netware13
0 pts. | Jun 16 2006 9:18AM GMT
Not knowing your platform or OS, and your statement that you think it is a trojan, I am going to assume you are talking about a workstation OS.
Here is a link to a discussion that sounds a lot like what you are talking about:
http://forums.spybot.info/archive/index.php/t-3208.html
I saw some information on some things that are similar, but they are in regards to an IBM server running a version of Symantec AV, and also Windows 2003 IIS6 using .NET V2.
Hope this helps, and good luck.
dwiebesick
1740 pts. | Jun 16 2006 9:22AM GMT
If you have the technical experience, here are some suggestions to try:
Download autoruns from www.systernals.com. Run the program and uncheck any item from the list that looks suspicious. This is like a toggle switch, you can uncheck to turn it off and put the check back to reenable the item.
Boot in safe mode with networking and go to http://www.bitdefender.com/scan8/ie.html and run their online scan.
Reboot into safe mode with networking and go to http://housecall.trendmicro.com/ and run their online scan.
http://www.merijn.org/ is a site that contains more information that may assist you.
Report back and let us know your results.
Best of luck
dmw
bladish
0 pts. | Jun 16 2006 9:24AM GMT
To help you better identify the process and get more information you might consider getting a program called Process Explorer from Sysinternals - www.sysinternals.com.
They have another handy tool that I like to use called TCPView that will show you processes and what connections they are making via udp and tcp protocols.
dusty1
0 pts. | Jun 16 2006 10:04AM GMT
If you’re not running a workstation (I’m assuming this is a workstation) firewall, install one! Download ZoneAlarm, at least, and set it up so that only the programs you designate can get to the network.
While that might not remove your bot, if you have one, at least it will stop it from transmitting its info out to the ‘net.
I’ve seen some music sharing programs or other streaming media programs use so much thruput that they can also shut down an Internet connection.
Just my 2 cents.
ELPUEBLO
0 pts. | Jun 16 2006 12:45PM GMT
PER CA (Makers of PestPatrol and etrust products)
it may be 1 of 2 trojan/viruses
1) Win32.Betalire Family
aka AdClicker-BA.dll (McAfee), Win32/Betalire, Win32.Betalire, Win32.Betalire.B, Win32/Betalire.B!DLL!Trojan, Win32/Betalire.C, Win32.Betalire.C, Win32/Betalire.D, Win32.Betalire.D, Win32/Betalire.D!Trojan, Win32/Betalire.E, Win32.Betalire.E, Win32/Betalire.E!Trojan, Win32.Betalire.F, Win32.Betalire.G, Win32.Betalire.H, Win32.Betalire.I, Win32.Betalire.J, Win32.Betalire.K, Win32.Betalire.L, Win32.Betalire.M, Win32.Betalire.N, Win32.Betalire.O, Adware-EliteBar (McAfee)
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43340
or
2) Win32.Spabot.A
aka Downloader-LZ (McAfee), Trojan.Spabot (Symantec), Win32/SpaBot.A.Trojan, Trojan.Win32.Spabot.c (Kaspersky)
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39923
I too am interested to know what AV you have running.
Are you running the adaware in safe mode? Get a copy of ClamWin @ “clamwin.com” (using another computer if possible), burn it to CD (instructions on ClamWin site) and run a scan from the CD.
bobkberg
895 pts. | Jun 16 2006 2:46PM GMT
In general, anything executable with a .TMP extension is suspicious. Furthermore, if it/they are running out of the “Temp” directory or any of the “Temporary Internet Files” directories/folders, they’re suspect.
All of the previous posters are correct, so no need to restate what they’ve already said. One simple thing to try though is to delete all temporary Internet files, and clear out the temp directory. Then see what happens after a reboot.
Bob
p.s. I also donate money to Patrick Kolla (safer-networking), author of Spybot Search & Destroy and other fun products. If you value his work, reward him.
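The heuristic in the post above (a .TMP image, or an image running out of a Temp or Temporary Internet Files folder), as an added PowerShell example that is not part of the original post or of any tool named in the thread. The function name `Get-SuspiciousPathReason` and the sample paths are made up for illustration; it assumes PowerShell 5 or later.

```powershell
# Added example: flag running processes whose image path matches the
# heuristic above. The function name and sample paths are hypothetical.

function Get-SuspiciousPathReason {
    param([string]$Path)

    # ExecutablePath is empty for processes the caller is not allowed to inspect.
    if ([string]::IsNullOrEmpty($Path)) { return }

    $reasons = @()
    if ([System.IO.Path]::GetExtension($Path) -ieq '.tmp') {
        $reasons += 'tmp-extension'
    }

    # Directory components only (drop the file name); -contains ignores case.
    $dirs = $Path -split '[\\/]' | Select-Object -SkipLast 1
    if ($dirs -contains 'Temp') { $reasons += 'temp-directory' }
    if ($dirs -contains 'Temporary Internet Files') { $reasons += 'temporary-internet-files' }

    $reasons
}

# Constructed sample paths showing how each is classified.
$samples = @(
    'C:\WINDOWS\system32\svchost.exe',
    'C:\Documents and Settings\user\Local Settings\Temp\a1b2.tmp',
    'C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\XYZ\setup.exe'
)
foreach ($p in $samples) {
    '{0} -> {1}' -f $p, ((Get-SuspiciousPathReason -Path $p) -join ',')
}

# Live check: list every running process that matches at least one rule.
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $why = Get-SuspiciousPathReason -Path $_.ExecutablePath
    if ($why) {
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Reasons   = $why -join ','
        }
    }
}
```

Installers and updaters also unpack and run from Temp, so treat a match as something to look up in Process Explorer or autoruns before deleting anything.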
maxpro4u
0 pts. | Jun 17 2006 1:23PM GMT
I have written some pages that might be of some help
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
And here is a list of tools and help links
http://home.neo.rr.com/manna4u/tools.html
post back with results
max






