Temp.exe keeps hauting

Hi!

When I run CCleaner registry cleaning an entry called “Temp.exe” pops out, which is located at “Templates” folder somewhere inside “Documents and Settings”. I don’t remember the exact location. Though I delete that entry, it pops out again in two days. This has been happened about for a week. I’ve ran Avast, MBAM and Hitman Pro, but they found nothing. I did search “Temp.exe” with Google and they say it’s some kind of trojan.

Hope you can help me with this :).

Please attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

upload and test suspicious files b[/b] at one of these places www.virustotal.com / www.metascan-online.com / www.jotti.org

Here are MBAM and OTL logs. AswMBR crashed when I ran it two times. Both time it crashed when it was scanning a folder including Windows 8 theme (I’m running Windows 7 x64). I don’t know why this happens, since it ran well some months ago.

The problem is it, that there’s no Temp.exe exist on my computer really, but CCleaner finds always a trace of it and deletes it, but in two days it comes again and I delete it and then in two days it pops out again. But it doesn’t always find that trace, but when I run CCleaner next day, it finds it again.

Hi Mad_Dog,

Once again we shall use OTL for additional checks. Re-run OTL by double-clicking and press the None button
[None shall be changed to Standard]

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



C:\Windows\expstart.exe /MD5
/MD5Start
temp.exe
/MD5Stop


[*]Then click the Run Scan button at the top.
[*]When OTL finish his scan, attach here fresh created OTL.txt logreport.

Here’s that log.

Hi Mad_Dog,

Posted OTL does not show the malware activity. OTL shows some .tmp files therefore we shall deploy TFC tool to preform some temp & cache cleaning …

Although, OTL log is clean, I can’t tell you that mashine is clean as you did not post the aswMBR.txt logreprot. Without that ARK logfile, I can only tell that OTL doesn’t show the malware.

Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

I ran TFC. I was also able to finish AswMBR scan, when I deleted a folder including Windows 8 theme, that caused the crash. That folder was in “Downloaded Files” folder in my “Documents” folder. So here’s that log.

aswMBR doesn’t work on Windows 8. We require a more comprehensive ARK (antirootkit) scan to determine the presence of usercode / kernelcode malware.

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
[i]For full instructions how MBAR works, read this article

> Doubleclick on the MBAR file (
http://www.mcshield.net/personal/magna86/Images/mbar.png
) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:

  • ‘Could not load protection driver’. Click ‘OK’.
  • ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe

  • Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution …
  • When you see “press any key to exit” fix is completed, press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:

  1. mbar-log-year-month-day (hour-minute-second).txt
  2. system-log.txt

Please post both logs in your next reply.

I did run MBAR and it found nothing. Here are the logs.

Hi Mad_Dog,

I can go with deeper look but I think that there is no need for that. In posted OTL logs I don’t see the malware, additional ARK check has no detections …

I would like to remove used tools. Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

Thank you very much for helping me again! :slight_smile: