Random EXE in C:\Temp & 8 Steps Completed

[terrycad]

Windows XP64 SP2 PC in domain with new Watchguard FW, and Win2003 Server. User's Profile on this PC appears to be infected by a spam bot? We were getting flagged on spamcop.net, so I am not sure if it has something to do with the issue or not. Random four digit EXE's would appear in the C:\Temp folder (folder configured for temp files), along with a file-- axss. The EXE's are like this-- 7042.EXE, 4053.EXE... no apparent sequencing per se, just random.

The EXE's & the axss file, when deleted, would automatically re-appear, at the half-hour, on the one's, ie. 10:01a, 10:31a, and so forth. If the PC was disconnected, the EXE's & axss do not appear. If I login under my profile, the EXE's & axss do not appear. Now one time, I manage to grab like a "beginning" EXE (it had a bit larger K in it then the other EXE), that when I saved it to TXT, one sees a bunch of HTML code. Some of the code appears to point to web portal in China?

So after much searching on the Internet, I came upon your wonderful resource here and the 8 steps process. Thus, I ran all 8 steps and attach logs herein. Also, I have attached the text file of the EXE code. Has running the 8 steps thoroughly purged the bot? Should the User's profile be deleted and the re-created?

Thanks!
~Terry

 

[cubyong]

hey, i looked at your mbam log and no actions were taken. you should at least get rid of them. in your superantispyware, looks like you got a vundo.trojan :S for hijackthis, there are lots of processes that have (file missing) and by the way, what's this kurtz thing you got in hijackthis? well just get rid of malicious things in mbam and SAS and later on, one of the techspot members can help you further. you'll probably have to use combofix and sdfix as mflynn will suggest.