Help random popup weird exe in temp folder

[klop]

Hello,

Since yesterday I have weird popup that appears out of my screen. It's a IE window with altavista, gigablast, wisenut, lycos, google, yahoo or search engine like that.

I'm a Windows power user. I used to repair computers with spywares and virus at my shop.

I scanned with 3 Antivirus (Kaspersky, Norton and NOD32), 2 anti-spyware tools (Ad-aware and SpyBot) and HijackThis. They are all up to date and they found absolutely nothing even Ad-aware no tracking cookies. (I disabled them)

I have Windows XP SP2 with ALL patches and I'm behind a firewall. I disabled all the useless services.

I have random window with search engine that appears out of my screen and then an exe file appears with a random name (Nqchxfzcaj, Tuletbuxgm) in my C:\WINDOWS\Temp folder. They are all the same size (2.60Kb).

Here's my running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\VMware Workstation\vmware-authd.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

This is the first time I can't find what's the problem. I never had viruses and spyware on my computers. I need help and I dont want to format... :(

PS: I could attach one of the exe file for scanning if someone want it.

Thank you

[klop]

Wrong section?

[klop]

Anyone?

Is there a program that could tell me what process creates the exe in my temp folder?

[John Veteran]

No, this is the right section.

  Quote

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

What are these two? I've not seen them before, but the one above them is VMware, so I'm thinking they might be part of that. Also, the nvsvc32 looks suspicious; it's not a Windows file, and IIRC, nVidia's drivers don't use that file...

[_kane81]

are you using running Trend? Trend antivirus creates a random exe file in the C:\Windows\temp

folder with a little scotish dog icon. this exe is used to stop viruses shutting down trend.

If you delete the file another one will appear.

BTW: Trend will not cause this popup you are talking about. It probably something else.

[klop]

vmnat.exe and vmnetdhcp.exe are VMware services.

nvsvc32.exe is NVIDIA Driver Helper Service.

I'm not using Trend. There's no icon on the EXE and if I execute it, a popup appears out of my screen.

[klop]

I scanned with McAfee no virus. Scan with MS AntiSpyware no spyware...

4 antivirus, 3 antispyware, found nothing and still have popups...

[Tommy Vercetti]

Hi,

I can understand your situation, same thing happened with me, tried everything to no avail, the bst bet is to format and a new installation. By the way you can still check the Registry or the startup list to check what services are being loaded up during bootup.

[klop]

I checked everything I disabled everything but I will find it. I don't want to format. Format is too easy. And if the problem appears again I will have to format again. So if I find it and have the same problem later I will be able to repair it.

[hornett]

Perhaps you should submit the exe to an antivirus / spyware company ... that is a very wierd problem. :/

[GleaM]

?Hi everyone! This is my very first post on this forum:DD

I have had some problems with spyware, and when no utility seems to find it, I use Nt File Monitor (Filemon.exe) from Sysinternals:

http://www.sysinternals.com/ntw2k/source/filemon.shtml

FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters. >

I find it some times too much full of info, but once you start to filter what you are looking, it helps (it helped me much in the past). You should try to force the Pop-Up with Filemon running and monitor Iexplore.exe, for example, or just simple clear log just before opening Iexplore.

Hope it helps you as much as it has helped me;)).

(I've heard this forums are good, I'll check them often)

[uniacidz]

What happens when you click on the Tools/Manage Add-Ins? See something out of the ordinary there?

[klop]

  hornett said:

Perhaps you should submit the exe to an antivirus / spyware company ... that is a very wierd problem. :/

585292120[/snapback]

Yeah maybe I kept them all I have 36 random name exe file with the same size.

I scanned with Norton, McAfee, Nod32, Kaspersky (all up to date) -> found nothing

I scanned with Ad-Aware, HijackThis, Spybot S&D, Microsoft AntiSpyware -> found nothing

I still have random popup that appears out of my screen.

This is the first time I cant remove a spyware or virus. I used to work in a shop and I did this a lot of time.

I looked everywhere in my registry. I monitored processes, open dll, and even audits on Temp folder...

  GleaM said:

?Hi everyone! This is my very first post on this forum:DD

I have had some problems with spyware, and when no utility seems to find it, I use Nt File Monitor (Filemon.exe) from Sysinternals:

http://www.sysinternals.com/ntw2k/source/filemon.shtml

FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters. >

I find it some times too much full of info, but once you start to filter what you are looking, it helps (it helped me much in the past). You should try to force the Pop-Up with Filemon running and monitor Iexplore.exe, for example, or just simple clear log just before opening Iexplore.

Hope it helps you as much as it has helped me;)).

(I've heard this forums are good, I'll check them often)

585292131[/snapback]

Thanks I'll give a try.

  Davey said:

What happens when you click on the Tools/Manage Add-Ins? See something out of the ordinary there?

585292147[/snapback]

There's only two things Shockwave and Acrobat.