Wijono Posted October 18, 2006 (edited)
In one of the WinXP SP2 PCs I found a really weird folder as follows:
C:\Documents and Settings\UserName\Local Settings\Temp\908176366
Whenever I deleted that "908176366" folder, in a few seconds it would be recreated.
What could that be? Virus? Trojan?
Please help....
Edited October 19, 2006 by Wijono
nitroshift Posted October 18, 2006
The solution to find out might be to scan your PC for viruses / malware / spyware, isn't it?
daedalus123 Posted October 18, 2006
That's a trojan; a friend of mine had the same thing. Just have a good antivirus run a scan. ZA SS can remove it.
cluberti Posted October 18, 2006
If you want to see the executable name that is creating the folder, run filemon (from sysinternals) and then delete the folder. When it is recreated, you will see what process created the file - that will help you figure out which virus/trojan/malware app caused it, as you can then search for that .exe file in Google to see what it belongs to.
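Filemon can save its trace as a tab-separated text file, and with a busy machine that trace is long. The script below is an added example (not cluberti's code and not part of the Sysinternals tool) that walks such an export and reports which process issued the CREATE on the folder, separating it from processes that merely read files inside it. The column layout it assumes is #, Time, Process, Request, Path, Result, Other, with Process written as "name.exe:PID"; the log lines in SAMPLE_LOG and the process name EXAMPLE_UNKNOWN.exe are constructed for illustration.

```python
"""Find which process recreates a folder from a Filemon-style log.

Added example for this thread, not from the Sysinternals tool itself.
Assumed input format: tab-separated Filemon export with the columns
#, Time, Process, Request, Path, Result, Other, where Process reads
"name.exe:PID". The log lines below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample: Explorer deletes the folder, then an unknown process
# (placeholder name) recreates it and drops a .tmp file; the browser only reads.
SAMPLE_LOG = """\
1\t10:41:02 AM\texplorer.exe:1488\tDELETE\tC:\\Documents and Settings\\User\\Local Settings\\Temp\\908176366\tSUCCESS\t
2\t10:41:05 AM\tsvchost.exe:1044\tOPEN\tC:\\WINNT\\system32\\drivers\\etc\\hosts\tSUCCESS\tOptions: Open  Access: Read
3\t10:41:06 AM\tEXAMPLE_UNKNOWN.exe:2208\tCREATE\tC:\\Documents and Settings\\User\\Local Settings\\Temp\\908176366\tSUCCESS\tOptions: Create Directory
4\t10:41:06 AM\tEXAMPLE_UNKNOWN.exe:2208\tCREATE\tC:\\Documents and Settings\\User\\Local Settings\\Temp\\908176366\\3548.tmp\tSUCCESS\tOptions: OverwriteIf  Access: All
5\t10:41:07 AM\tiexplore.exe:1960\tOPEN\tC:\\Documents and Settings\\User\\Local Settings\\Temp\\908176366\\3548.tmp\tSUCCESS\tOptions: Open  Access: Read
"""

PROCESS_RE = re.compile(r"^(?P<name>.+?):(?P<pid>\d+)$")


def parse_filemon(log_text):
    """Yield one dict per well-formed Filemon line; skip anything else."""
    for raw in log_text.splitlines():
        fields = raw.split("\t")
        if len(fields) < 6:
            continue
        m = PROCESS_RE.match(fields[2].strip())
        if not m:
            continue
        yield {
            "seq": fields[0],
            "time": fields[1],
            "process": m.group("name"),
            "pid": int(m.group("pid")),
            "request": fields[3].strip().upper(),
            "path": fields[4].strip(),
            "result": fields[5].strip(),
            "other": fields[6].strip() if len(fields) > 6 else "",
        }


def _under(path, target):
    """True if path is target itself or lies beneath it (case-insensitive)."""
    p = path.lower()
    return p == target or p.startswith(target + "\\")


def find_creators(log_text, target_path):
    """Return [((process, pid), count)] for successful CREATE requests on
    target_path or anything beneath it, most active creator first."""
    target = target_path.rstrip("\\").lower()
    counts = Counter()
    for ev in parse_filemon(log_text):
        if ev["request"] == "CREATE" and ev["result"] == "SUCCESS" and _under(ev["path"], target):
            counts[(ev["process"], ev["pid"])] += 1
    return counts.most_common()


def accessors_of(log_text, target_path):
    """Sorted names of every process that touched the folder in any way,
    so the creator (the suspect) can be told apart from mere readers."""
    target = target_path.rstrip("\\").lower()
    return sorted({ev["process"] for ev in parse_filemon(log_text) if _under(ev["path"], target)})


if __name__ == "__main__":
    folder = r"C:\Documents and Settings\User\Local Settings\Temp\908176366"
    for (proc, pid), n in find_creators(SAMPLE_LOG, folder):
        print(f"{proc} (PID {pid}) created {n} item(s) under {folder}")
    print("all processes touching it:", accessors_of(SAMPLE_LOG, folder))
```

Run it against a real export by reading the saved Filemon file into `find_creators` with the folder path from the first post; the PID lets you match the hit against Task Manager or Process Explorer before the process disappears again.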
Wijono Posted October 19, 2006 (Author)
Thank you all, guys.
Cluberti, could you brief me a bit more on filemon (from sysinternals)?
Thanks.
LLXX Posted October 19, 2006
What's in it?
Wijono Posted October 19, 2006 (Author)
About two weeks ago this PC got a lot of viruses, but they were caught right away by TrendMicro OfficeScan. Ewido also found "dialer.generic" but also deleted it. In the current situation nothing is found by OfficeScan, ewido, Ad-Aware or Spybot.
Meanwhile, besides the weird folder "908176366", I also found a weird file in the folder <C:\Documents and Settings\UserName\Local Settings\Temp> called "CEX?.tmp", where the "?" can be any number 1-9 and keeps on changing after reboot, i.e., one time it is e.g. CEX4.tmp, the next time CEX8.tmp, etc. This file cannot be deleted, because it is being used by another person or program. Nothing strange is shown in the Processes tab of Task Manager though. As such I cannot find out what program may be using it. The file size is always the same, 1.70 MB. Looking into it shows contents like this (certificate related?):
-------------------------------------------------------------------------
Validity ‹òÆ ú,s}Next€óÆ ´Òÿ0ƒ :¬0ƒ 9“ 0.041106144701Z0 NØ×Ý 041106144756Z0 Q ë= 041109192057Z0 Q ë .o9OØ ô ÁDc°yÛ*–J䆇 ÞTVP²oh€Aè½Ou¾F¬Å˜¥Q2ýQñØö ñ¯KºK íÌÇ®ÐàGËž†i·JuÔ#‚Ë«àÒUÂpÁ2£äþ:“Invisible
-------------------------------------------------------------------------
Now about the contents of the folder "908176366": whenever IE6 opens a website that has login name and password fields, like this forum, a file is generated in that folder. The name has the same pattern of 4 numerals plus .tmp, e.g., 3548.tmp. It contains something like an HTML file. That sort of file will not be created if the same website is opened by Firefox!! I can be wrong, but I have the feeling it is an attempt to steal the password!!
Any clue to the solution of this weird and challenging problem will be highly appreciated.
cluberti Posted October 19, 2006
The web page for filemon should have all of the info you should need to get started.
http://www.sysinternals.com/utilities/filemon.html
LLXX Posted October 20, 2006
Looks like a possible variant of Backdoor-CEX: http://vil.nai.com/vil/content/v_125317.htm
HiJackThis log please?
It's probably disguised as some legitimate process name.
Wijono Posted October 23, 2006 (Author)
Thank you all, guys.
Additional information: TrendMicro OfficeScan, ewido, Spybot and Ad-Aware did not find anything wrong.
But after a manual search I found the following abnormalities in the registry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgn1216a
HKLM\SYSTEM\CurrentControlSet\Services\mm77lgn\
also some modification in:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
To my knowledge it is some sort of Trojan Haxdoor.
I manually deleted those registry keys and rebooted; it seems that the symptoms are gone now, or at least for the time being. But I did not physically delete the following files (not there anymore after reboot):
C:\WINNT\system32\lgn1216a.dll
C:\WINNT\system32\mm77lgn.sys
So I am afraid the generator of those files is still hidden somewhere. Am I right?
Jeremy Posted October 23, 2006
> Additional information: TrendMicro Officescan, ewido, Spybot and Ad-Aware did not find anything wrong.
Why do people run anti-spyware programs instead of anti-virus when they have a virus?
Wijono, download, install, update and do a full system scan with Kaspersky AntiVirus or NOD32, please. Also, good freeware anti-virus is Avast or AntiVir.
Do your scans in safe mode, as well.
cluberti Posted October 23, 2006
Correct me if I'm wrong, but I believe TrendMicro OfficeScan is an antivirus product.
LLXX Posted October 24, 2006
...and a probably dismal one at that.
> I manually deleted those registry keys and rebooted, it seems that symptoms are gone now, or at least for the time being. But as I did not physically deleted following files (not there anymore after reboot):
> C:\WINNT\system32\lgn1216a.dll
> C:\WINNT\system32\mm77lgn.sys
> So I am afraid the generator of those files is still hiden somewhere. Am I right?
If the files are gone, and they don't come back (or other similar randomly-named ones), you can assume there's no more of it left.
TravisO Posted October 26, 2006 (edited)
Spybot & Trend Micro Online are crap when it comes to being secure; prevention is the best medicine.
I have an idea: run a good AV/AS app (hint, it's NOD32 or Kaspersky). Both of which have great virus and great spyware prevention. Then throw Windows Defender in the mix, which has great prevention as well, and run your internet apps (ex: browsers, Usenet, IM) in a non-admin mode via RunAs or using DropMyRights.
You can read my guide about this at: http://rhelik.lehost.net/help/security/
Edited October 26, 2006 by travisowens
nitroshift Posted October 26, 2006
I use NOD32 and SpywareBlaster on my PC + common sense when browsing the internet. Never had any problems. IMHO, common sense (i.e.: don't click on any button that says "Download" or "Click here to claim your prize") is worth more than AV software.