Alyork
asked on
_@##.TMP Folders ( _@10.tmp _@22.tmp etc )
We have a Windows 2000 server that has the folder _@##.tmp appearing in the root of one of the drives. This folder cannot be deleted by normal means and we use zap.exe to get rid of it. It then reappears with the number, represented by the ## incremented.
I've seen this problem before on another Windows server some years back and used one of the virus scanners of the day to remove the malware causing the folder to appear and reappear.
In this case we have run VIPER, PREVX, Spybot, Malwarebytes, Superantispyware etc., with no ultimate resolution. It is suspected that it may be caused by a variant of Win32/Agent trogen.
Was wondering if anyone has some new information re this problem and it's ultimate resolution.
Thanks - Al
I've seen this problem before on another Windows server some years back and used one of the virus scanners of the day to remove the malware causing the folder to appear and reappear.
In this case we have run VIPER, PREVX, Spybot, Malwarebytes, Superantispyware etc., with no ultimate resolution. It is suspected that it may be caused by a variant of Win32/Agent trogen.
Was wondering if anyone has some new information re this problem and it's ultimate resolution.
Thanks - Al
I just confirmed that 'McAfee Stinger' is good for Server OS use and you should try it:
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Unfortunately the server in question is in the boonies and I'm having to do this via remote support. And they have no tech person there to assist. I may have to go there if it's not able to be resoved and will detach the drives and do a scan from another computer.
One of the anomalies is that, although Explorer and the Command box both see the "_@xx.tmp" folder, Windows search does not. Supposedly Windows 2000 search was before MS decided what we can and can't search for. I should check the registry to see if the "FilterFilesWithUnknownExt
Thank you for your responses and will do what more I can remotely and let you know what happens.
Thanks - Al
One of the anomalies is that, although Explorer and the Command box both see the "_@xx.tmp" folder, Windows search does not. Supposedly Windows 2000 search was before MS decided what we can and can't search for. I should check the registry to see if the "FilterFilesWithUnknownExt
Thank you for your responses and will do what more I can remotely and let you know what happens.
Thanks - Al
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The _@xx.tmp file just happened to be recreating itself on a partition that had never been used. Deleting and recreating the partition along with the malware scans, seems to have eliminated the culprit.
Interesting note: Searching for *.tmp didn't find the _@xx.tmp file, however a search for _*.tmp did.
Interesting note: Searching for *.tmp didn't find the _@xx.tmp file, however a search for _*.tmp did.
ASKER
The solution was only fully effective after a drive partion was deleted and recreated as if there was some connection to the drives structure.
The last product that was run was VIPRE from Sunbelt Software.
The last product that was run was VIPRE from Sunbelt Software.
>Searching for *.tmp didn't find the _@xx.tmp file, however a search for _*.tmp did.
Out of interest: was Windows Explorer being used to perform the search? If so then what *other* things is Windows Explorer not showing us? This could be a very serious problem for those of us who think we've done a complete copy of something from one place to another, only to find that things are missing.
I wonder whether _@xx.tmp was chosen because of this advantage (to them) of being hidden?
Thank you for the points.
Out of interest: was Windows Explorer being used to perform the search? If so then what *other* things is Windows Explorer not showing us? This could be a very serious problem for those of us who think we've done a complete copy of something from one place to another, only to find that things are missing.
I wonder whether _@xx.tmp was chosen because of this advantage (to them) of being hidden?
Thank you for the points.
ASKER
The search was done with the Windows 2000 Search, which I'm assuming is part of Windows Explorer as no third party search product was installed..
http://www.surfright.nl/en/downloads/
I'll look around and see if I can find out more about this malware.