Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

Created: 23 Oct 2013 • Updated: 24 Oct 2013 | 7 comments
This issue has been solved. See solution.

We have a couple of client machines regularly popping up reporting ****.tmp.exe in %username%/appdata/temp. We removed the file, cleared the temp folder and have scanned the machine for malware with all sorts, but it still pops up regularly.

We are overly cautious at the minute with Cryptolocker in the wild. 

Can anyone shed any light on what's going on?

Thanks.

Jim

.Brian's picture

Are you using the ADC component? If so, you can try the advice here:

https://www-secure.symantec.com/connect/forums/cry...

Did you submit the file?

http://www.symantec.com/security_response/submitsa...

I would also suggest you submit to VirusTotal, Anubis, and ThreatExpert (owned by Symantec) for analysis:

https://www.virustotal.com/

http://www.threatexpert.com/

http://anubis.iseclab.org/

Did a scan reveal anything?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

Is it showing up in the SEPM report or during the scan by SEP client?

Orbits's picture

Thanks for the quick reply both. We are not using the ADC component. I could try using it but will need to roll it out steadily or just apply it to those 2 clients for now.

I haven't submitted the file, I will do that next time it appears.

A scan with Symantec hasn't picked anything up but Malwarebytes found a trojan in Appdata/Local/Adobe earlier. Cleared that out and it hasn't reappeared in scans with MB and Hitman.

It's the Insight component finding it, which suggests it's being downloaded, but no browsers etc. are open.

.Brian's picture

It can also come into play during user/admin defined scans as well, not just with downloads. See here:

http://www.symantec.com/docs/TECH169282

Orbits's picture

I would say it's an active scan then, as I've been watching the folder and it flags it almost as soon as it appears in the temp folder.

Orbits's picture

Just an update. I spoke with Symantec and it turns out we had a variant of the Cylex?? Cylar?? virus that wasn't in the defs until midnight last night. Fortunately I came in today, updated all clients and it picked it up and touch wood all fine since.

Thanks for your help.

SOLUTION