#31
No, not anymore. I'll post if I see it again.
#32
I bet when we see it again, we will all see it at the same time. If it was Party, they must have put it there on all our systems the same day, yes or no? Maybe it was some kind of scan they did for something?
DQ
#33
I have 34.tmp and a bunch of other files that are exactly the same, but the scan only said 34.tmp had the trojan. Also, when I read about the trojan, it said it is based on some exploit that was patched over a year ago. Maybe this is some kind of error in the scanner.
#34
[ QUOTE ]
I have 34.tmp and a bunch of other files that are exactly the same, but the scan only said 34.tmp had the trojan. Also, when I read about the trojan, it said it is based on some exploit that was patched over a year ago. Maybe this is some kind of error in the scanner.
[/ QUOTE ]
Unabridged, I strongly recommend that you download Crap Cleaner. There is a link for it somewhere else in the thread. Whatever placed 34.tmp on our computers seems to have placed other files as well. Since 34.tmp regenerated itself on many people's computers, it is important to get rid of all of the other files. Crap Cleaner will do this for you, and no one who has run it has had 34.tmp regenerate.
#35
[ QUOTE ]
[ QUOTE ]
I have 34.tmp and a bunch of other files that are exactly the same, but the scan only said 34.tmp had the trojan. Also, when I read about the trojan, it said it is based on some exploit that was patched over a year ago. Maybe this is some kind of error in the scanner.
[/ QUOTE ]
Unabridged, I strongly recommend that you download Crap Cleaner. There is a link for it somewhere else in the thread. Whatever placed 34.tmp on our computers seems to have placed other files as well. Since 34.tmp regenerated itself on many people's computers, it is important to get rid of all of the other files. Crap Cleaner will do this for you, and no one who has run it has had 34.tmp regenerate.
[/ QUOTE ]
For the record, Evan finally ran the scans on the page I linked to tonight. It turned out he had a ton of stuff on his computer that normal MAS scanning wasn't picking up. If you found this file, it's worth taking the time to make sure your system is OK.
scrub
#36
All,
I had it as well. Have not gone through the whole protocol yet.
#37
It's late, I am tired and have a headache, but here is what I learned:

Party is creating these tmp files once you log in (I am using the beta). The file "34.tmp" has an md5 sum of 73bb6ac0e80583a43e5875590c95af98. It's 28,672 bytes big. Deleting this file with Microsoft AntiSpyware (MAS) will result in it enumerating the file number; I got 37.tmp and then 3a.tmp, 3F.tmp, etc. upon each subsequent Party login. These files do not get flagged by MAS nor by any other scanner I have used (NortonAV, NOD32, A-squared, Spybot, and a few others). They all md5 sum to 73bb6ac0e80583a43e5875590c95af98 and are 28KB (28,672b), so it's clearly the same file Party is creating each time.

Creating a 728kb bmp file, renaming it to "34.tmp" and placing it into C:\Documents and Settings\Lazyrobot\Local Settings\Temp will be flagged by MAS and removed just as the original 34.tmp was. Moving this fake tmp file to other locations will not result in MAS flagging it as a Trojan. MAS will flag any file named "34.tmp" when it exists in your Documents and Settings\User\Local Settings\Temp folder. MAS will not detect this exact file (even the original offending 34.tmp) in any other location, nor will any other scanner I have used.

At this point I no longer see this as a threat; it appears it's just a false positive. However, I am not a security expert.
Beep
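The comparison described in the post above, as an added example that is not part of the original thread: it groups every .tmp file in a folder by size and MD5, which shows whether the numbered files are byte-identical and separates a hash match from a name match. The function names and the folder passed in are assumptions; the hash and size constants are the values quoted in the post.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# Values reported in the post above for the original 34.tmp.
REPORTED_MD5 = "73bb6ac0e80583a43e5875590c95af98"
REPORTED_SIZE = 28672


def md5_of(path, chunk=65536):
    """Stream the file so large temp files are not read into memory at once."""
    h = hashlib.md5()  # MD5 only because that is the digest quoted in the thread
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_tmp_files(temp_dir):
    """Map (size, md5) -> sorted file names for every *.tmp file in temp_dir."""
    groups = defaultdict(list)
    for p in Path(temp_dir).iterdir():
        if not (p.is_file() and p.suffix.lower() == ".tmp"):
            continue
        try:
            key = (p.stat().st_size, md5_of(p))
        except OSError:
            continue  # file locked by a running program or deleted mid-scan
        groups[key].append(p.name)
    return {k: sorted(v) for k, v in groups.items()}


def classify(groups, flagged_name="34.tmp"):
    """Separate content evidence (hash match) from name evidence (file name only)."""
    matches = groups.get((REPORTED_SIZE, REPORTED_MD5), [])
    name_only = [
        (name, size, digest)
        for (size, digest), names in groups.items()
        for name in names
        if name.lower() == flagged_name and digest != REPORTED_MD5
    ]
    return {"matches_reported_hash": matches,
            "flagged_name_different_content": name_only}
```

A file that appears only under `flagged_name_different_content` corresponds to the renamed-bmp test in the post: the name matches, the content does not.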
#38
I am searching with Norton and haven't seen it yet?
#39
If it's coming from Party, then why does it matter?
#40
I noticed a few weeks ago that this file was requesting internet access upon launching the pp client. The contents of the file itself also seem to change between each launch.
This may be a stretch, but perhaps it is part of the Party client responsible for security monitoring (bot checks, screen scrapes, etc).