.exe File in TEMP Folder Reappears after Deletion

dh27564   

I was looking through Settings > Protection > Application Control > Manage Applications this morning and found a curious file in the High Restricted group. The file name is 4b55.tmp.exe.  I scanned the file with KIS as well as Malwarebytes and the file came up clean.  The path to the file is C:\Users\David\AppData\Local\Temp.  A bit of research indicates it may belong to something by NirSoft.  In any event, I deleted the file and restarted the computer.  That file was gone but was replaced by a similar file titled 63D5.tmp.exe.  Scanning this file with KIS and MBAM also came up clean.  I uploaded the file to Virus Total and it was identified by 5 of 63 engines as suspicious.

 

It may be nothing at all to worry about.  Just curious more than anything.  I may have had a NirSoft product installed in the past and this may be leftovers.  Just a bit troubling that it recreates itself with a different name.

richbuff   

Please see: Kaspersky Lab Forum > English User Forum > Virus-related issues > the second (2nd) pinned topic. 
There, you will find instructions for GSI and AVZ logs.

Please click my user name > send message > please send me the VT link. 

Hello,

If it is convenient, please send me this file by PM. I will try to tell you who created this file.

Regards  

Hello,

I analyzed the file you sent me by PM. It contains no information about what could have created it in %temp%. But I can give you a tool to trace who creates it on Windows boot:

Process Monitor: https://download.sysinternals.com/files/ProcessMonitor.zip

1. Extract it to any place and run it (Procmon.exe).

2. Accept the license agreement.

3. Select Enable Boot Logging in the Options menu.

2017-08-23_212804.png

4. Press OK.

5. Delete all the files in the temp folder.

6. Reboot the PC.

7. If the OS warns that Process Monitor is stopping the PC from rebooting and lets you end it, please ignore this suggestion and let the OS reboot automatically.

8. After the OS reboot completes, run Process Monitor again. This time it will remind you to save the boot log; you need to choose a location to save it.

Notice: this log file is very large (more than 100 MB), so please save it on a disk with plenty of free space.

9. Go to the temp folder, see the newly created file's name and record it.

10. Close the running Process Monitor program and double-click the log file; Process Monitor will restart and open the log file.

11. Open the Filter menu and select the Filter... option.

12. Set the following filter rule:

Image Path   is   C:\Users\XXX\AppData\Local\Temp\???.exe   Include

Notice: XXX is your OS user name, ??? is the newest created file's name.

2017-08-23_215404.png

13. Press Add and OK.

14. Process Monitor will filter the results.

Notice: If this does not return any result, please zip the log file, upload it to any cloud platform and PM me a download URL; I will look at the log file and give you some advice.

Regards. 

dh27564   

Thank you for the instructions.

The new temp files that were created are C108.tmp.exe and ACA4.tmp.exe.  Process Explorer created 10 log files on my desktop (bootlog-1, bootlog-2, etc.).  I selected bootlog-1 and entered the path to C108.tmp.exe.  Process Monitor created a new log on the desktop (Logfile.PML) that has a HUGE number of C108.tmp.exe entries.  I'm not quite sure what I'm looking for within the log file at this point. I have not performed a similar search for ACA4.tmp.exe.

Edited by dh27564

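Added example, not from this thread or from Sysinternals: the boot-logging procedure above and the follow-up question about what to look for in the huge result set are both about the same thing, finding the process that writes the random-named .tmp.exe. Once a boot log is exported to CSV (File > Save... in Process Monitor, CSV format, default columns), this PowerShell snippet keeps only the CreateFile events that actually created a Temp\XXXX.tmp.exe file and names the process behind each one. The CSV location and the column names (Time of Day, Process Name, PID, Operation, Path, Detail) are assumptions about that export.

```powershell
# Added example (not from the forum thread): identify which process created the
# four-hex-digit *.tmp.exe files (4b55, 63D5, C108, ACA4 in the thread) under
# %LOCALAPPDATA%\Temp in a Process Monitor boot log exported to CSV.
# Assumption: default Procmon CSV columns, including 'Process Name', Operation,
# Path and Detail. Assumed export path below; adjust to where you saved it.
function Get-TempExeCreator {
    param(
        [string]$CsvPath = "$env:USERPROFILE\Desktop\bootlog-1.csv",
        [string]$TempDir = "$env:LOCALAPPDATA\Temp"
    )

    # Match the full path of a file named like C108.tmp.exe directly inside TempDir.
    # -match is case-insensitive, so 4b55 and 63D5 both match.
    $pattern = [regex]::Escape($TempDir) + '\\[0-9A-F]{4}\.tmp\.exe$'

    Import-Csv -Path $CsvPath -ErrorAction Stop |
        Where-Object {
            # Only CreateFile calls that brought the file into existence count;
            # Procmon marks those with "OpenResult: Created" in the Detail column.
            # Plain opens/reads of the file by other processes are dropped here.
            $_.Operation -eq 'CreateFile' -and
            $_.Path -match $pattern -and
            $_.Detail -match 'OpenResult:\s*Created'
        } |
        Group-Object -Property 'Process Name', PID |
        ForEach-Object {
            [pscustomobject]@{
                ProcessName  = $_.Group[0].'Process Name'
                PID          = $_.Group[0].PID
                FirstSeen    = $_.Group[0].'Time of Day'
                FilesCreated = ($_.Group.Path | Sort-Object -Unique) -join ', '
            }
        }
}

$creators = Get-TempExeCreator
if (-not $creators) {
    Write-Host "No process created a XXXX.tmp.exe in $env:LOCALAPPDATA\Temp in this log."
} else {
    # One row per creating process, with every temp file it wrote during boot.
    $creators | Format-Table -AutoSize
}
```

With the creating process named, Tools > Process Tree in Process Monitor shows its parent and command line, which is usually enough to tell a leftover installer or updater from something that should not be there.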
9 hours ago, dh27564 said:

Thank you for the instructions.

The new temp files that were created are C108.tmp.exe and ACA4.tmp.exe.  Process Explorer created 10 log files on my desktop (bootlog-1, bootlog-2, etc.).  I selected bootlog-1 and entered the path to C108.tmp.exe.  Process Monitor created a new log on the desktop (Logfile.PML) that has a HUGE number of C108.tmp.exe entries.  I'm not quite sure what I'm looking for within the log file at this point. I have not performed a similar search for ACA4.tmp.exe.

Hello,

Please send all the logs to me by PM. Please zip the log file, upload it to any cloud platform and PM me a download URL; I will look at the log file and give you some advice.

Regards. 
