mgross333
Windows/system32/l*.tmp corresponds to what virus or spyware?
After running Webroot Spysweeper (updated) and SmitFix (for the SmitFraud threat), all virus/spyware symptoms are gone. But then I install Norton Antivirus 2006 (updated) and its AutoProtect program finds Windows/system32/l*.tmp (many variations), where * is 3 or 4 mixed characters and numbers. It says they are all generic Trojan Horse threats and cannot be removed because they are being accessed.
WHAT IS THE CORRECT THREAT NAME? Have you ever seen this? If so, how was it resolved?
Overnight my customer is running a NAV 2006 scan and maybe it will remove all of them during a reboot after the scan (which gets around the "being accessed" error). And maybe not. He will call me tomorrow to let me know.
Windows XP Home SP2. Also, a HJT log exists and is being analyzed by a security expert, but I did not see anything that stands out in the log. A partial Panda scan log is also being examined.
Mike
ASKER
rpggamergirl, Malware Huntress,
The customer called back this AM and said
NAV 06 scan said it found threats (he has no more details on how many or what threats)
He clicked the "Fix the problem button" in the NAV Scan window.
He clicked Finish
The NAV 06 Autoprotect Popup about ONE of the 100's of system32/l*.tmp files then disappeared.
He then rebooted and now NAV 06 Autoprotect does not warn continuously about these files. And he did after reboot go to the internet to check his email for a while. NOTE: He uses Mozilla Firefox and does NOT use IE ever. However, I used IE ONCE before the problem started because PandaScan online scan would not run from Mozilla.
Sounds Good.
However I am not convinced at all.
Because NAV 06 Autoprotect said it could not remove because the tmp files (one after the other) were being accessed. So the only way to remove is DURING a reboot before the Spyware that is accessing them has started up. Which ALWAYS means the scanner at the end of fixing things, then pops up a window saying to reboot and a button to reboot WITHIN THE SCANNER APP is presented. That is what Webroot Spysweeper does and what I have seen NAV 06 scan do too in the past. Since the customer swears that did not happen, I do not understand how these were removed UNLESS NAV 06 scan/fix stopped the spyware that was accessing the tmp files and removed them without reboot which I question.
So I am not convinced.
OBVIOUS TEST: Check the system32 folder to see if they are still there (there were 100's of these !!). PROBLEM: Customer is at work and will not be back till this evening.
MY SOLUTION: I told customer to not turn PC back on for any reason. I will return tomorrow Saturday 7/8/06 in afternoon and check myself.
BUT also I want to do more here tomorrow, like run SmitFraudFix AGAIN and also online PandaScan to completion this time (per request of the Expert at the KRC forum), and post those scan results at KRC AND post here for you the link to the KRC forum post. If KRC is still down, then by email to you and the KRC experts.
Also, rpggamergirl,
What do you recommend I do tomorrow BASED ON THE EMAIL WITH 4 LOGS I SENT YOU plus my series of posts above, including this one?
Also, PandaScan only runs in IE. Should I not run online PandaScan, as then IE will never be used again on this PC (it is not in the Start Menu or Start/Programs menu)? Is it possible that that ONE IE use caused the tmp file problem?? IE was run after Spysweeper and SmitFraudFix were run. Then I installed NAV 06 and bingo, the NAV popups about the tmp files started. Coincidence ????
Regards,
Mike
ASKER
rpggamergirl,
I should note that one of the principals at the KRC Spyware Forum has now emailed me EXACT and explicit instructions on what to do next: Rerun SmitFraudFix, Option 2, do NOT omit DiskCleanup, say yes to Clean Registry. Then do a Complete Panda Scan and post logs from both runs. And she also says "As Webroot found AntiVirusGold, I am also going to be looking for Razeware files--as those are not covered by the tool.
If the symptoms are still there after all of the above, and I do not find anything in any of the logs, it is super-hidden and we'll run a WinPFind."
The KRC principal assists me in REAL TIME BTW. I mean she is checking for my posts (or emails if the KRC forum remains down) and replies quickly and also we talk on the phone while I am doing this. I pay her for this help and she is effectively a partner in my business.
The POINT of this post is that you SHOULD NOT FEEL OBLIGATED to provide a complete list of instructions on what to do next. If you recommend something NOT INCLUDED above in my listing of what she recommends, then it WOULD be appreciated if you would post that ADDITIONAL recommendation HERE.
To be completely clear, the only reason I posted in EE was that she did not immediately last night recognize what threat the l*.tmp files corresponded to. But it is now clear to both of us (PARTLY FROM YOUR REPLY) that they are SmitFraud.
Regards-Mike
Mike,
I'm surprised that the KRC forum expert did not recognize smitfraud files straightaway; smitfraud has many variants and many files, but those 3 similar-looking l****.tmp files are the most obvious telltale signs of a smitfraud infection.
I haven't received any emails from you yet. Which email address did you send it to?
I also would like to mention that resolving a question via email is not allowed at EE. I'm sorry, but it is against EE guidelines.
https://www.experts-exchange.com/help.jsp#hi99
If you have logs that we can look at, please upload them and only post the link here. You can upload logs at --> http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.
OR: just paste any logs to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.
Do you have the link to the KRC forum where you posted your problem? If you'd like to post it here, I would like to see and read the whole thread, thanks.
I will give more recommendations after I see those logs you mentioned; as of now I could only think of clearing your zones to make sure that the infection won't come back.
Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the file and select "Install".
After the zones are cleared, if your client has Spywareblaster he then needs to re-enable all protection.
If he has Spybot S&D, he then needs to re-immunize.
Please keep us updated.
ASKER
rpggamergirl ,
Regarding
> I could only think of clearing your zones to make sure that the infection won't come back.
Sorry but because KRC was down, Lisa's usual cut and paste technique for instructions failed and her emailed instructions did NOT include (after Option 2 and Yes to Clean Registries) then Option 3- Delete Trusted Zones which is likely to be the entire reason the problem came back. And now we know and will run SmitFraudFix again including Option 3.
Regarding
> Do you have the link to the KRC forum where you posted your problem?
As mentioned by me above, the KRC forum is down and so I have not posted there.
As you will not accept logs by email, providing the email address I used will not forward the solution, right?? BTW I got it by clicking your EE name in your reply. You can do that and see the email address listed there along with your many certifications and points.
Mike
Mike,
Not being able to clear the trusted zone could be the reason or could be a new variant.
New variants of smitfraud are showing up every week; maybe she has a new variant that smitfraud is not updated for yet.
When you get the rapport.txt (SmitFraudFix log), it will say something along the lines of "Shared Task Scheduler", similar to the one below. Can you post the result here?
SharedTaskScheduler:
%SYSTEM%\posem.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aeabe83d-672b-4717-9154-45bd6283c610}"="aporocactus"
>>BTW I got it by clicking your EE name in your reply. <<
I haven't got any email from you; I don't know what happened to the one you sent.
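Added example, not code from the thread or from SmitFraudFix: a small Python triage script that splits a rapport.txt into its »»» sections, pulls out the SharedTaskScheduler block described in the reply above, reports whether any DLL hit is still present in the "After" section, and also filters a system32 directory listing for the l*.tmp naming pattern from the original question. The sample log and file names are constructed for this example; the posem.dll and GUID lines are copied from the reply above.

```python
import re

# Constructed sample rapport.txt (not a real log from this thread), modelled on
# the SmitFraudFix format: one SharedTaskScheduler hit before, none after.
SAMPLE_RAPPORT = """\
SmitFraudFix v2.68b
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
SharedTaskScheduler:
%SYSTEM%\\posem.dll
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler]
"{aeabe83d-672b-4717-9154-45bd6283c610}"="aporocactus"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Filename shape from the question: "l" + 3 or 4 letters/digits + ".tmp".
TMP_NAME = re.compile(r"^l[0-9a-z]{3,4}\.tmp$", re.IGNORECASE)

def split_sections(text):
    """Group log lines under the »»» section header they follow."""
    sections = {}
    current = None
    for line in text.splitlines():
        if line.startswith("»»»"):
            current = line.lstrip("»").strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def shared_task_scheduler_entries(lines):
    """Return the lines SmitFraudFix prints under 'SharedTaskScheduler:'."""
    entries, collecting = [], False
    for line in lines:
        if line == "SharedTaskScheduler:":
            collecting = True
        elif collecting and line.strip():
            entries.append(line)
        elif collecting:
            break  # a blank line ends the block
    return entries

def triage(text):
    """Compare Before/After sections: DLL hits found, and any left behind."""
    sections = split_sections(text)
    before = shared_task_scheduler_entries(sections.get("Before SmitFraudFix", []))
    after = shared_task_scheduler_entries(sections.get("After SmitFraudFix", []))
    return {
        "found_before": [e for e in before if e.lower().endswith(".dll")],
        "remaining_after": [e for e in after if e.lower().endswith(".dll")],
        "registry_keys": [e for e in before if e.startswith("[HKEY_")],
    }

def suspicious_tmp_names(names):
    """Pick out directory entries matching the l*.tmp pattern from the question."""
    return sorted(n for n in names if TMP_NAME.match(n))
```

Run triage() over a real rapport.txt and treat a non-empty "remaining_after" list as a sign the fix did not finish its job; the "registry_keys" list gives the key to inspect by hand.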
ASKER
Regarding email, perhaps your spam filter (or your ISP's email server) filtered it out. Your ISP may have filtered it out because the email was so long.
I will post the Shared Task Scheduler part of the SmitFraudFix log when I have it in about 1/2 hour.
Thanks again for your help.
Mike
ASKER
rpggamergirl,
The log does not have the entry you described. Below is the ENTIRE SmitFraudFix.exe log (run in Safe mode) after Option 2 and after Registry cleaning is complete. Option 3 has not been run yet and will be done next after a reboot into safe mode per my instructions.
Mike
-----------------------------
Rapport.txt
-----------------------------
SmitFraudFix v2.68b
Scan done at 14:52:03.56, Sat 07/08/2006
Run from C:\Documents and Settings\Ati\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Mike,
The Smitfraudfix log looks great! There is no new SharedTaskScheduler entry that it couldn't recognize or remove.
How is the pc going?
ASKER
Thanks for your reply. I cannot upload the log to anywhere. I usually post in the KRC forum but it is down for upgrades right now and I am communicating with the KRC site principals by email. See last paragraph below in this post for my SOLUTION to that problem.
Also, I did not create an HJT log after NAV 06 was installed, updated and then started popping up about this threat, because all user-observable symptoms had disappeared after the Spysweeper run and the SmitFix run (both done in Safe mode).
BTW Webroot Spysweeper found the following threats (partial list): Anti Virus Gold Components (which Webroot said was related to SpyAxe and Spyware Strike), 180/zango, trojan-downloader-zlob, Spywarequake, popuper, trojan-digikeygen, spyfalcon fakealert, and zedo cookie. And it removed ALL of these (to the best of its ability, which is considerable; it is the top-rated spyware scanner in the PC World Magazine article a few months ago).
It is possible that these l*.tmp files were not there during the SpySweeper scan, or maybe Spysweeper did not recognize them as threats. Again I am hopeful NAV 06 (much improved for spyware over NAV 05) will remove every l*.tmp file during a reboot that NAV 06 will recommend at the end of its run. I have not yet heard back from my customer as to whether it did that PLUS whether NAV 06 continues to warn about these files after its run and removal. NAV 06 ITSELF is no slouch with respect to spyware BTW (again per the same PC World security survey a few months back).
I WILL NOW EMAIL YOU ALL THE LOGS I HAVE (BUT A **CURRENT** HJT LOG IS MISSING per the above): Spysweeper log (showing all threats found in detail), HJT log as described three paragraphs above, Rapport.txt (from the SmitFix run) and a partial online PandaScan log (through 60,000 files). Note: Most of what Pandascan finds is in the first 5 minutes (as it searches the likely places first), so I often do not run it to completion.
Mike