I work as a programmer. Because of my job (I want to stay more or less up to date) I downloaded a ZIP, and during this I got an announcement. I pressed Abort connection. Then I tried to download this file via another site.
Now I have a file named ~DF31C9.tmp in my Temp folder, and a file arc29.tmp, which is invisible to XP; I found it using Rootkit Revealer.
Avast said in the report:
Win32:Trojan-gen. {VC} with the VPS version 0638-0, 19/09/2006
Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select archives for scanning.
Boot.
Maybe the file was not properly deleted by avast when it detected it.
Anyway, avast seems to have blocked the infection from activating, as far as I can see.
I have to say that in this case of doubt I restarted with a very hard reset and booted via a CD-ROM, just a very basic one that reads the hard disk (with NTFS access). I simply removed the files and had no warning afterwards.
It wasn’t my PC, and I didn’t want to screw it up.
I went back home and used just my own PC, just to figure out what it was. I have good backups, so…
The .tmp file seems to have some suspicious code in it, but I think it was waiting to be activated.
The “how to remove…” hint as posted by Tech didn’t work; it said: “access denied”.
Whatever, I am rid of it, but I keep on digging… and you’ll be informed later.
No, not at boot time, but when I work in command.com, and in Run (Start menu), as well as when I started in safe mode and jumped to command.com or the Run command.
Or, in other words, when I started via hard disk. After one hour I gave up and went to sleep.
Well, I did, but didn’t tell it here… Sorry…
Anyway, at the boot-time scan (archives included) there was nothing to be found, and I still could not remove the files. With rootkit removers like Blacklight, Sophos, etc., the file is mentioned.
Reset and startup via CD-ROM works fine, I can remove it, so don’t worry too much. But I want to figure it out: either I have some wrong settings, or there is a structural mistake somewhere. The files are zippable, but Yahoo refuses to send them. During zipping, Avast! remains silent.
I just verified, and the file is still downloadable at rootkit.com (on the left side, the Russian HE…)
To be very clear: I know the risk of using downloads etc. and experimenting with soft/hardware! I don’t have the “Sony bug” repaired, because I don’t like the patch, so I use a simple XP SP2 laptop.