
temp\is-XXXXX.tmp\download.tmp trying to connect to 104.27.135.88


20 replies to this topic

#1 ddamu

  • Members
  • 7 posts
  • Gender:Male

Posted 25 August 2015 - 05:07 PM

So I don't really want to go through the whole rigmarole of getting help with removing this, in fact I like figuring this stuff out myself, and have been doing it for years, although I hardly ever catch any bugs any more. 

 

I don't actually believe I am fully infected yet.  I use a firewall helper and it's blocking the outbound connection attempt.  The temp files delete themselves immediately after failing to connect to the IP address in the subject.  The temp folder's names are random every time.  The program is trying to act like it's Skype, but according to a VirusTotal search the IP address is related to the domain skype-soft.com, amongst other domains.

 

I have managed to make copies of the temp files before they are deleted and checked the download.tmp in VirusTotal; the file has been scanned a few times within the last 5 days.  They come up clean except for AVG, which thinks it is Luhe.Fiha.A.  Apparently AVG thinks a lot of things are Luhe.Fiha.A, however.  There are 2 folders that pop up every time it tries to connect; the second one seems to be related to the Inno Setup installation builder.

 

I have done several full system scans that came up clean.  I have gone over all the common startup locations.  I have combed through my services list.

 

All I'm hoping to find here at bleeping computer is someone who may be able to point me in the right direction towards solving this on my own, and maybe to help someone else looking for information about the same thing.

 

Thanks for any help and time anyone is willing to give.

 

Edit: Oh! Sorry!  This is on Windows 8.1.


Edited by Chris Cosgrove, 26 August 2015 - 04:27 AM.
Moved from 'General security' to 'Am I infected?'



#2 ddamu

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 26 August 2015 - 12:08 PM

Well, considering the lack of response at least I know now that this isn't something common that I overlooked.  I don't know about being in this subforum though, I know I'm infected after all, and this place seems like a good place to get buried.

 

The temp files are still popping up and trying to connect every 30 minutes or so, then deleting themselves.  I'll post back when I figure it out, or if I decide to give up and reinstall my OS.  Thanks to anyone who has read my post.



#3 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 26 August 2015 - 12:15 PM

Hello and welcome to BC, 

 

do you still need help? We can do some scanning to see the state and try to solve the problem.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#4 ddamu

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 26 August 2015 - 12:41 PM

If you can point me in the direction of a scan that might help I would be appreciative.  I have already combed through a HijackThis scan (didn't see anything I didn't recognize), done Malwarebytes (clean), Spybot (clean), Spybot rootkit deep scan (didn't see anything I didn't recognize), combed through the autorun list in the Spybot startup tool, combed through my services for anything out of the ordinary, and Windows Defender (clean).  Mostly I just need to figure out what's running on my computer that isn't evident and is continually remaking these temp files. I've even used Process Monitor to watch the folder, but the process that creates them starts up, does its thing, then shuts down.



#5 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 26 August 2015 - 12:46 PM

Remove SpyBot, it is outdated software.

 

Empty your temp folders using TFC (Temporary File Cleaner)

§  Please download TFC by Old Timer and save it to your desktop.
alternate download link

§  Save any unsaved work. (TFC will close ALL open programs including your browser!)

§  Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)

§  Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

§  Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

-----------

 

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

§  Flush DNS

§  Report IE Proxy Settings

§  Reset IE Proxy Settings

§  Report FF Proxy Settings

§  Reset FF Proxy Settings

§  List content of Hosts

§  List IP configuration

§  List Winsock Entries

§  List Installed Programs

 

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

-----------

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.

There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe
http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.

§  A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

-----

 

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Right click on KVRT.exe and select Run as Administrator.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Inform me if something is detected.

-------

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

------------

 

Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.



 


#6 ddamu

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 26 August 2015 - 01:02 PM

Well, thank you for your time.  I'll look into these tools you have mentioned and report back in this thread if I find a solution.

 

Thanks again for your help.

 

edit: .tmp files being created by file %appdata%\Roaming\Skype\download.exe.  Creating a read only dummy file seems to take care of the thing constantly hitting my firewall.  Hope this helps anyone else with this issue.  Still not sure where it's being called from.


Edited by ddamu, 26 August 2015 - 01:46 PM.


#7 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 26 August 2015 - 03:33 PM

No problem. If you want to do a check, follow my first post. 



 


#8 Ravanik

  • Members
  • 3 posts

Posted 26 August 2015 - 04:06 PM

I had the same thing occurring on my PC. I went back to check when I installed and after uninstalling a few things it went away. After I uninstalled the Battlefield Hardline helper program, and Desktop Dungeons, it went away. I am starting to believe it was the Battlefield Hardline add-on.



#9 ddamu

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 26 August 2015 - 09:19 PM

Glad yours went away.  Uninstalling didn't work for me; this definitely came with something I installed, for what it's worth.  An svchost.exe process is still trying to create the skype\download.exe and temp files every hour or so, according to procmon, but the dummy download.exe at least keeps it from doing what it was trying to do.
 
Off topic: it's so weird that there doesn't seem to be any spellcheck in the reply box here.


Edited by ddamu, 26 August 2015 - 09:20 PM.
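The Process Monitor observations in this thread (svchost.exe writing the fake Skype download.exe, the is-XXXXX.tmp\download.tmp drop, the self-deleting temp file, and the outbound attempt to 104.27.135.88) can be turned into a repeatable check over a Procmon CSV export instead of watching the folder by eye. The following is an added example, not code from the thread or from any tool it mentions. The log lines are constructed to mimic Procmon's default "Save as CSV" columns; that column layout, the "Delete: True" detail text and the process/PID values are assumptions, only the paths and the IP come from the posts.

```python
import csv
import io
import re

# Indicators taken from the thread: the Inno Setup style temp folder and payload
# name, the fake Skype dropper path, and the IP the firewall helper kept blocking.
INNO_TMP = re.compile(r"\\Temp\\is-[A-Z0-9]{5}\.tmp\\download\.tmp$", re.IGNORECASE)
SKYPE_DROPPER = re.compile(r"\\Skype\\download\.exe$", re.IGNORECASE)
BLOCKED_IP = "104.27.135.88"

# Constructed Procmon CSV export (not a real capture from the thread). The header
# row mimics Procmon's default CSV columns; that layout is an assumption.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","svchost.exe","1204","CreateFile","C:\\Users\\u\\AppData\\Roaming\\Skype\\download.exe","SUCCESS","Desired Access: Generic Write"
"10:02:12.3","download.exe","3320","CreateFile","C:\\Users\\u\\AppData\\Local\\Temp\\is-4K2PQ.tmp\\download.tmp","SUCCESS","Desired Access: Generic Write"
"10:02:12.9","download.tmp","3348","TCP Connect","host.local:49200 -> 104.27.135.88:443","SUCCESS","Length: 0"
"10:02:13.0","download.tmp","3348","SetDispositionInformationFile","C:\\Users\\u\\AppData\\Local\\Temp\\is-4K2PQ.tmp\\download.tmp","SUCCESS","Delete: True"
"10:02:14.0","chrome.exe","5000","CreateFile","C:\\Users\\u\\Downloads\\report.pdf","SUCCESS","Desired Access: Generic Read"
"""


def classify(row):
    """Return a reason string if a Procmon row matches one of the indicators, else None."""
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    if op == "CreateFile" and SKYPE_DROPPER.search(path) and "Write" in detail:
        return "write to fake Skype dropper path"
    if op == "CreateFile" and INNO_TMP.search(path):
        return "Inno Setup style temp payload created"
    if op == "SetDispositionInformationFile" and INNO_TMP.search(path) and "Delete: True" in detail:
        return "temp payload marked for deletion (self-cleanup)"
    if op == "TCP Connect" and BLOCKED_IP in path:
        return f"outbound connection to {BLOCKED_IP}"
    return None


def triage_procmon(csv_text):
    """Run classify() over a Procmon CSV export and return the flagged events in order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row)
        if reason:
            hits.append({"time": row["Time of Day"], "process": row["Process Name"],
                         "pid": int(row["PID"]), "reason": reason})
    return hits


def parent_candidates(hits):
    """Processes that wrote the dropper: the ones to trace back to a persistence point."""
    return sorted({h["process"] for h in hits if "dropper" in h["reason"]})


if __name__ == "__main__":
    flagged = triage_procmon(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["time"]} {h["process"]} (PID {h["pid"]}): {h["reason"]}')
    print("trace persistence from:", parent_candidates(flagged))
```

The writer of the dropper is the useful lead: when a genuine svchost.exe is the process creating a user-profile executable, the work is being done by a service or scheduled task it hosts, so the persistence entry is in the service list or Task Scheduler rather than in the usual Run keys the earlier posts already checked.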


#10 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 27 August 2015 - 02:46 AM

ddamu,

 

If you want help, you will have to follow the instructions from my first post and post the requested logs. We can't know for sure if we don't take a look.



 


#11 Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 27 August 2015 - 12:34 PM


> I have managed to make copies of the temp files before they are deleted and checked the download.tmp in VirusTotal; the file has been scanned a few times within the last 5 days.  They come up clean except for AVG, which thinks it is Luhe.Fiha.A.  Apparently AVG thinks a lot of things are Luhe.Fiha.A, however.  There are 2 folders that pop up every time it tries to connect; the second one seems to be related to the Inno Setup installation builder.

 

Can you post the link to the VirusTotal report for this file?


Edited by Didier Stevens, 27 August 2015 - 12:35 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#12 Ravanik

  • Members
  • 3 posts

Posted 27 August 2015 - 02:42 PM

Mine returned... and I got this file when I copied the folders.

 

https://www.virustotal.com/en/file/b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3/analysis/1440704420/

 

This is the download.tmp I got.

 

https://www.virustotal.com/en/file/d0b7d564afbd834e13471fa5831f49e7b9ccc12bea7e4bc6d0a79373ea713f44/analysis/1440704595/


Edited by Ravanik, 27 August 2015 - 02:44 PM.


#13 ddamu

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 27 August 2015 - 03:16 PM

The download.tmp from above is the same one I had.  The first link seems to be from the Inno Setup installation builder that I was talking about.

 

Here is the link to the scan for %appdata%\Roaming\Skype\download.exe:

 

https://www.virustotal.com/en/file/8e7e93f45cef3e32e3775d49848131df3d666167627fafb11204b07c20b8a314/analysis/1440612454/

 

Thanks severac, I really appreciate your desire to help, I just don't really intend to post my logs on here.  I would definitely do it for a worse problem or if I thought it was something I couldn't handle.  In this case I mostly wanted to post to find out if this was something that people already knew about and was obvious, or to help people who were having a similar issue, because I was not having any luck finding information on Google.

 

Maybe this was the wrong site to post on, but it seemed pretty on topic.  I am really not sure why it got moved to this subforum, as I already stated in my original post that I knew it was the start of an infection, but I had already stopped it from going very far.


Edited by ddamu, 27 August 2015 - 03:24 PM.


#14 Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 27 August 2015 - 04:04 PM

> The download.tmp from above is the same one I had.  The first link seems to be from the Inno Setup installation builder that I was talking about.
>
> Here is the link to the scan for %appdata%\Roaming\Skype\download.exe:
>
> https://www.virustotal.com/en/file/8e7e93f45cef3e32e3775d49848131df3d666167627fafb11204b07c20b8a314/analysis/1440612454/
>
> Thanks severac, I really appreciate your desire to help, I just don't really intend to post my logs on here.  I would definitely do it for a worse problem or if I thought it was something I couldn't handle.  In this case I mostly wanted to post to find out if this was something that people already knew about and was obvious, or to help people who were having a similar issue, because I was not having any luck finding information on Google.
>
> Maybe this was the wrong site to post on, but it seemed pretty on topic.  I am really not sure why it got moved to this subforum, as I already stated in my original post that I knew it was the start of an infection, but I had already stopped it from going very far.

 

Just by looking at the VT report, I see several indicators that this is not a benign file. Maybe not real malware, but certainly not benign.

Its version information indicates it's from Skype, but it has no digital signature, it was modified (Modified by an unpaid evaluation copy of Resource Tuner 2 (www.heaventools.com)), the compilation timestamp is wrong (1992), ...


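The indicators listed in the post above (version information claiming Skype, no digital signature, a Resource Tuner modification marker, a 1992 compile timestamp) can all be read off a file statically, without running it. The following is an added example, not code from the thread or from Didier Stevens's tools. It uses only the Python standard library, builds a header-only PE32 image inline as constructed test data that mimics the reported file, and approximates the version-info check with a UTF-16LE string search rather than a full RT_VERSION resource walk; the "before 2000 or in the future" timestamp window is a heuristic chosen here.

```python
import struct
from datetime import datetime, timezone

# Markers for the indicators discussed above. Assumption: a raw byte search stands
# in for a full RT_VERSION resource walk; VS_VERSIONINFO strings are UTF-16LE.
VENDOR_CLAIM = "Skype".encode("utf-16-le")
TUNER_MARKERS = (b"Resource Tuner", b"heaventools")


def parse_headers(data):
    """Return the COFF TimeDateStamp and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    timestamp = struct.unpack_from("<HHIIIHH", data, coff)[2]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B)
    directories = opt + (96 if magic == 0x10B else 112)
    # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; a non-zero size means an
    # Authenticode certificate table is attached (presence only, not validity)
    _, security_size = struct.unpack_from("<II", data, directories + 4 * 8)
    return {"timestamp": timestamp, "signed": security_size != 0}


def triage_pe(data):
    """List the indicators found, in the order the post above names them."""
    hdr = parse_headers(data)
    findings = []
    if VENDOR_CLAIM in data:
        findings.append("version info claims Skype")
    if not hdr["signed"]:
        findings.append("no Authenticode signature")
    if any(marker in data for marker in TUNER_MARKERS):
        findings.append("Resource Tuner modification marker")
    built = datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)
    # Heuristic window: a build date before 2000 or in the future is implausible here
    if built.year < 2000 or built > datetime.now(timezone.utc):
        findings.append(f"implausible compile timestamp ({built:%Y-%m-%d})")
    return findings


def build_sample(timestamp, signed, overlay):
    """Constructed header-only PE32 image for testing; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x800)  # fake certificate table entry
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + overlay


# Mimics the reported file: Skype in the version strings, unsigned, a Resource
# Tuner footprint, and the 1992 timestamp (0x2A425E19, the fixed stamp Delphi emits)
SAMPLE = build_sample(
    0x2A425E19, False,
    "Skype Technologies".encode("utf-16-le")
    + b"\0Modified by an unpaid evaluation copy of Resource Tuner 2 (www.heaventools.com)",
)

if __name__ == "__main__":
    for finding in triage_pe(SAMPLE):
        print("-", finding)
```

One caveat on the timestamp check: Delphi-built executables carry the fixed COFF timestamp 0x2A425E19 (19 June 1992), so a 1992 date on its own usually means "built with Delphi" rather than "tampered with"; Inno Setup itself is a Delphi program. It still argues against a genuine Skype build, and combined with the missing signature and the Resource Tuner marker the file has no business carrying Skype's version information.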


#15 severac

  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia

Posted 27 August 2015 - 04:51 PM

You can submit suspicious files for analysis to more than one online service:

§  Jotti's virusscan

§  VirSCAN

§  ThreatExpert

§  Metascan Online <- allows large file submissions

§  Anubis - Malware Analysis

§  Malwr Analysis Service

§  Payload Security Hybrid Analysis

§  Comodo

