
Weird Folder


Wijono


In one of the WinXP SP2 PC I found a really weird folder as follows:

C:\Documents and Settings\UserName\Local Settings\Temp\908176366

Whenever I deleted that “908176366” folder, within a few seconds it was recreated.

What could that be? Virus? Trojan?

Please help ….

Edited by Wijono


If you want to see the executable name that is creating the folder, run filemon (from sysinternals) and then delete the folder. When it is recreated, you will see what process created the file - that will help you figure out which virus/trojan/malware app caused it, as you can then search that .exe file in google to see what it belongs to.


About two weeks ago this PC got a lot of viruses, but they were caught right away by TrendMicro OfficeScan. Ewido also found “dialer.generic” but also deleted it. In the current situation nothing is found by OfficeScan, ewido, Ad-Aware or Spybot.

Meanwhile, besides the weird folder “908176366” I also found a weird file in the folder <C:\Documents and Settings\UserName\Local Settings\Temp> called “CEX?.tmp”, where the “?” can be any number 1-9 and keeps on changing after reboot, i.e., one time it is e.g. CEX4.tmp, next time CEX8.tmp etc. This file cannot be deleted because it is being used by another person or program. Nothing strange is shown in the Processes tab of Task Manager though, so I cannot find out what program may be using it. The file size is always the same, 1.70 MB. Looking into it shows contents like this (certificate related?):


Now about the contents of the folder “908176366”: whenever IE6 opens a website that has login name and password fields, like this forum, a file is generated in that folder. The name follows the same pattern of 4 numerals plus .tmp, e.g., 3548.tmp, and it contains something like an HTML file. That sort of file is not created if the same website is opened with Firefox!! I could be wrong, but I have the feeling it is an attempt to steal the password!!

Any clue to the solution of this weird and challenging problem will be highly appreciated.


Thank you all guys.

Additional information: TrendMicro Officescan, ewido, Spybot and Ad-Aware did not find anything wrong.

But after manual search I found following abnormalities in the registry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgn1216a

HKLM\SYSTEM\CurrentControlSet\Services\mm77lgn\

also some modification in the:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\

To my knowledge it is some sort of Trojan Haxdoor.

I manually deleted those registry keys and rebooted; it seems that the symptoms are gone now, or at least for the time being. But as I did not physically delete the following files (not there anymore after reboot):

C:\WINNT\system32\lgn1216a.dll

C:\WINNT\system32\mm77lgn.sys

So I am afraid the generator of those files is still hidden somewhere. Am I right?

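An added example, not code from this thread: a PowerShell script (PowerShell 2.0, which is available for XP) that enumerates the two persistence locations the post above found by hand, Winlogon\Notify packages and service/driver ImagePaths, and flags every entry whose file is missing or not Authenticode-signed. It assumes nothing about the names (lgn1216a, mm77lgn); those would simply show up as unsigned or missing entries in the output.

```powershell
# Added example (not from the thread). Lists Winlogon\Notify packages and service ImagePaths
# and flags entries whose referenced file is missing or unsigned. Winlogon\Notify packages
# exist on XP/2003 only; the Services check works on any Windows version.
$findings = @()

# 1. Winlogon notification packages: each subkey carries a DLLName loaded by winlogon.exe
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    Get-ChildItem $notifyRoot | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        # a bare file name is resolved from system32, as winlogon does
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        $findings += New-Object PSObject -Property @{ Source = 'Winlogon\Notify'; Name = $_.PSChildName; File = $dll }
    }
}

# 2. Services and kernel drivers: ImagePath points at the .exe or .sys
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { return }
    # strip surrounding quotes, the \??\ and \SystemRoot\ prefixes, then expand %SystemRoot% etc.
    $path = $img -replace '^"([^"]+)".*', '$1' -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -match '^(system32\\|drivers\\)') { $path = Join-Path $env:SystemRoot $path }
    # drop trailing arguments such as "-k netsvcs"
    $path = ($path -split ' -| /')[0]
    $findings += New-Object PSObject -Property @{ Source = 'Services'; Name = $_.PSChildName; File = $path }
}

# 3. Flag: file missing (already removed, or key points at nothing) or signature not valid
foreach ($f in $findings) {
    if (-not $f.File -or -not (Test-Path -LiteralPath $f.File)) {
        $f | Add-Member -MemberType NoteProperty -Name Status -Value 'MISSING'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $f.File
        $f | Add-Member -MemberType NoteProperty -Name Status -Value $sig.Status
    }
}

# Everything not 'Valid' deserves a look; legitimate third-party drivers may be unsigned on XP,
# so compare the list against a known-good machine rather than deleting on sight.
$findings | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Source, Name |
    Format-Table Source, Name, Status, File -AutoSize
```

On XP the NotSigned status is common for vendor drivers, so the useful signal is an entry that is missing, has a random-looking name, or has no matching installed product.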

Additional information: TrendMicro Officescan, ewido, Spybot and Ad-Aware did not find anything wrong.

Why do people run anti-spyware programs instead of anti-virus when they have a virus?

Wijono, download, install, update and do a full system scan with Kaspersky AntiVirus or NOD32, please. Also, good freeware anti-virus programs are Avast and AntiVir.

Do your scans in safe mode, as well.


...and a probably dismal one at that :}

I manually deleted those registry keys and rebooted; it seems that the symptoms are gone now, or at least for the time being. But as I did not physically delete the following files (not there anymore after reboot):

C:\WINNT\system32\lgn1216a.dll

C:\WINNT\system32\mm77lgn.sys

So I am afraid the generator of those files is still hidden somewhere. Am I right?

If the files are gone, and they don't come back (or other similar randomly-named ones), you can assume there's no more of it left.

Spybot & Trend Micro Online are crap when it comes to being secure, prevention is the best medicine.

I have an idea, run a good AV/AS app (hint, it's NOD32 or Kaspersky). Both of which have great virus and great spyware prevention. Then throw Windows Defender in the mix which has great prevention as well and run your internet apps (ex: browsers, Usenet, IM) in a non admin mode via RunAs or using DropMyRights.

You can read my guide about this at: http://rhelik.lehost.net/help/security/

Edited by travisowens

I use NOD32 and SpywareBlaster on my pc + common sense when browsing the internet. Never had any problems. IMHO, common sense (ie: don't click on any button that says "Download" or "Click here to claim your prize") values more than av software.
