#21
Scanned the temp file and my whole system with TrendMicro's sysclean and it's clean.
[ QUOTE ]
It may just be erroneously reporting it from a heuristic scan and have to do with some image posted on oot, or some poker site's temp file.
[/ QUOTE ]
Well, searching about twoplustwo.com, the offending temp file hasn't shown up.

#22
It came back for me once, but has not come back again. I ran this malware removal protocol after it came back the first time.

Spybot found something called Zonemap.Ranges when it was scanning in Safe Mode after I had cleaned out all of my temp files and stuff. It was able to remove it, but it needed to run first thing on restart to get rid of some things that were in memory. I haven't been able to find good information about it, either, but since I got rid of it, disabled system restore, restarted, and reenabled system restore, the MAS problem has not come back. If it is any of the things with similar sounding names described by other antivirus vendors, it changes a bunch of security settings to make your machine more vulnerable to other attacks, and possibly acts as a downloader or phones the mothership to let it know you're infected.

I spent a lot of time looking for information about the original MAS infection, but I wasn't able to find anything useful. The closest thing I found was a listing for it on the F-Secure world map thing. Unfortunately, the link to more information did not mention the name of our problem specifically, nor was it particularly helpful or comforting.

I've done a lot of scans at this point, and my HJT log looks v. clean, and a wide variety of scanners, including some rootkit and trojan-specific tools, come back clean. I'm hoping that getting rid of the two things I did took care of the problem, but I may still get paranoid and reinstall my operating system.

I tried to get Evan to replicate the scans I performed to see if he had the same problem, but he was masturbating with his credit report and therefore useless.
scrub

#23
BINGO
34.tmp is loaded when you log on to Party Poker. It also cannot be deleted when the Party client is open. We should ask Party about this file... whether it is a necessary component of their client or not.. if not it may be a real threat.

#24
First off, what was the location of the trojan when you had it? Was it located in the same place mine is (C:\Documents and Settings\USERNAME\Local Settings\Temp\34.tmp)?
Also, if you haven't logged back into Party since you cleaned your system, you may have only found another virus on your system, not this one. Try logging on to Party, see if 34.tmp is created, and run MAS. For me 34.tmp was the offending file. I just changed my password also... Excellent call krimson.. getting closer to a resolution hopefully.

#25
[ QUOTE ]
First off, what was the location of the trojan when you had it? Was it located in the same place mine is (C:\Documents and Settings\USERNAME\Local Settings\Temp\34.tmp)? Also, if you haven't logged back into Party since you cleaned your system, you may have only found another virus on your system, not this one. Try logging on to Party, see if 34.tmp is created, and run MAS. For me 34.tmp was the offending file. I just changed my password also... Excellent call krimson.. getting closer to a resolution hopefully.
[/ QUOTE ]
My original MAS problem was located at 34.tmp. It is not coming back every time I use Party.
scrub

#26
[ QUOTE ]
My original MAS problem was located at 34.tmp. It is not coming back every time I use Party.
scrub
[/ QUOTE ]
You sure? Try again now.. log on to Party and look again for 34.tmp?.. I hope you are right. I'm going to try the scanner you mentioned..

#27
[ QUOTE ]
[ QUOTE ]
My original MAS problem was located at 34.tmp. It is not coming back every time I use Party.
scrub
[/ QUOTE ]
You sure? Try again now.. log on to Party and look again for 34.tmp?.. I hope you are right. I'm going to try the scanner you mentioned..
[/ QUOTE ]
I just did. Logged onto Party. Scanned with MAS. Clean. No 34.tmp was created in the directory. Then logged into Party, logged off of Party, scanned with MAS. Clean. No 34.tmp was created in the directory. Follow that whole protocol page I linked to--Spybot did not find any problems until I had restarted in Safe Mode and run CCleaner first.
scrub

#28
Opening the 34.tmp file on my computer shows it is a security certificate, probably from Thawte.
I don't usually use Microsoft stuff ... downloaded the Antispyware program yesterday and the scan didn't find anything even though 34.tmp is on my computer. I tried it again today and there is a new update ... still doesn't show any problems for me. It's possible you guys are getting a false positive ... try scanning with the new update. If it's still showing up after the update, don't assume it's a false positive, though. I only mention it as a possibility.

#29
Using majorgeeks I ran all the scans in safe mode w/ system restore off - didn't find much other than one browser hijacker :about.blank, and CCleaner clears out log files, .tmp files, all sorts of crap you don't need.
Great link, scrub, most helpful!

#30
I can't create the tmp file logging into Party. My original 34.tmp file was created on Jan 05, 2006. Scanning the original file with NOD32, Norton, and a trojan scanner found nothing.
I just logged into Absolute, UB, Party (Beta), Paradise, Bodog, Stars, FullTilt and TGC. None of them created a new 34.tmp file. This temp folder is not used by IE or Firefox, so I am assuming it has to be created by an application. Are you still able to produce this file, goodguy_1?
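
The check several posters run by hand (start the client, see whether a new file such as 34.tmp appears in the temp directory, then look at what the file actually contains) can be scripted as a before/after snapshot. This is an added example, not part of the original thread; the function names and the sample bytes are constructed for illustration, and the classification only reports what kind of content a file holds, not whether it is malicious.

```python
import hashlib
import os
import tempfile

def classify(data: bytes) -> str:
    """Rough content type from the leading bytes of a file."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-certificate"
    # DER: SEQUENCE tag 0x30, long-form 2-byte length that must span the whole file.
    # Certificates have this shape, but so do other ASN.1 structures.
    if len(data) > 4 and data[0] == 0x30 and data[1] == 0x82:
        if int.from_bytes(data[2:4], "big") + 4 == len(data):
            return "der-sequence (certificate-like)"
    return "unknown"

def snapshot(directory: str) -> dict:
    """Map file name -> (sha256 hex, classification) for regular files."""
    result = {}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        try:
            with open(entry.path, "rb") as fh:
                data = fh.read()
        except OSError:
            # A file held open by a running client may not be readable.
            result[entry.name] = ("locked", "unreadable")
            continue
        result[entry.name] = (hashlib.sha256(data).hexdigest(), classify(data))
    return result

def new_or_changed(before: dict, after: dict) -> dict:
    """Entries that appeared or whose content changed between two snapshots."""
    return {name: info for name, info in after.items() if before.get(name) != info}

def demo() -> dict:
    """Constructed run: a temp dir with one old file, then a DER-shaped 34.tmp appears."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "old.tmp"), "wb") as fh:
            fh.write(b"unchanged")
        before = snapshot(tmp)
        blob = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)  # constructed bytes, not a real certificate
        with open(os.path.join(tmp, "34.tmp"), "wb") as fh:
            fh.write(blob)
        return new_or_changed(before, snapshot(tmp))

if __name__ == "__main__":
    print(demo())
```

On a real machine, call `snapshot()` on the user's temp directory before and after starting the client and compare the two results with `new_or_changed()`.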