Hi,
I have a Dell XPS13 with Windows 10, and I'm getting recurring malware, at least some of which is Chrome related. I first noticed it when my Avira Free AV detected some malware of type "TR/Dldr.Agent.zbthu" and "Crypt.XPACK.Gen3" and quarantined the files. Then I looked at my task manager and realized that everytime I boot up, an executable with the filename gXXXX.tmp.exe will run, where XXXX is some alphanumeric string. I traced this file to C:\Windows\Temp, and also to the Windows registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce.
I tried doing a manual scan of this file with Avira, and it didn't detect it as malware, so it seems I'm dealing with multiple types of malware, of which Avira is only able to detect and quarantine some.
Naturally, I ended the task, deleted the executable, and deleted the registry entry, but everytime I reboot, it will come back again as another filename.
I tried running Process Monitor to see who's writing to the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce registry key, but it seems the gXXXX.tmp.exe was the one to add itself there. However, I can't seem to figure out who created gXXXX.tmp.exe in C:\Windows\Temp in the first place. The .tmp.exe seem to be be accessing C:\ProgramData\CouponAlert\CouponAlert.dll though, and I can't seem to delete that folder as it's currently being used.
Also, some of the files seem to be tied to Chrome, as I am unable to delete the files (.exe and .tmp) while Chrome was open. Suspecting that it could be an extension, I disabled them 1 by 1 to try and figure out if an extension was causing this, but even when all extensions are disabled, I was still unable to delete the file.
The .tmp files appear to be executables upon inspection with a hex editor as well as IDA Pro, but I'm not about to do a detailed analysis on them. ProcessMonitor showed that they were created by rundll32.exe though.
How do I get rid of the source of the problem that's spawning these malware executables?
I have a Dell XPS13 with Windows 10, and I'm getting recurring malware, at least some of which is Chrome related. I first noticed it when my Avira Free AV detected some malware of type "TR/Dldr.Agent.zbthu" and "Crypt.XPACK.Gen3" and quarantined the files. Then I looked at my task manager and realized that everytime I boot up, an executable with the filename gXXXX.tmp.exe will run, where XXXX is some alphanumeric string. I traced this file to C:\Windows\Temp, and also to the Windows registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce.
I tried doing a manual scan of this file with Avira, and it didn't detect it as malware, so it seems I'm dealing with multiple types of malware, of which Avira is only able to detect and quarantine some.
Naturally, I ended the task, deleted the executable, and deleted the registry entry, but everytime I reboot, it will come back again as another filename.
I tried running Process Monitor to see who's writing to the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce registry key, but it seems the gXXXX.tmp.exe was the one to add itself there. However, I can't seem to figure out who created gXXXX.tmp.exe in C:\Windows\Temp in the first place. The .tmp.exe seem to be be accessing C:\ProgramData\CouponAlert\CouponAlert.dll though, and I can't seem to delete that folder as it's currently being used.
Also, some of the files seem to be tied to Chrome, as I am unable to delete the files (.exe and .tmp) while Chrome was open. Suspecting that it could be an extension, I disabled them 1 by 1 to try and figure out if an extension was causing this, but even when all extensions are disabled, I was still unable to delete the file.
The .tmp files appear to be executables upon inspection with a hex editor as well as IDA Pro, but I'm not about to do a detailed analysis on them. ProcessMonitor showed that they were created by rundll32.exe though.
How do I get rid of the source of the problem that's spawning these malware executables?
Last edited:
