Malware or no ?

Thread starter: bill

XP with SP2

On every startup, a file named "System.dll" (size 10,240 bytes)
is created in my windows default temp directory in a newly created
subdirectory named "nsxx.tmp" (xx = it varies). The creation date &
time reflects when it was placed in the temp sub directory on startup.
There is no other identification even viewing it with a hex viewer.

There are also 4-6 prefetch related entries like
"\windows\prefetch\NS4.TMP-3A84D703.pf"
but putting them up in the hex viewer reveals nothing except they check
the standard system DLLs to hook various functions as obviously
whatever program it is needs them. I'm not experienced enough to ID
the program itself.

AdAware identifies it as "Adware Maxfiles". I have also tried HiJackThis and
many of the other recommended malware detector/removers without luck.
My AVG free edition anti-virus program does not recognize it as a virus.

A google on it returns numerous hits describing it as malware but no
solutions other than what I've tried already.

Should I be worried about this ? Anyone familiar with it ? Suggestions ?

Bill Mudd
 
Thanks for the reply. The VirusTotal scan all showed "no virus found".
That's a good sign.

I posted here because I thought maybe this "system.dll" was the result of
MS's security programs. For example WGANotify.settings & WGAErrLog.txt
are now a permanent part of my default temp file.

Could it be the "leavings" of some malware boot process that can't use the
XP system.dll so it installs its own version ?

I also posted to one of the virus groups and have followed all their
suggestions but this file & directory is still created at every startup.

Bill Mudd
Bill,

Scan "System.dll" at this website:
http://www.virustotal.com/en/indexf.html

Please post back with what is detected.

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============
On every startup, a file named "System.dll" (size 10,240 bytes)
Let's be clear on this ... are you stating it creates a subdirectory in
WINDOWS\Temp or, in Documents and Settings\<YourUserAccount>\Local
Settings\Temp ?
Please have the "nsxx.tmp" file scanned at VirusTotal.
For the system.dll, right click it, choose Properties.
Click the Version tab to find out pertinent information of the file.
On my system, system.dll is located in
WINDOWS\Microsoft.NET\Framework\v1.1.4322

Perhaps there is a failed installation of .NET or a .NET update that is
at the root of this issue.

MowGreen [MVP 2003-2006]
What I mean by default temp directory is neither WINDOWS\Temp nor Documents
and Settings\<YourUserAccount>\Local Settings\Temp. It's the one we use to
put in the autoexec.bat file under SET TMP and SET TMPDIR. It's the
directory most program installers look for to place their temporary install
related files. Most good program installers clean these up after but some
don't. Many use the "tmp" extension to ID it as a temporary file or
directory.

re: Mastertech's post
I'm quite aware that prefetch files are not executables. I used my hex
viewer on them to try and ID the executable they are related to but I wasn't
able to. I know deleting prefetch files accomplishes nothing in terms of
stopping a program from executing and in most cases new prefetch files will
quickly be re-created. But in this case it has been 3 days since I deleted
them ( 8 no less ) and they have not been re-created yet.

Is there a way to log executables and/or DLLs loaded during startup? That
may help. I've discovered that
E:\TEMP\nsxx.tmp\System.dll
is created after Log-On in the startup process.

I also am hoping that this is a harmless thing like a NET related issue as
you mentioned. I have NET 2.0 installed and active. I see no indication
in the NET related logs that the installation failed or the service has gone
bad but I'd be happy to re-install it if you think that would help ?

Thanks for your help,

Bill
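The prefetch files Bill tried to read in a hex viewer carry, in a fixed layout, the name of the executable they belong to (the part of the .pf file name before the hash) and every file it touched while starting, so the program can be identified without guessing. Added example, not from the thread: a parser for the XP-era (version 17) prefetch layout, run over a sample file constructed inline; the name NS4.TMP, the paths and the timestamp are made up to mirror the thread, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets of a version-17 (Windows XP / 2003) prefetch file.
PF_VERSION_XP = 17
EXE_NAME_OFF, EXE_NAME_LEN = 0x10, 60        # UTF-16LE exe name, null padded
FILENAMES_OFF = 0x64                         # uint32 offset + uint32 size of string table
LAST_RUN_OFF, RUN_COUNT_OFF = 0x78, 0x90     # FILETIME, uint32


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch_v17(data):
    """Extract exe name, run count, last run time and the loaded-file list."""
    if len(data) < 0x98 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version != PF_VERSION_XP:
        raise ValueError("unsupported prefetch version %d" % version)
    raw_name = data[EXE_NAME_OFF:EXE_NAME_OFF + EXE_NAME_LEN]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    str_off, str_size = struct.unpack_from("<II", data, FILENAMES_OFF)
    if str_off + str_size > len(data):
        raise ValueError("filename string table runs past end of file")
    files = [s for s in data[str_off:str_off + str_size].decode("utf-16-le").split("\x00") if s]
    return {
        "exe_name": exe_name,
        "run_count": struct.unpack_from("<I", data, RUN_COUNT_OFF)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, LAST_RUN_OFF)[0]),
        "files": files,
        # The entry whose last path component equals the exe name is the program itself.
        "exe_path": next((f for f in files if f.endswith("\\" + exe_name)), None),
    }


def build_sample_prefetch():
    """Constructed sample (not a real capture): a v17 file for an exe named NS4.TMP."""
    names = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\TEMP\\NS4.TMP",
             "\\DEVICE\\HARDDISKVOLUME1\\TEMP\\NSA5.TMP\\SYSTEM.DLL"]
    table = "".join(n + "\x00" for n in names).encode("utf-16-le")
    header = bytearray(0x98)
    struct.pack_into("<I4s", header, 0, PF_VERSION_XP, b"SCCA")
    header[EXE_NAME_OFF:EXE_NAME_OFF + EXE_NAME_LEN] = "NS4.TMP".encode("utf-16-le").ljust(EXE_NAME_LEN, b"\x00")
    struct.pack_into("<II", header, FILENAMES_OFF, len(header), len(table))
    struct.pack_into("<Q", header, LAST_RUN_OFF, 128000000000000000)        # constructed FILETIME, 2006
    struct.pack_into("<I", header, RUN_COUNT_OFF, 3)
    return bytes(header) + table
```

On a real machine, pass the bytes of a file such as `\WINDOWS\Prefetch\NS4.TMP-3A84D703.pf` to `parse_prefetch_v17`; the `exe_path` entry shows where the program ran from and `files` shows what it loaded.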
I took a look at the Event Viewer and also enabled a boot log at startup.
Event Viewer shows 18 "Failure Audit"s over the last 2 hours and 49
for yesterday during a 9 hour time period. Most of them show one of
the following 2 entries

1) Logon Failure:
Reason Unknown user name or bad password
Logon Process: Advapi
Authentication Package: Negotiate

2) Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

The boot log (\WINDOWS\ntbtlog.txt) is huge but all it shows is what loaded
and what didn't. I don't really know what to look for. There were no entries
for NET or Advapi but I have no idea what files are related to these things.
Any clues would be appreciated.

It's also fairly common knowledge that WGA is causing problems among many
users. I wish I'd never allowed it to be installed but it's too late now.
I understand it's impossible to get rid of ?

I can't afford to spend much more time on this. Just have to trust in MS
security and my anti-virus/malware programs. If you guys ever figure out
what it is let me know.

Regards,

Bill Mudd
 
Thanks MowGreen.
I believe that MSKB explains it.
Cheers,
Bill Mudd
Also, see this MSKB, Bill:
Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/kb/305822

MowGreen [MVP 2003-2006]

If they are not being recreated then that means Prefetching is probably
disabled or broken, you can easily fix it by running the Prefetcher Fix
file and rebooting located 'here'
(http://mywebpages.comcast.net/SupportCD/OptimizeXP.html#Tweaks).

Also try submitting the file being created to 'VirusTotal'
(http://www.virustotal.com/en/indexf.html) and see if it finds
anything.
 
bill said:
Just have to trust in MS security and my anti-virus/malware programs. If you guys ever figure out what it is let me know.
Regards, Bill Mudd
::Cleared out spacing to save space and increase readability of my post::

"trust MS security" ??? That seems like a HUGE mistake given their track record with security problems (and lack of interest and effort to really get a fire under themselves to actually FIX them).
 