As soon as I delete the contents of the temp directory, it starts filling up again! I did a virus scan, but it came up empty. I can't use my computer because the hard drive keeps thrashing (as it is copying files constantly).

Has anyone seen this before and what can be done?

Thanks.

 |  IP: Logged

It creates a folder in Windows/temp called 'sys32' and proceedes to fill it up with random junk it copies from other folders. It also wants to connect to the net, and when you do that it starts downloading random files and places these in there as well.

If you delete the sys32 folder, the process stops immediately...until you reboot, wherein the process starts all over again (and it wants to connect to the net, etc).

Everything seems to work fine - nothing is damaged.

No virus definitions I have found correspond to this.

Jerry's suggestion was great - taskinfo found the culprit. There's a file called explorer.scr that starts running whenever I boot the machine. I imagine .scr is some kind of script?

What else would I have to delete so that it doesn't execute this script upon booting?

Thanks, Jerry!

EDIT: Ah, got it! Everything in the system folder starts upon booting (makes sense I guess). You also cannot delete stuff from the system folder once you have booted since that file is in use...so I booted from a floppy and...it worked!

Now, the only question that remains is this: who would write such a horrible program and to what avail?

To attempt to answer some of your questions; .SCR extensions are supposedly Windows screensavers, which by my crotchity definition are close to viruses even when properly made. Windows will execute a program labelled with an .SCR extension, as you found. This can fool some people into downloading a file that they think is innocent, whereas they might not download and .EXE or .COM extension.

What is it doing? My guess is that it is looking to send the information it finds to some remote computer, as a hack or for some nefarious purpose. The code is probably written by some script-kiddie and that is why it crashes your computer rather than sending the files.

Virus definition files are a weak point in anti-viruses, as you just found. You may find that some virus databases like NAV will find a virus when another like MaCaffe will totally miss it. New viruses can be totally missed.

Look for virus and trojan problems to get much much worse in the coming years. DOS was built simply and viruses had few places to hide. Multitasking operating systems provide many places and obscure names where a virus can hide without being detected.

Now that you've dispatched the main program, I would suggest using the My_Computer/File/Find dialog box to find any files that contain the word "explorer.scr" Most script kiddies don't know how to parse out a name, and you will most likely find a mother file or program ready to reinstall this POS. I would be curious to know the name of that program. If you have the file, you might send a copy to Symantec or the other anti-virus companies.

 |  IP: Logged

 |  IP: Logged

 |  IP: Logged

If this is "checked", you won't see the file extensions for known file types... so if I send you a file like "greatpic.jpg.exe" you will only see the "greatpic.jpg" filename, and we all know a .jpg file is relatively safe to open... except it's really a program (and undoubtedly evil: there is no reason to hide a friendly program). This camouflage is used by many "social engineering" virus distributions.
There are dozens of known file extensions that are "executable" and can carry a virus payload. Any file with a double extension (like *.jpg.vbs) or any unknown (to you) extension should NEVER be opened. Doing a google search for the extension will usually tell you the function or parent program involved if you're curious.

If someone is specifically trying to hack your machine, the little zit-laden moron using his script kiddie programs will give up quickly if he finds you are using a firewall. This kind of reminds of that statistic in how most cars that get stolen were unlocked. Many computers that get hacked are hacked partly as a fault of the user not "locking the doors".

I get a list of all the potential threats it picks up, and it traces back to find out details of the source. It links to their website to explain what each type of attack is doing, and even tells you whether the OS (wink 2k in my case, also recomeded) or BlackIce blocked the attck. You can easily set up filters to block/allow certain types of connection. And it now prevents unauthorised software running and/or connecting to the network with minimal configuration required. It even noticed that I had upgraded windows explorer and asked me before letting it run again.

 |  IP: Logged

 |  IP: Logged