Solved

Windows/system32/l*.tmp corresponds to what virus or spyware?

Posted on 2006-07-06
10
678 Views
Last Modified: 2013-12-04
After running Webroot Spysweeper (updated) and SmitFix (for SmitFraud threat) all virus/spyware symptoms are gone. But then I install Norton Antivirus 2006 (updated) and its AutoProtect program finds Windows/system32/l*.tmp (many variations) where * is 3 or 4 mixed characters and numbers. It says they are all generic Trojan Horse threats and cannot be removed because they are being accessed.

WHAT IS THE CORRECT THREAT NAME? Have you ever seen this? If so, how was it resolved?

Overnight my customer is running NAV 2006 scan and maybe it will remove all during a reboot after scan (which gets around the "being accessed" error). And maybe not. He will call me tomorrow to let me know.

Windows XP Home SP2. Also a HJT log exists and is being analyzed by a Security expert but I did not see anything that stands out in the log. A partial Panda scan log is also being examined.

Mike
Question by: mgross333

10 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17056930
ld***.tmp
l****.tmp
hp****.tmp

are all smitfraud files. So SmitfraudFix.exe was already run? Maybe some files are still left behind.
SpywareQuake and SpyAxe smitfraud variants also tend to come back if you don't clear your zones.

Can we see the Hijackthis logfile? Just upload the log somewhere and only post the link here.
0
 

Author Comment

by:mgross333
ID: 17057811
rpggamergirl,

Thanks for your reply. I cannot upload the log to anywhere. I usually post in the KRC forum but it is down for upgrades right now and I am communicating with the KRC site principals by email. See last paragraph below in this post for my SOLUTION to that problem.

Also I did not create an HJT log after NAV 06 was installed, updated and then it started popping up about this threat. Because all user-observable symptoms had disappeared after the Spysweeper run and the SmitFix run (both done in Safe mode.)

BTW Webroot Spysweeper found the following threats (partial list): Anti Virus Gold Components (which Webroot said was related to SpyAxe and Spyware Strike), 180/zango, trojan-downloader-zlob, Spywarequake, popuper, trojan-digikeygen, spyfalcon fakealert, and zedo cookie. And removed ALL of these (to the best of its ability which is considerable; it is the top-rated Spyware scanner in the PC World Magazine article a few months ago).

It is possible that these l*.tmp files were not there during the SpySweeper scan or maybe Spysweeper did not recognize them as threats. Again I am hopeful NAV 06 (much improved for spyware over NAV 05) will remove every l*.tmp file during a reboot that NAV 06 will recommend at the end of its run. I have not heard back from my customer yet as to whether it did that PLUS whether NAV 06 continues to warn about these files after its run and removal. NAV 06 ITSELF is no slouch with respect to Spyware BTW (again per the same PC World Security survey a few months back).

I WILL NOW EMAIL YOU ALL THE LOGS I HAVE (BUT A **CURRENT** HJT LOG IS MISSING per the above): Spysweeper log (showing all threats found in detail), HJT log as described three paragraphs above, Rapport.txt (from SmitFix run) and a partial online PandaScan log (thru 60,000 files). Note: Most of what Pandascan finds is in the first 5 minutes (as it searches the likely places first) so I often do not run it to completion.

Mike

0
 

Author Comment

by:mgross333
ID: 17058666
rpggamergirl, Malware Huntress,

The customer called back this AM and said
NAV 06 scan said it found threats (he has no more details on how many or what threats)
He clicked the "Fix the problem button" in the NAV Scan window.
He clicked Finish

The NAV 06 Autoprotect Popup about ONE of the 100's of system32/l*.tmp files then disappeared.

He then rebooted and now NAV 06 Autoprotect does not warn continuously about these files. And he did after reboot go to the internet to check his email for a while. NOTE: He uses Mozilla Firefox and does NOT use IE ever. However, I used IE ONCE before the problem started because PandaScan online scan would not run from Mozilla.

Sounds Good.

However I am not convinced at all.

Because NAV 06 Autoprotect said it could not remove because the tmp files (one after the other) were being accessed. So the only way to remove is DURING a reboot before the Spyware that is accessing them has started up.  Which ALWAYS means the scanner at the end of fixing things, then pops up a window saying to reboot and a button to reboot WITHIN THE SCANNER APP is presented. That is what Webroot Spysweeper does and what I have seen NAV 06 scan do too in the past. Since the customer swears that did not happen, I do not understand how these were removed UNLESS NAV 06 scan/fix stopped the spyware that was accessing the tmp files and removed them without reboot which I question.

So I am not convinced.

OBVIOUS TEST: Check the system32 folder to see if they are still there (there were 100's of these !!). PROBLEM: Customer is at work and will not be back till this evening.

MY SOLUTION: I told customer to not turn PC back on for any reason. I will return tomorrow Saturday 7/8/06 in afternoon and check myself.

BUT also I want to do more here tomorrow like run SmitFraudFix AGAIN and also online PandaScan to completion this time (per request of Expert at the KRC forum) and post that scan results at KRC AND post here for you the link to the KRC forum post. If KRC is still down, then by email to you and KRC experts.

Also, rpggamergirl,
What do you recommend I do tomorrow BASED ON THE EMAIL WITH 4 LOGS I SENT YOU plus my series of posts above including this one?

Also, PandaScan only runs in IE. Should I not run online PandaScan as then IE will never be used again on this PC (it is not in Start Menu or Start/Programs menu). It is possible that that ONE IE use caused the tmp file problem??  IE being run after Spysweeper and SmitFraudFix were run. Then I installed NAV 06 and bingo the NAV popups about the tmp files start. Coincidence ????

Regards,
   Mike
0
 

Author Comment

by:mgross333
ID: 17058936
rpggamergirl,

I should note that one of the principals at the KRC Spyware Forum has now emailed me EXACT and explicit instructions on what to do next: Rerun SmitFraudFix, Option 2, do NOT omit DiskCleanup, say yes to Clean Registry. Then do a Complete Panda Scan and post logs from both runs. And she also says "As Webroot found AntiVirusGold, I am also going to be looking for Razeware files--as those are not covered by the tool.

If the symptoms are still there after all of the above, and I do not find anything in any of the logs, it is super-hidden and we'll run a WinPFind."

The KRC principal assists me in REAL TIME BTW. I mean she is checking for my posts (or emails if the KRC forum remains down) and replies quickly and also we talk on the phone while I am doing this. I pay her for this help and she is effectively a partner in my business.

The POINT of this post is that you SHOULD NOT FEEL OBLIGATED to provide a complete list of instructions on what to do next. If you recommend something NOT INCLUDED above in my listing of what she recommends, then it WOULD be appreciated if you would post that ADDITIONAL recommendation HERE.

To be completely clear, the only reason I posted in EE was she did not immediately last nite recognize what threat the l*.tmp files corresponded to. But it is now clear to both of us (PARTLY FROM YOUR REPLY) that they are SmitFraud.

Regards-Mike
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17060103
Mike,
I'm surprised that the KRC forum expert did not recognize smitfraud files straightaway; smitfraud has many variants and many files but those 3 similar-looking l****.tmp are the most obvious telltale signs of smitfraud infection.

I haven't received any emails from you yet, which email address did you send it to?
I also would like to mention that resolving a question via email is not allowed at EE; I'm sorry, but it is against EE guidelines.
http://www.experts-exchange.com/help.jsp#hi99

If you have logs that we can look at please upload them and only post the link here. You can upload logs at --> http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: just paste any logs to this site:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

Do you have the link to the KRC forum where you posted your problem? If you'd like to post it here, I would like to see and read the whole thread, thanks.
I will give more recommendations after I see those logs you mentioned, as of now I could only think of clearing your zones to make sure that the infection won't come back.

Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
right-click on the file and select "Install".

After the zones are cleared, if your client has Spywareblaster he then needs to re-enable all protection.
If he has Spybot S&D, he then needs to re-immunize.

Please keep us updated.
0
 

Author Comment

by:mgross333
ID: 17062357
rpggamergirl ,

Regarding
> I could only think of clearing your zones to make sure that the infection won't come back.

Sorry but because KRC was down, Lisa's usual cut and paste technique for instructions failed and her emailed instructions did NOT include (after Option 2 and Yes to Clean Registries) then Option 3- Delete Trusted Zones which is likely to be the entire reason the problem came back. And now we know and will run SmitFraudFix again including Option 3.

Regarding
> Do you have the link to the KRC forum where you posted your problem?

As mentioned by me above, the KRC forum is down and so I have not posted there.

As you will not accept logs by email, providing the email address I used will not forward the solution, right?? BTW I got it by clicking your EE name in your reply. You can do that and see the email address listed there along with your many certifications and points.

Mike
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17063352
Mike,
Not being able to clear the trusted zone could be the reason, or it could be a new variant.
New variants of smitfraud are showing up every week; maybe she has a new variant that smitfraud is not updated for yet.

When you get the rapport.txt (smitfraudfix log) it will say something along the lines of "Shared Task scheduler" similar to the one below. Can you post the result here?

SharedTaskScheduler:

%SYSTEM%\posem.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aeabe83d-672b-4717-9154-45bd6283c610}"="aporocactus"


>>BTW I got it by clicking your EE name in your reply. <<
I haven't got any email from you, I don't know what happened to the one you sent.
0
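The replies above name three places to check by hand: the SharedTaskScheduler key (with its CLSID resolving to a DLL in %SYSTEM%), the l***.tmp / ld***.tmp / hp****.tmp files in system32, and the Trusted Sites zone that SmitFraudFix Option 3 / DelDomains.inf clears. The following PowerShell script is an added example, not code from the thread or from SmitFraudFix, that reads those three locations so they can be compared against the rapport.txt output; it assumes Windows PowerShell 3.0 or later run as an administrator, and it changes nothing. The filename pattern is derived from the three shapes rpggamergirl lists, and the zone id 2 for Trusted Sites is the standard Internet Explorer ZoneMap value.

```powershell
# Added example, not from the thread: read-only review of the three locations
# discussed above. Assumes Windows PowerShell 3.0+ (for [PSCustomObject]) and
# an elevated session so HKLM and system32 are readable.

# 1. SharedTaskScheduler: Explorer loads every CLSID listed here at logon.
#    Resolve each CLSID to its InprocServer32 DLL so the label (e.g. "aporocactus")
#    can be compared with the file that actually backs it.
function Get-SharedTaskSchedulerEntries {
    $stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    if (-not (Test-Path $stsKey)) { return @() }
    $item = Get-Item -Path $stsKey
    foreach ($clsid in $item.GetValueNames()) {
        $dll = $null
        foreach ($classes in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
            $srv = Join-Path $classes "CLSID\$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)'; break }
        }
        $path = $null
        if ($dll) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            # A bare file name is resolved by the loader from system32; mirror that here.
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path ([Environment]::GetFolderPath('System')) $path
            }
        }
        $exists  = [bool]($path -and (Test-Path $path))
        $company = $null
        if ($exists) { $company = (Get-Item $path).VersionInfo.CompanyName }
        [PSCustomObject]@{
            CLSID   = $clsid
            Label   = $item.GetValue($clsid)
            Dll     = $path
            Exists  = $exists
            Company = $company   # a DLL with no CompanyName at all deserves a closer look
        }
    }
}

# 2. Files matching the l***.tmp / ld***.tmp / hp****.tmp shapes named in the thread:
#    prefix l or hp, then 3-4 alphanumerics, then .tmp, directly under system32.
function Get-SuspectTempFiles {
    $sys = [Environment]::GetFolderPath('System')
    Get-ChildItem -Path $sys -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^(l|hp)[A-Za-z0-9]{3,4}\.tmp$' } |
        Select-Object Name, Length, LastWriteTime
}

# 3. Hosts placed in the Trusted Sites zone (zone id 2). The thread's advice is to wipe
#    this with SmitFraudFix Option 3 / DelDomains.inf; listing it first records what was
#    there so anything legitimate can be re-added afterwards.
function Get-TrustedZoneDomains {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                # The registry stores "example.com\www"; reverse the parts to get www.example.com.
                $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                $parts = $rel -split '\\'
                [array]::Reverse($parts)
                [PSCustomObject]@{ Host = ($parts -join '.'); Scheme = $scheme }
            }
        }
    }
}

Get-SharedTaskSchedulerEntries | Format-Table -AutoSize
Get-SuspectTempFiles           | Format-Table -AutoSize
Get-TrustedZoneDomains         | Format-Table -AutoSize
```

Run it from an elevated prompt and keep the output next to rapport.txt: a SharedTaskScheduler row whose DLL sits in system32 under a nonsense name, a run of fresh l*.tmp files, or a Trusted Sites host nobody added on purpose are exactly the signs the replies above describe, and re-running the script after Option 3 confirms the zone was actually cleared.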
 

Author Comment

by:mgross333
ID: 17065540
Regarding email, perhaps your Spam filter (or your ISP's email server) filtered it out. Your ISP may have filtered it out because the email was so long.

I will post the Shared Task Scheduler part of the SmitFraudFix log when I have it in about 1/2 hour.

Thanks again for your help.

Mike
0
 

Author Comment

by:mgross333
ID: 17065652
rpggamergirl,

The log does not have the entry you described. Below is the ENTIRE SmitFraudFix.exe log (run in Safe mode) after Option 2 and after Registry cleaning is complete. Option 3 has not been run yet and will be done next after a reboot into safe mode per my instructions.

Mike

-----------------------------
Rapport.txt

---------------------------
SmitFraudFix v2.68b

Scan done at 14:52:03.56, Sat 07/08/2006
Run from C:\Documents and Settings\Ati\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17077741
Mike,

The Smitfraudfix log looks great! There is no new SharedTaskScheduler entry that it couldn't recognize or remove.

How is the pc going?
0