Solved

_@##.TMP Folders  ( _@10.tmp _@22.tmp etc )

Posted on 2011-02-26
Last Modified: 2013-12-05
We have a Windows 2000 server that has the folder _@##.tmp appearing in the root of one of the drives.  This folder cannot be deleted by normal means and we use zap.exe to get rid of it. It then reappears with the number, represented by the  ## incremented.

I've seen this problem before on another Windows server some years back and used one of the virus scanners of the day to remove the malware causing the folder to appear and reappear.

In this case we have run VIPRE, PREVX, Spybot, Malwarebytes, Superantispyware etc., with no ultimate resolution. It is suspected that it may be caused by a variant of Win32/Agent trojan.

Was wondering if anyone has some new information re this problem and its ultimate resolution.

Thanks - Al      
0
Question by:Alyork
9 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 34991732
For a Server OS, you might want to try Hitman Pro 64 Bit -
http://www.surfright.nl/en/downloads/

I'll look around and see if I can find out more about this malware.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34991839
I just confirmed that 'McAfee Stinger' is good for Server OS use and you should try it:
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx

0
 
LVL 31

Accepted Solution

by:
moorhouselondon earned 750 total points
ID: 34992316
Is it possible to "down" the server for a period to eradicate the problem?  If so, there are three suggestions I would make:-

(1) Use a virus checker that is capable of being run in Safe Mode.  AVG will do the trick.

(2) Use a virus checker on a CD that has its own built in OS to look across at the drive and eradicate it like that.  I recommend the BitDefender CD which is hosted on a Linux OS.  Boot off the CD and let it run, the OS can be a bit fussy about certain hardware though.

(3) Take the drive out, bung it in another pc as a slave drive and run a conventional virus scan on the drive.
0

 

Author Comment

by:Alyork
ID: 34992606
Unfortunately the server in question is in the boonies and I'm having to do this via remote support. And they have no tech person there to assist. I may have to go there if it's not able to be resolved and will detach the drives and do a scan from another computer.

One of the anomalies is that, although Explorer and the Command box both see the "_@xx.tmp" folder, Windows search does not. Supposedly Windows 2000 search was before MS decided what we can and can't search for. I should check the registry to see if the "FilterFilesWithUnknownExtensions" is present.  

Thank you for your responses and will do what more I can remotely and let you know what happens.

Thanks - Al
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 750 total points
ID: 34992620
Both of my suggestions can be attempted by a non-technical person.
Just send them the links and talk them through it.

One of the drawbacks to 'Safe Mode' or 'Slave Scans' is that various malware processes will not be running in either instance.

The truly effective anti-malware applications need the system running in full "Normal Mode" to effect the repairs.
0
 

Author Comment

by:Alyork
ID: 35053363
The _@xx.tmp file just happened to be recreating itself on a partition that had never been used. Deleting  and recreating the partition along with the malware scans, seems to have eliminated the culprit.

Interesting note: Searching for  *.tmp  didn't find the  _@xx.tmp   file, however a search for  _*.tmp  did.  
0
 

Author Closing Comment

by:Alyork
ID: 35053388
The solution was only fully effective after a drive partition was deleted and recreated, as if there was some connection to the drive's structure.

The last product that was run was VIPRE from Sunbelt Software.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 35054086
>Searching for  *.tmp  didn't find the  _@xx.tmp   file, however a search for  _*.tmp  did.  

Out of interest: was Windows Explorer being used to perform the search?  If so then what *other* things is Windows Explorer not showing us?  This could be a very serious problem for those of us who think we've done a complete copy of something from one place to another, only to find that things are missing.  

I wonder whether _@xx.tmp was chosen because of this advantage (to them) of being hidden?

Thank you for the points.
0
 

Author Comment

by:Alyork
ID: 35054199
The search was done with the Windows 2000 Search, which I'm assuming is part of Windows Explorer as no third party search product was installed.
0
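
The thread reports that a `*.tmp` search missed the `_@xx.tmp` entry and that the entry came back with an incremented number after deletion. The following is an added example, not part of any post above: it enumerates a drive root directly instead of relying on a search tool, and compares two scans to show renumbered reappearances. The function names, the 60-second re-scan interval and the idea of running it against the drive root from another machine are assumptions.

```python
import os
import re

# Name pattern from the thread: "_@" + digits + ".tmp" (e.g. _@10.tmp, _@22.tmp).
MARKER = re.compile(r"^_@(\d+)\.tmp$", re.IGNORECASE)
HIDDEN, SYSTEM = 0x2, 0x4  # Windows FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM


def scan_root(root):
    """Enumerate `root` directly and return {counter: info} for matching entries."""
    found = {}
    with os.scandir(root) as entries:
        for entry in entries:
            match = MARKER.match(entry.name)
            if not match:
                continue
            st = entry.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)  # only set on Windows
            found[int(match.group(1))] = {
                "path": entry.path,
                "is_dir": entry.is_dir(follow_symlinks=False),
                "hidden": bool(attrs & HIDDEN),
                "system": bool(attrs & SYSTEM),
            }
    return found


def recreated(before, after):
    """Counters present in `after` but not `before`: the entry came back renumbered."""
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    import sys
    import time

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    baseline = scan_root(root)
    print("baseline:", sorted(baseline))
    time.sleep(60)  # constructed interval; re-scan after a delete attempt
    print("new since baseline:", recreated(baseline, scan_root(root)))
```
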
