Could you check this file on Jotti as mentioned above, because it can be legitimate or part of a Trojan:

D:\Archivos de programa\WinTV\Ir.exe

Otherwise, I can’t see anything suspicious.

You could try an online scan and see if it identifies anything:

http://www.kaspersky.com/virusscanner

It might also be worth trying the free trial of Trojan Hunter to see if that can find any Trojans, maybe a process injecting Trojan hiding in a system process?

http://www.trojanhunter.com/

Thank you all. Apparently, it’s not a virus. The problem is that my first executable on Windows got caught by a virus, and the action taken to get it out damaged the registry. With that, sadly, the only action I can take is to format my drive.

Thank you very much all for your help

Well, now I’m definitely going mad… yesterday a mystery happened that not even Bill Gates could resolve. I was going to format my drive, but yesterday something really strange happened. I was surfing the web when my computer crashed and gave me an error on the explore.exe. I thought that it was going to reboot but it didn’t… and what was my surprise when I saw that the temp files stopped being created!!! I don’t know why, but it happened… I still haven’t rebooted it, but do you think it’s now possible to solve the problem without formatting my drive? Any help is really appreciated, as I have a lot of information and formatting my drive would mean a lot of trouble for me!

Thank you!

Have you followed any of the advice offered already?
Quite happy to help if you can help yourself.