Microsoft Anti-Spyware just found trojan.backdoor.small.fb
This just showed up on a daily scan. I run one every morning, so it shouldn't have been on my computer for more than a day. I had MAS delete it, and running Spy-Bot and Ad-Aware didn't find anything. I'm about to run a full AV scan.
I haven't had a lot of success googling to find out what this thing does. If my AV comes up clean, should I do anything else? Specifically, should I change my passwords and/or reinstall my operating system? Thanks. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
It just showed up for me yesterday also. Any info?
DQPAulie |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
Same. I use MAS and it found it 2 days in a row. Once I'm done multi-tasking I'm going to reboot and see if it regenerates itself.
Dude, re-install OS, slow down! It has been in the same temp file both times... jpg34... some such. Maybe it's a trojan from a certain porn site... chill. Don't do anything drastic to your OS. Do you have System Restore? I haven't used it yet, just curious. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I had the exact same thing happen to me, scrub. It showed it yesterday. I deleted it, and it showed up again in a scan again today. Other spyware tools don't find anything.
I'm not sure what this thing is either and haven't been able to find much info about it. I installed ZoneAlarm for more protection. I was planning on changing my passwords as well, but I don't want to do that until I'm sure it's off my system. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
If it returns check this out:
Generic Trojan / Adware Removal Procedures |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
Do you have System Restore? [/ QUOTE ] If you do, you may have to disable System Restore to remove the virus/trojan effectively. We/you should be able to remove it though w/o having to go that far. Also run hijackthis.exe to follow what processes your PC is running. If you call up Symantec this is what they'll tell you to initially scan your system with; pretty lame but true. NIS 2006 has not been doing the job of late. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
This showed up on mine too. Any idea where it's from?
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
This showed up on mine too. Any idea where it's from? [/ QUOTE ] The only weird link I clicked on yesterday was the facial recognition thing in OOT. I didn't see if the MAS definitions updated yesterday--there's a chance this is something that showed up as a result of that... scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
For it to show up on this many 2+2'ers' computers is no coincidence. This might be a brand new worm. Let us know if the spyware was able to fully delete it. It might reinstall itself on your machine's bootup. Also post if System Restore worked.
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
It didn't come back for me at startup, nor did it show up on subsequent SpyBot, Ad-Aware, or KAV scans.
I'm wondering if the MAS definitions changed in a way that would cause a false positive on a common temp file... scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
[ QUOTE ] This showed up on mine too. Any idea where it's from? [/ QUOTE ] The only weird link I clicked on yesterday was the facial recognition thing in OOT. I didn't see if the MAS definitions updated yesterday--there's a chance this is something that showed up as a result of that... scrub [/ QUOTE ] fwiw, I clicked that link too and no problems here.. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
It didn't come back for me at startup, nor did it show up on subsequent SpyBot, Ad-Aware, or KAV scans. I'm wondering if the MAS definitions changed in a way that would cause a false positive on a common temp file... scrub [/ QUOTE ] Weird. It came back again, but not after a restart or anything. I definitely didn't click on anything remotely suspect today either. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
The trojan probably did not get fully cleaned from your system. Did you disable System Restore?
I have a 2nd computer, and it appeared there, too. Yikes. I wonder if this is a new definition they added to MS Anti-Spyware recently, which might be why we all found the trojan at the same time. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I've got it too!
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
I wonder if this is a new definition they added to MS Anti-Spyware recently, which might be why we all found the trojan at the same time. [/ QUOTE ] I figure it's either that or we all clicked on some bad link in OOT. MS Anti-spyware can't find it again after it deletes it, so it's not like something that is respawning itself after every restart. I downloaded a Trojan Scanner, and that found a "suspicious file", which I sent to the company to look at. I'll let you know how that goes. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I have system restore turned off, so that's not why I got it a second time. As I was searching for some info, I do believe I found a post saying it was a new addition to the MAS file list.
As far as what it is and where it comes from, I could find nothing anywhere, not even the Microsoft site. DQ |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
I have system restore turned off, so that's not why I got it a second time. As I was searching for some info, I do believe I found a post saying it was a new addition to the MAS file list. As far as what it is and where it comes from, I could find nothing anywhere, not even the Microsoft site. DQ [/ QUOTE ] Yeah--I'm surprised at how difficult it is to find information about this. If there are so many people in one small community with this problem, it's got to be fairly widespread. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I've got it too, and I think this may be serious trouble for us since the trojan seems to be specific to poker players.
I should add that yesterday I logged into every poker account that I have to count my money, and upon logging into one of the sites my firewall blocked something that came from a trojan. I can't remember which poker site it was, but we may find that the trojan was created to take advantage of users of that site. I don't want to relog into all the sites to find out which site it was, but if anyone else experienced this please post what site it was so we can figure out what is going on. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I've removed this 3 times now using MAS. It is in the same location each time c:\documents and settings\USERNAME\Local Settings\Temp\34.tmp
Are others having the "virus" placed in the same location? I let MAS remove it, reboot and scan my system, and it is clean. I've scanned my system while leaving the "trojan" on my system with HijackThis, Norton Anti-Virus, Lavasoft's AdAware and Spybot and found no documentation of the virus from these other scanners. Here's some info on it: Cuebot Family, Win32/Cuebot Family. LSASS vulnerability was supposedly remedied by Microsoft Windows updates in the past. I've looked for registry settings or win directory changes that may have been altered according to this and other documents and found nothing. Obviously if it's a new variant the trojan hides itself in other spots. I haven't gotten the virus with my usual surfing about the web. I've scanned for it after surfing typical sites for 2-3 hours. It just may be coming from a poker site. Either way "34.tmp" is getting replicated, from what source I don't know. No other scanners are finding this so it's very odd. Right now I'm scanning again with Stinger and then pulling out the big guns with TrendMicro's sysclean with the latest lpt.185 virus patterns. TrendMicro has almost always found any serious virus for me in the past. Why is MAS only detecting this worm? I didn't do anything last night out of the usual, i.e. surfing the web, usual stuff: 2+2, Yahoo Finance and my usual assortment of rooms: Party Poker, EuroBet, PokerStars, DoylesRoom and Paradise. I've scanned the specific tmp w/ NIS2006 Anti-Virus and come up with nothing. But Norton hasn't updated virus definitions in 6 days. Going to run TrendMicro's sysclean now w/ the supposed trojan still on my system and see if it recognizes it. If not, just delete and hope it doesn't come back, which is doubtful. Has anyone had this bug and tried to turn System Restore off before attempting to remove it w/ MAS? That may work. Or is this a false alarm, no other scanners are finding it? If it comes back again I'm going to disable System Restore and then remove it; hopefully that will do the trick. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I had this on both my computers as well. When I first saw this thread I was relieved because it looks widespread. Now I'm a bit uneasy about it because we seem to be the only forum discussing it (and twoplustwo is almost the top Google hit).
It may just be erroneously reporting it from a heuristic scan and have to do with some image posted on OOT, or some poker site's temp file. Nonetheless I don't think it's an awful time to make some password changes. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
Scanned the temp file and my whole system with TrendMicro's sysclean and it's clean.
[ QUOTE ] It may just be erroneously reporting it from a heuristic scan and have to do with some image posted on OOT, or some poker site's temp file. [/ QUOTE ] Well, searching about twoplustwo.com, the offending temp file hasn't shown up. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
It came back for me once, but has not come back again. I ran this malware removal protocol after it came back the first time.
Spybot found something called Zonemap.Ranges when it was scanning in Safe Mode after I had cleaned out all of my temp files and stuff. It was able to remove it, but it needed to run first thing on restart to get rid of some things that were in memory. I haven't been able to find good information about it, either, but since I got rid of it, disabled system restore, restarted, and reenabled system restore, the MAS problem has not come back. If it is any of the things with similar sounding names described by other antivirus vendors, it changes a bunch of security settings to make your machine more vulnerable to other attacks, and possibly acts as a downloader or phones the mothership to let it know you're infected. I spent a lot of time looking for information about the original MAS infection, but I wasn't able to find anything useful. The closest thing I found was a listing for it on the F-Secure world map thing. Unfortunately, the link to more information did not mention the name of our problem specifically, nor was it particularly helpful or comforting. I've done a lot of scans at this point, and my HJT log looks v. clean, and a wide variety of scanners, including some rootkit and trojan-specific tools, come back clean. I'm hoping that getting rid of the two things I did took care of the problem, but I may still get paranoid and reinstall my operating system. I tried to get Evan to replicate the scans I performed to see if he had the same problem, but he was masturbating with his credit report and therefore useless. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
BINGO
34.tmp is loaded when you log on to Party Poker. It also cannot be deleted when the Party client is open. We should ask Party about this file... whether it is a necessary component of their client or not... if not it may be a real threat. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
First off, what was the location of the trojan when you had it? Was it located in the same place mine is (C:\Documents and Settings\USERNAME\Local Settings\Temp\34.tmp)?
Also, if you haven't logged back into Party since you cleaned your system, you may have only found another virus on your system, not this one. Try logging on to Party, see if 34.tmp is created and run MAS. For me 34.tmp was the offending file. I just changed my password also... Excellent call krimson... getting closer to a resolution hopefully. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
First off, what was the location of the trojan when you had it? Was it located in the same place mine is (C:\Documents and Settings\USERNAME\Local Settings\Temp\34.tmp)? Also, if you haven't logged back into Party since you cleaned your system, you may have only found another virus on your system, not this one. Try logging on to Party, see if 34.tmp is created and run MAS. For me 34.tmp was the offending file. I just changed my password also... Excellent call krimson... getting closer to a resolution hopefully. [/ QUOTE ] My original MAS problem was located at 34.tmp. It is not coming back every time I use Party. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
My original MAS problem was located at 34.tmp. It is not coming back every time I use Party. scrub [/ QUOTE ] You sure? Try again now... log on to Party and look again for 34.tmp? I hope you are right. I'm going to try the scanner you mentioned... |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
[ QUOTE ] My original MAS problem was located at 34.tmp. It is not coming back every time I use Party. scrub [/ QUOTE ] You sure? Try again now... log on to Party and look again for 34.tmp? I hope you are right. I'm going to try the scanner you mentioned... [/ QUOTE ] I just did. Logged onto Party. Scanned with MAS. Clean. No 34.tmp was created in the directory. Then logged into Party, logged off of Party, scanned with MAS. Clean. No 34.tmp was created in the directory. Follow that whole protocol page I linked to--SpyBot did not find any problems until I had restarted in Safe Mode and run CCleaner first. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
Opening the 34.tmp file on my computer shows it is a security certificate, probably from Thawte.
I don't usually use Microsoft stuff ... downloaded the Antispyware program yesterday and the scan didn't find anything even though 34.tmp is on my computer. I tried it again today and there is a new update ... still doesn't show any problems for me. It's possible you guys are getting a false positive ... try scanning with the new update. If it's still showing up after the update, don't assume it's a false positive, though. I only mention it as a possibility. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
Using majorgeeks I ran all the scans in safe mode w/ system restore off. Didn't find much other than one browser hijacker: about.blank. And CCleaner clears out log files, .tmp files, all sorts of crap you don't need.
Great link scrub, most helpful! |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I can't create the tmp file logging into Party. My original 34.tmp file was created on Jan 05, 2006. Scanning the original file with NOD32, Norton, and a trojan scanner found nothing.
I just logged into Absolute, UB, Party (Beta), Paradise, Bodog, Stars, FullTilt and TGC. None of them created a new 34.tmp file. This temp folder is not used by IE or Firefox so I am assuming it has to be created by an application. Are you still able to produce this file, goodguy_1? |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
No, not anymore. I'll post if I see it again.
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I bet when we see it again, we will all see it at the same time. If it was Party, they must have put it there on all our systems the same day, yes or no? Maybe it was some kind of scan they did for something?
DQ |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I have 34.tmp and a bunch of other files that are exactly the same, but the scan only said 34.tmp had the trojan. Also, when I read about the trojan, it said it is based on some exploit that was patched over a year ago. Maybe this is some kind of error in the scanner.
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
I have 34.tmp and a bunch of other files that are exactly the same, but the scan only said 34.tmp had the trojan. Also, when I read about the trojan, it said it is based on some exploit that was patched over a year ago. Maybe this is some kind of error in the scanner. [/ QUOTE ] Unabridged, I strongly recommend that you download Crap Cleaner. There is a link for it somewhere else in the thread. Whatever placed 34.tmp on our computers seems to have placed other files as well. Since 34.tmp regenerated itself on many people's computers, it is important to get rid of all of the other files. Crap Cleaner will do this for you, and no one who has run it has had 34.tmp regenerate. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
[ QUOTE ]
[ QUOTE ] I have 34.tmp and a bunch of other files that are exactly the same, but the scan only said 34.tmp had the trojan. Also, when I read about the trojan, it said it is based on some exploit that was patched over a year ago. Maybe this is some kind of error in the scanner. [/ QUOTE ] Unabridged, I strongly recommend that you download Crap Cleaner. There is a link for it somewhere else in the thread. Whatever placed 34.tmp on our computers seems to have placed other files as well. Since 34.tmp regenerated itself on many people's computers, it is important to get rid of all of the other files. Crap Cleaner will do this for you, and no one who has run it has had 34.tmp regenerate. [/ QUOTE ] For the record, Evan finally ran the scans on the page I linked to tonight. It turned out he had a ton of stuff on his computer that normal MAS scanning wasn't picking up. If you found this file, it's worth taking the time to make sure your system is OK. scrub |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
All,
I had it as well. Have not gone through the whole protocol yet. |
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
It's late, I am tired and have a headache, but here is what I learned:
Party is creating these tmp files once you login (I am using the beta). The file "34.tmp" has an md5 sum of 73bb6ac0e80583a43e5875590c95af98. It's 28,672 bytes big. Deleting this file with Microsoft AntiSpyware (MAS) will result in it enumerating the file number; I got 37.tmp and then 3a.tmp, 3F.tmp etc. upon each subsequent Party login. These files do not get flagged via MAS nor any other scanner I have used (NortonAV, NOD32, A-squared, Spybot, and a few others). They all md5 sum to 73bb6ac0e80583a43e5875590c95af98 and are 28KB (28,672b) so it's clearly the same file Party is creating each time. Creating a 728kb bmp file and renaming it to "34.tmp" and placing it into C:\Documents and Settings\Lazyrobot\Local Settings\Temp will be flagged by MAS and removed just as the original 34.tmp was. Moving this fake tmp file to other locations will not result in MAS flagging it as a Trojan. MAS will flag any file named "34.tmp" when it exists in your Documents and Settings\User\Local Settings\Temp folder. MAS will not detect this exact file (even the original offending 34.tmp) in any other location, nor will any other scanner I have used. At this point I no longer see this as a threat; it appears it's just a false positive. However, I am not a security expert. Beep |
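Added example, not part of the original post: a Python sketch of the false-positive triage described above, which groups temp files by MD5 and size to confirm they are the same content, then checks which file attribute the recorded scan verdicts actually track. The file contents, the `unrelated.tmp` name and the observation labels (`party`, `bmp`, `Temp`, `other`) are constructed here; only the file names, the 28,672-byte size and the verdicts come from the post.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def fingerprint(path):
    """Return (md5 hex digest, size in bytes) for one file."""
    data = Path(path).read_bytes()
    return hashlib.md5(data).hexdigest(), len(data)


def group_by_content(directory, pattern="*.tmp"):
    """Map each (md5, size) fingerprint to the file names that carry it."""
    groups = defaultdict(list)
    for path in sorted(Path(directory).glob(pattern)):
        groups[fingerprint(path)].append(path.name)
    return dict(groups)


def attributes_explaining_flag(observations):
    """Return the attribute sets whose values always determine the verdict."""
    candidates = [("content",), ("name",), ("folder",), ("name", "folder")]
    explaining = []
    for attrs in candidates:
        seen = {}
        # Consistent if no two observations share these attribute values
        # but differ in whether the scanner flagged them.
        if all(seen.setdefault(tuple(o[a] for a in attrs), o["flagged"])
               == o["flagged"] for o in observations):
            explaining.append(attrs)
    return explaining


# The post's test results, encoded by hand (labels are constructed).
OBSERVATIONS = [
    {"content": "party", "name": "34.tmp", "folder": "Temp", "flagged": True},
    {"content": "party", "name": "37.tmp", "folder": "Temp", "flagged": False},
    {"content": "bmp", "name": "34.tmp", "folder": "Temp", "flagged": True},
    {"content": "bmp", "name": "34.tmp", "folder": "other", "flagged": False},
    {"content": "party", "name": "34.tmp", "folder": "other", "flagged": False},
]


def demo_groups():
    """Build a constructed temp folder and group its .tmp files by content."""
    with tempfile.TemporaryDirectory() as tmp:
        same = b"\x00" * 28672            # constructed bytes, size from the post
        for name in ("34.tmp", "37.tmp", "3a.tmp"):
            Path(tmp, name).write_bytes(same)
        Path(tmp, "unrelated.tmp").write_bytes(b"constructed, different")
        return group_by_content(tmp)


if __name__ == "__main__":
    for (digest, size), names in demo_groups().items():
        print(digest, size, names)
    print(attributes_explaining_flag(OBSERVATIONS))
```

Only the combination of file name and folder is consistent with every verdict recorded in the post; content alone is not, which is what a name-and-path signature rather than a content signature looks like.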
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I am searching with Norton and haven't seen it yet?
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
If it's coming from Party, then why does it matter?
|
Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb
I noticed a few weeks ago that this file was requesting internet access upon launching the PP client. The contents of the file itself also seem to change between each launch.
This may be a stretch, but perhaps it is part of the party client responsible for security monitoring (bot checks, screen scrapes, etc). |