Is this a false positive?


4 replies to this topic

#1 Alan Christiansen
Posted 16 October 2009 - 12:20 AM

I started down this road with a friend's computer known to have malware on it.
That had also had a major software stuffup with updating.
(It attempts to contact a known malware-indicative domain name.)
The personal firewall blocked it, but only because I'm paranoid enough to make iexplore
ask every time it wants to use the net.

That's not the problem.

OK, I started at Major Geeks, using a procedure they outlined,
to initially verify that my system is still clean, as I rebuilt my friend's computer here.
Part of that Major Geeks procedure was to run ComboFix.
Up to that point nothing had found any malware, or any left-over bits, nor anything suspicious.
(I run a very tight ship (real FWs, OpenBSD, the whole nine yards): no viruses, trojans, et al. for 10+ yrs and counting.)

However:
ComboFix found two files in my system32 directory, named tmp67.tmp and tmp68.tmp.
FileAlyzer identifies them as identical (MD5). I don't like them because a hex dump shows
they have a standard-looking DLL front end; that makes me suspicious as they have .tmp file extensions.

FileAlyzer further identifies them as claiming to be:
Company name CreativeLabs Inc., version 2,0,6,0, Product name OpenAL installer.

That would be fine. (I don't like that I can't find any way they could have got themselves run.)
But my system works fine with them removed.
(Paranoid mode on) Hmmm, thinks I, perhaps the dangerous bit is still there hiding, and so I look.

My system works fine with them removed because something else put them back!
Now I'm really pissed, but still paranoid.
FileAlyzer identifies these new ones as identical in content to the files I removed (same MD5), different but related filenames.

So I run ComboFix again. (Remember I'm paranoid, and crazy people do the same thing again,
expecting a different result. Paranoid people do it to check if it is different.)

Sure enough, this time ComboFix does not mind that I have those files. This time they are called
tmp14AA.tmp and tmp14AB.tmp, and although what's in them is identical to before, ComboFix doesn't mind them at all.

These files are identical to tmp67.tmp and tmp68.tmp.

So which time was ComboFix right?

When it removed them or when it left them there?

Also, if it's not some bizarre part of OpenAL, WTF is it, and where's the bastard thing that reinstalls them hiding? :thumbsup:

I do 'appear' to have the OpenAL and wrap_OAL DLLs, but I am not sure which bit of software installed them.

All questions welcome. I've got more data and logs than you can reasonably want to see.

Alan

#2 Alan Christiansen
Posted 17 October 2009 - 02:18 AM

The silence prompted yet more reading and I found:

"The use of Combofix or any other high level removal tool is not for this area. If your log shows indications of the use of these tools,
there is a high probability your post will be ignored. "

If this is the problem, where ought I post my problem? The guide does not say.

If there is nowhere, am I forever condemned not to get help identifying the file tmp67.tmp, because I once ran ComboFix?

#3 garmanma
Posted 17 October 2009 - 09:14 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push OK.
  • Check the box for your main system drive (usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr.
Mark

#4 Alan Christiansen
Posted 18 October 2009 - 09:09 AM

First let me say, I have identified the files tmp67.tmp, tmp68.tmp, tmp14AA.tmp and tmp14AB.tmp.

Although it makes little sense, they are identical files, and all identical to a file named OalinstGridRelease.exe,
which seemingly is part of the game GRID (Codemasters). That file, from clues on the net, is a special release of
the more normally named file Oalinst.exe. It was version 2.0.6.0.
There is now a version 2.0.7.0, and when I installed the newer version, whatever it was that used to
put those worrying temp files in my system32 directory stopped.
Thus I am confident that my computer is symptom free.

My computer (as monitored by an OpenBSD firewall) also does not appear to send any unauthorised packets anywhere,
but I will log those for several hours a day for the next week or so.

However, having asked for help, it seemed rude not to do as asked;
hence I have tried to run RootRepeal as requested, and failed.
(Failing worries me again a bit.)

I ran the downloaded file, and it ran for several hours and it uses 16% of the CPU or so....
It does not sound to be thrashing the disk.... it seems stuck.
Killed that, rebooted and tried again, renaming it and running tatertot.scr.
Again nothing happens for several hours. Well, nothing except 16% of the CPU is doing something.

The instructions
"Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High"
don't seem to make sense.
If it fails to run in the way it failed for me, there are no visual display elements, just a rectangular region that never gets 'paint'ed.
Thus there is no 'Settings' to click.
Is the Settings referred to on the RootRepeal GUI? If so, I can't see the GUI as it failed to execute/run at all.

FYI I am using XP Professional, SP3, Intel quad core, nvidia GTX 295, N disks circa a terabyte, multiboot,
XOSL, Win2K and SUSE on other partitions, AVG, ZoneAlarm, OpenVPN, standard-ish commodity mice and keyboards.

For my own peace of mind,
I will try more things to get RootRepeal to run, such as safe mode, but I'm happy to call it a day here,
and leave this post around in case anyone else wonders about those tmp??.tmp files,
to help them find this post.

These are the MD5s etc. of the tmp????.tmp files in system32, which have the same MD5 as OalinstGridRelease.exe:

Size: 805400
Version: 2.0.6.0
CRC-32: D9B26F55
MD5: 60BD14D7E2B924F56785DED69056D886
SHA1: 223B34B267CF3763BC87BCFDE25FF7CB9C7D94E3

OalinstGridRelease.exe:

Size: 805400
Version: 2.0.6.0
CRC-32: D9B26F55
MD5: 60BD14D7E2B924F56785DED69056D886
SHA1: 223B34B267CF3763BC87BCFDE25FF7CB9C7D94E3

Which, in this poster's view, appears to be a legitimate (if somewhat clunkily implemented) part of
GRID, a game by Codemasters. The clunky OalinstGridRelease.exe can be replaced by
Creative's 2.0.7.0 Oalinst.exe, and GRID seems to work and the system32/tmp????.tmp files are no
longer generated.

Alan

#5 Alan Christiansen
Posted 18 October 2009 - 09:56 AM

I said:
> The instructions
> "Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High"
> don't seem to make sense.

and they do not make sense with the failure to run that I got. I got no GUI.

I have successfully run RootRepeal on another computer in this house, and yes, there is a 'Settings' to click on in the RootRepeal GUI.

On this computer, I don't even get the GUI.

==============
On a positive note, I have verified in some sense that the system32/tmp files are not using a rootkit to make themselves merely look like their contents are the same as OalinstGridRelease.exe.
I have run md5sum on the files in their NTFS folder, but run it from SUSE, where presumably the XP rootkit (if I had one) is not able to lie.
On a negative note, the other computer, which also has GRID installed and still has the OalinstGridRelease.exe installed, does not have the same issue with odd system32/tmp files being generated. Odd. It is plausible that the OalinstGridRelease.exe only behaves badly on this box. I had no end of trouble getting the GTX 295 graphics card to seem to work right.
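The check the two posts above describe (fingerprint the tmp*.tmp files in system32 by size, CRC-32, MD5 and SHA1, confirm they carry a real MZ/PE header rather than just a .tmp name, and compare them with OalinstGridRelease.exe), written up as an added example that is not part of the original thread. The KNOWN_GOOD values are the ones quoted in post #4; the sample files, the folder layout and the demo() helper are constructed here for illustration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

# Reference values for OalinstGridRelease.exe as quoted in post #4 of the thread.
KNOWN_GOOD = {"size": 805400, "crc32": "D9B26F55",
              "md5": "60BD14D7E2B924F56785DED69056D886",
              "sha1": "223B34B267CF3763BC87BCFDE25FF7CB9C7D94E3"}

def fingerprint(path):
    """Size, CRC-32, MD5, SHA1 and whether the file starts with an MZ/PE header."""
    data = Path(path).read_bytes()
    is_pe = False
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew
        is_pe = data[pe_off:pe_off + 4] == b"PE\0\0"
    return {"size": len(data),
            "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
            "md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "pe_header": is_pe}

def matches(fp, ref):
    """True when every hash and the size agree with the reference record."""
    return all(fp[k] == ref[k] for k in ("size", "crc32", "md5", "sha1"))

def check_tmp_files(system32, ref):
    """Map each tmp*.tmp in the folder to (has PE header, identical to reference)."""
    results = {}
    for p in sorted(Path(system32).glob("tmp*.tmp")):
        fp = fingerprint(p)
        results[p.name] = (fp["pe_header"], matches(fp, ref))
    return results

def demo():
    # Constructed sample: a minimal MZ/PE stub standing in for OalinstGridRelease.exe,
    # two copies named like the files in the thread, and one unrelated text .tmp file.
    stub = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
            + b"PE\0\0" + b"\0" * 20)
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "OalinstGridRelease.exe").write_bytes(stub)
        (folder / "tmp67.tmp").write_bytes(stub)
        (folder / "tmp68.tmp").write_bytes(stub)
        (folder / "tmp99.tmp").write_bytes(b"just text, not a PE\n")
        ref = fingerprint(folder / "OalinstGridRelease.exe")
        return check_tmp_files(folder, ref)

if __name__ == "__main__":
    for name, (is_pe, same) in demo().items():
        print(f"{name}: PE header={is_pe}, identical to reference={same}")
```

Run the same script from a second OS (as post #5 does with md5sum from SUSE) and compare the output; a rootkit on the scanned system cannot influence hashes computed from another boot environment.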
