Malwarebytes

S0224A913.TMP


30 replies to this topic

#1 Guest_remixed_* (Guest)
Removed

#2 JeanInMontana (Honorary Members)
The extension is for a temp file, but strange. What else was going on that day? System-wise, did you install anything? Have you done any other scans? Panda or Jotti's for the file? http://www.virscan.org/

http://virusscan.jotti.org/

We also have file submission here, on the main site page.


#3 Guest_remixed_* (Guest)
Removed

#4 JeanInMontana (Honorary Members)
Yup... it has been my experience that when a file gets no hits at all on Google it is malware. Seems this is no exception.

#5 Guest_remixed_* (Guest)
Removed

#6 JeanInMontana (Honorary Members)
Umm, yeah, and Prevx labels it malware, as do several others. http://spywarefiles.prevx.com/spywarefiles...XC=DGJD13704910

#7 Guest_remixed_* (Guest)
Removed

#8 AdvancedSetup (Administrators)
Interesting... I've actually looked on about 5 different machines, and so far every system I've looked at has a zero-byte file that is being locked by SYSTEM.

You cannot delete it with normal means, and even using a tool to delete it, it is automatically recreated within seconds.
I shut down every service that would allow you to shut it down and then tried to delete it, but it was still locked and still recreated if force-deleted.

Currently not sure what is creating it. I just logged onto a few servers and most of them don't have it, but I do have some that have it.

Will do some more investigation tomorrow.
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#9 Guest_remixed_* (Guest)
Removed

#10 AdvancedSetup (Administrators)

remixed, on Feb 14 2008, 07:46 PM, said:

The file I refer to is a zero-byte file until the application that created it becomes active, at which point it becomes a 24-byte file. When I close the app it returns to zero and doesn't change under any other activity. I suspect it may be related to the request to check for updates at the application start-up.

I did notice that on one system while I was forcing it to delete with Unlocker. It would reappear as a 24 byte .TMP file then would later be a zero-byte file. I would guess it's normal behavior but now I'm curious as to what is creating it and why.

A bit curious as the 24 byte file size is very common in a lot of Google pages dealing with cryptography, encryption, cracking, reverse engineering, etc.. Since I only dabble in programming I'm not fully sure yet of the importance but it does provide a lot of pages on a Google search.
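Added example, not from the thread or from any of the posters: a small Python monitor that samples the file's size over time and reports the state changes remixed and AdvancedSetup describe (the 0-byte to 24-byte flip, and the delete followed by recreation within seconds), so they can be lined up against when the application was started or closed. The directory in the usage note and the demo samples are constructed; only the file name is from the thread.

```python
import os
import time
from typing import List, Optional, Tuple

# One sample: (seconds since monitoring started, size in bytes, or None when absent)
Sample = Tuple[float, Optional[int]]


def sample_file(path: str) -> Optional[int]:
    """Return the file's current size, or None if it does not exist right now."""
    try:
        return os.path.getsize(path)
    except FileNotFoundError:
        return None


def summarize(samples: List[Sample]) -> List[str]:
    """Collapse a series of samples into one line per state change.

    Reports size flips (e.g. 0 -> 24 bytes) and delete/recreate cycles,
    including how long the file stayed gone before it came back.
    """
    events: List[str] = []
    prev = samples[0][1]
    gone_since: Optional[float] = None
    for t, size in samples[1:]:
        if size == prev:
            continue
        if size is None:
            gone_since = t
            events.append(f"{t:8.1f}s removed (was {prev} bytes)")
        elif prev is None:
            delay = t - gone_since if gone_since is not None else 0.0
            events.append(f"{t:8.1f}s recreated after {delay:.1f}s as {size} bytes")
            gone_since = None
        else:
            events.append(f"{t:8.1f}s size {prev} -> {size} bytes")
        prev = size
    return events


def monitor(path: str, seconds: float, interval: float = 0.5) -> List[str]:
    """Poll `path` every `interval` seconds for `seconds`, then summarize."""
    start = time.monotonic()
    samples: List[Sample] = []
    while time.monotonic() - start < seconds:
        samples.append((time.monotonic() - start, sample_file(path)))
        time.sleep(interval)
    return summarize(samples)


if __name__ == "__main__":
    # Constructed samples standing in for a real run: zero-byte file, app starts
    # (24 bytes), app closes (0 bytes), forced delete, recreated 2 s later.
    demo = [(0.0, 0), (0.5, 0), (1.0, 24), (1.5, 24), (2.0, 0), (2.5, None), (4.5, 0)]
    print("\n".join(summarize(demo)))
```

To watch the real file, call something like monitor(r"C:\<placeholder dir>\S0224A913.TMP", 120) from an elevated prompt while starting and closing the suspected application, and note the times.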

#11 JeanInMontana (Honorary Members)

remixed, on Feb 14 2008, 04:06 PM, said:

1; The Exe that Prevx is referring to is a 'pre-patched' (hacked) earlier version of CloneCD by PARADOX, hence the term COMP(lete), which not surprisingly contains 'the payback'.
2; Wasn't it Prevx that recently flagged MBAM?
3; Prevx is among the online scanners used by VirusTotal, which detected nothing.
4; There are no instances of irregular registry keys or mods to existing ones.


Oh.. I didn't read in depth. My mistake. Panda flagged MBAM in one log I was working in the online scan. I know Prevx is one of the online scanners used by VT.

#12 AdvancedSetup (Administrators)
Well, I have had a few urgent issues come up at work, so I have not had time to look into this just yet.
Still on the list of things to check on.

#13 Guest_bugmenot_* (Guest)
That TMP file is created by the ElbyCDIO driver used by some ElaborateBytes/SlySoft applications. See hxxp://club.cdfreaks.com/f18/conspicious-behavior-clonecd-possibly-other-slysoft-apps-234705/ and hxxp://club.cdfreaks.com/f18/hidden-file-repeatedly-accessed-236539/ for more information. It’s not spyware (at least for now), but it is bad.

Edited by JeanInMontana, 07 March 2008 - 06:21 PM.
Mung links


#14 Guest_remixed_* (Guest)
Removed

Edited by remixed, 09 March 2008 - 03:57 AM.
mung live link


#15 AdvancedSetup (Administrators)

remixed, on Mar 6 2008, 06:11 PM, said:

Thanks for the interest, but its origin became clear much earlier in the thread. BTW, I'm not sure it's wise to include links to sites which are suspect!
http://www.siteadvis...es/cdfreaks.com

Well, a couple of things, at least as I currently view them.

The origin is not that clear to me, as the above post here attempts to lay blame on a CRACKED version of some version of Slysoft software, which is not true. I have been a legal user of the product for many years, even before Slysoft bought up the rights from Elby, and I do not have any cracked version of their software.

As for the site advisor listing, that could probably even be links from Google Analytics or users posting links on the site.
Even if one does put stock in their advice, they also show that after downloading files and other checks they do not see anything wrong with the site except some potential links to a known bad site, which at least for me does not classify or place them in a bad light until or unless something stronger or more direct can be proven that they're doing wrong (I don't know, as I've not researched them myself, but I don't take site advisor as the end-all authority on a site's value either).

However, I would think that many of the forum visitors here are a bit more advanced and wish to help bring such issues to light and not hide stuff (but that's just my opinion, and on the contrary maybe most visitors are normal home users with little to no experience with Windows).

As for the links on the cdfreaks site, I do plan to visit and post there soon, as I think the guy is being crucified by people that are either clueless or have an agenda, or are just part of what they feel is an elite group of people.
One thing that I've seen over and over now in forums is that there is a clique of core people that often stick together and gang up on other posters when they feel threatened, regardless of whether they're correct or not.
I know from experience from the site I'm an Administrator on, and from one I moderate on as well.

#16 AdvancedSetup (Administrators)

JeanInMontana, on Feb 14 2008, 12:14 PM, said:

Yup... it has been my experience that when a file gets no hits at all on Google it is malware. Seems this is no exception.
Hi Jean

Just thought I would bring up that in this case the file name is seemingly random (though not really; there is rhyme and reason for the name), but a vastly varying name with an extension that ends in .TMP makes it almost impossible to query on sites like Google, Yahoo, Live, etc., because they also filter and present classes of predetermined entries (if one had full SQL query rights and had experience, then you could probably find many entries for such files).

Also in this case I really think it boils down to some programming method (good or bad unknown at this time) and is almost certainly not malware related.

Though as you say there are many cases where your assumption is probably spot on.

Thanks for all your input and support in the Anti-Malware community.

#17 Guest_bugmenot_* (Guest)
I too noticed that CDFreaks is flagged by SiteAdvisor. As mentioned it is indeed because of the advertising on the main page. The reviews on SiteAdvisor are good and even the negative one said it is useful. The forums are clean though and are a rich source of optical-disc related information, which is why I registered there back then.

The two threads I posted above have thorough research and analysis on the file, including how the filename is determined, although the actual contents of the file remain unknown. Perhaps compiling a collection of such files from various sources could lead to reversing it (it does not seem to be random, there may very well be some valid information in there).

As for the response to the investigation, it has been quite unpleasant over there. Perusing some other threads on that board reveals a strong pro-SlySoft bias, where anyone who complains in the least is quickly shot down by the SS lovers (pun intended). :) There are a few members there that probably work for the company.

I haven’t checked yet, but I’ll take a look at some of the other leading CDVD forums (CDRLabs, CDRInfo) to see if the members there are more objective.

#18 JeanInMontana (Honorary Members)

Quote

The origin is not that clear to me as in the above post here it attempts to lay blame on a CRACKED version of some version of Slysoft software which is not true. I have been a legal user of the product for many years even before Slysoft bought up the rights from Elby, and I do not have any cracked version of their software.

There are often legal and cracked versions of all sorts of software. I too came across references to the cracked programs containing malware and this is very common. You have a legal version and it is clean.

I will agree SiteAdvisor is not always the best source, and I have been a critic of their ratings system more than once. I have seen bad sites listed as good and good sites listed as bad. There are no criteria for who gets to be a reviewer, and the reviewer ratings are based on popular vote. This means that, in theory, anyone can rate sites, all their friends can also, and they can give each other great scores while none of them have a clue as to what constitutes a bad site.

I have also seen a file be both ways. One instance it is bad in another it is fine. I suspect this is the case with this file.


#19 AdvancedSetup (Administrators)
Well, I'm actually in contact with the author of the posts on CDFreaks and will work with him to see if we can determine when this started happening and, if possible, why. I'm a big fan of Slysoft myself, and I'm not saying they're doing anything bad. At this point it's more of a quest to see if we can find out when and why. I'm not trying to accuse Slysoft of anything wrong or underhanded; it just seems an odd behavior when there are so many other ways to code things.

I just thought it was unwarranted replies to his discovery and postings.

#20 JeanInMontana (Honorary Members)

AdvancedSetup, on Mar 7 2008, 11:58 AM, said:

Well, I'm actually in contact with the author of the posts on CDFreaks and will work with him to see if we can determine when this started happening and, if possible, why. I'm a big fan of Slysoft myself, and I'm not saying they're doing anything bad. At this point it's more of a quest to see if we can find out when and why. I'm not trying to accuse Slysoft of anything wrong or underhanded; it just seems an odd behavior when there are so many other ways to code things.

I just thought it was unwarranted replies to his discovery and postings.

When a program gets cracked it is not the author's fault. This happens all the time. The program gets cracked, a trojan inserted, and it's put on a shady site for download. There are numerous sites devoted to nothing but warez or cracked software. It's all illegal, and none of the authors are involved.
