Two Plus Two Newer Archives  

  #41  
Old 02-01-2006, 10:19 AM
Unabridged Unabridged is offline
Senior Member
 
Join Date: Jun 2005
Posts: 968
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
It's late, I am tired and have a headache but here is what I learned:

Party is creating these tmp files once you login (I am using the beta). The file "34.tmp" has a md5 sum of 73bb6ac0e80583a43e5875590c95af98. It's 28,672 bytes big. Deleting this file with Microsoft AntiSpyware (MAS) will result in it enumerating the file number; I got 37.tmp and then 3a.tmp, 3F.tmp etc. upon each subsequent Party login. These files do not get flagged via MAS nor any other scanner I have used. (NortonAV, NOD32, A-squared, Spybot, and a few others). They all md5 sum to 73bb6ac0e80583a43e5875590c95af98 and are 28KB(28,672b) so it's clearly the same file Party is creating each time.

Creating a 728kb bmp file and renaming it to "34.tmp" and placing into C:\Documents and Settings\Lazyrobot\Local Settings\Temp will be flagged by MAS and removed just as the original 34.tmp was. Moving this fake tmp file to other locations will not result in MAS flagging it as a Trojan. MAS will flag any file named "34.tmp" when it exists in your Documents and Settings\User\Local Settings\Temp folder. MAS will not detect this exact file (even the original offending 34.tmp) in any other location nor will any other scanner I have used.

At this point I no longer see this as a threat; it appears it's just a false positive. However, I am not a security expert.

Beep

[/ QUOTE ]

[img]/images/graemlins/cool.gif[/img]
  #42  
Old 02-01-2006, 12:44 PM
mmbt0ne mmbt0ne is offline
Senior Member
 
Join Date: Aug 2004
Location: Back in ATL
Posts: 12,169
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Neither of my computers' MAS picked up on this, however, yesterday my avast did snag a trojan that was in that directory I believe, so that might've been the same thing.
  #43  
Old 02-01-2006, 01:17 PM
astroglide astroglide is offline
Senior Member
 
Join Date: Sep 2002
Posts: 13,836
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

i read 2+2 regularly, and i have signed in at party recently at work.

ran a manual scan with mas: clean

logged into party and clicked around a bit
ran another manual scan with mas: clean

file/updated definitions from 5749 to 5801
ran another manual scan with mas: clean

changed preferences to do a 'full system scan' instead of an 'intelligent quick scan'
ran another manual scan with mas: clean
  #44  
Old 02-01-2006, 04:39 PM
EMc EMc is offline
Senior Member
 
Join Date: Feb 2005
Location: LETS GO YANKEES!!
Posts: 7,663
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

For those of us who are on the 3rd grade reading level in terms of computer literacy, can you all go through exactly what I should do to:

a. Rid myself of this (I have it. Found it with the microsoft)
b. What I should do on a weekly/daily basis to keep my baby clean.

Thanks.


edit: How do I work crap cleaner. Just leave the defaults and then let it clean or what?
  #45  
Old 02-01-2006, 05:06 PM
scrub scrub is offline
Senior Member
 
Join Date: Aug 2003
Location: San Francisco
Posts: 3,976
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
i read 2+2 regularly, and i have signed in at party recently at work.

ran a manual scan with mas: clean

logged into party and clicked around a bit
ran another manual scan with mas: clean

file/updated definitions from 5749 to 5801
ran another manual scan with mas: clean

changed preferences to do a 'full system scan' instead of an 'intelligent quick scan'
ran another manual scan with mas: clean

[/ QUOTE ]

Have you ever installed the Beta client on that machine?

scrub
  #46  
Old 02-01-2006, 06:25 PM
El Diablo El Diablo is offline
Senior Member
 
Join Date: Sep 2002
Location: Parts Unknown
Posts: 33,802
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

scrub,

I have never installed the beta client and I don't think I've opened Party client in weeks.
  #47  
Old 02-01-2006, 08:48 PM
jman220 jman220 is offline
Senior Member
 
Join Date: May 2005
Posts: 7,160
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
scrub,

I have never installed the beta client and I don't think I've opened Party client in weeks.

[/ QUOTE ]

El Diablo,
The installation date that some people had from this file was January 5th. Have you opened the Party client since then?
  #48  
Old 02-01-2006, 09:39 PM
El Diablo El Diablo is offline
Senior Member
 
Join Date: Sep 2002
Location: Parts Unknown
Posts: 33,802
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

jm,

Hmm, can't remember. Is there any way to check when I last opened it? When I look at file properties of the executable, it updates it to when I look at the file props (ie: right now), not when I actually opened it.
  #49  
Old 02-01-2006, 09:57 PM
scrub scrub is offline
Senior Member
 
Join Date: Aug 2003
Location: San Francisco
Posts: 3,976
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

Go to the "My account" section of the Party website. Your last login will be at the top of the "account activity page."

scrub
  #50  
Old 02-01-2006, 10:49 PM
DrSavage DrSavage is offline
Senior Member
 
Join Date: Jul 2003
Location: This calls for a sexy party!
Posts: 2,366
Default Re: Microsoft Anti-Spyware just found trojan.backdoor.small.fb

[ QUOTE ]
[ QUOTE ]
scrub,

I have never installed the beta client and I don't think I've opened Party client in weeks.

[/ QUOTE ]

El Diablo,
The installation date that some people had from this file was January 5th. Have you opened the Party client since then?

[/ QUOTE ]

I had this file too; it was also as of Jan 5th. I also had a billion other files, starting with 10.tmp and ending with 105.tmp or so. All these files have the creation date as of Jan 5 and are all identical. They are also all a .dll file in essence and all have accessed the internet at some point (as evidenced by ZoneAlarm logs). I deleted them all and will try to find out what creates them. It is NOT the Party Poker client; although the client did create a 62.tmp file when launched, it was not a .dll and had nothing in common with other files.
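The checks the posts above do by hand (same MD5 and size across the numbered .tmp files, and whether a file is really a DLL), as an added Python example that is not part of the original thread. The sample files are constructed stand-ins and the function names are hypothetical; the verdict depends only on file content, never on the file name or folder.

```python
import hashlib, os, struct, tempfile
from collections import defaultdict

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a PE image as a DLL

def pe_kind(data):
    """Return 'dll' or 'exe' for a PE image, None for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (chars,) = struct.unpack_from("<H", data, pe_off + 22)  # Characteristics
    return "dll" if chars & IMAGE_FILE_DLL else "exe"

def triage_tmp_files(directory):
    """Cluster *.tmp files by MD5 of their content (the hash the thread quotes)."""
    clusters = defaultdict(lambda: {"size": 0, "kind": None, "names": []})
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.lower().endswith(".tmp") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        entry = clusters[hashlib.md5(data).hexdigest()]
        entry["size"], entry["kind"] = len(data), pe_kind(data)
        entry["names"].append(name)
    return dict(clusters)

def fake_pe(characteristics):
    """Constructed 88-byte stub: DOS header, PE signature, COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff

def demo():
    """Write constructed sample files to a scratch directory and triage them."""
    samples = {"34.tmp": fake_pe(0x2002), "37.tmp": fake_pe(0x2002),
               "3a.tmp": fake_pe(0x2002), "62.tmp": b"constructed non-PE scratch data"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return triage_tmp_files(tmp)

if __name__ == "__main__":
    for digest, info in demo().items():
        print(digest, info["size"], info["kind"], info["names"])
```
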