Seda145
Honorary Members
Posts: 22
Reputation: 0 Neutral
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
I have a procmon log file, on which I'm browsing the internet using Firefox. Firefox creates a mozilla-temp-files folder in the TEMP, then Explorer.exe reads C:\Windows\System32\TaskFlowDataEngine.dll for some reason, then avgsvc (AVG antivirus) creates the BCLTMP folder in TEMP. Operations used on the BCLTMP folder include QueryNetworkOpenInformationFile, QueryRemoteProtocolInformation and many others. The .txt file included should be renamed to .PML. Avast also creates the BCLTMP. I noticed a firewall rule in my custom software firewall about the BCLTMP folder months ago that I did not create. Looks like my data is sent over the internet. Any attempts to look for it with Wireshark failed. Logfile - Copy.txt
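A small triage helper, added here as an example and not code from the original post: it parses a Procmon CSV export (File > Save, CSV format) and separates the process whose CreateFile actually created BCLTMP from processes that only queried the folder afterwards, which is the distinction the "made by explorer.exe" attribution hinges on. The sample rows are constructed to mirror the sequence described above, not taken from the attached log.

```python
import csv
import io

# Constructed sample of a Procmon CSV export (File > Save, CSV format).
# These rows are made up for this example; they are not the thread's log.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","firefox.exe","4120","CreateFile","C:\\Users\\u\\AppData\\Local\\Temp\\mozilla-temp-files","SUCCESS","Desired Access: Read Data/List Directory, Disposition: OpenIf, Options: Directory, OpenResult: Created"
"10:01:05.4","Explorer.EXE","2200","CreateFile","C:\\Windows\\System32\\TaskFlowDataEngine.dll","SUCCESS","Desired Access: Read Data, Disposition: Open, OpenResult: Opened"
"10:01:07.9","avgsvc.exe","3360","CreateFile","C:\\Users\\u\\AppData\\Local\\Temp\\BCLTMP","SUCCESS","Desired Access: Read Data/List Directory, Disposition: OpenIf, Options: Directory, OpenResult: Created"
"10:01:08.0","Explorer.EXE","2200","QueryNetworkOpenInformationFile","C:\\Users\\u\\AppData\\Local\\Temp\\BCLTMP","SUCCESS","CreationTime: 10:01:07"
"10:01:09.2","avgsvc.exe","3360","CreateFile","C:\\Users\\u\\AppData\\Local\\Temp\\BCLTMP\\firefox\\places.sqlite","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"""


def creators(csv_text, needle):
    """(process, pid, path) for CreateFile events that actually created a
    path containing `needle`; opens of an already existing object are skipped."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        if needle.lower() not in row["Path"].lower():
            continue
        if "OpenResult: Created" not in row["Detail"]:
            continue  # Opened / Overwritten: the object existed already
        hits.append((row["Process Name"], int(row["PID"]), row["Path"]))
    return hits


def touchers(csv_text, needle):
    """Per (process, operation) counts for every event on the path, so a
    process that only queries the folder is not mistaken for its creator."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if needle.lower() in row["Path"].lower():
            key = (row["Process Name"], row["Operation"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # With a real export: open("Logfile.csv", encoding="utf-8-sig").read()
    for proc, pid, path in creators(SAMPLE_CSV, "BCLTMP"):
        print(f"created by {proc} (PID {pid}): {path}")
    for (proc, op), n in sorted(touchers(SAMPLE_CSV, "BCLTMP").items()):
        print(f"{proc:14} {op:34} {n}")
```

Procmon's own filter (Path contains BCLTMP, Operation is CreateFile) shows the same rows; the script just makes the "Created" versus "Opened" distinction explicit over the whole export.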
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
Alright, will try the articles and the software. I've used procmon in the past, which showed BCLTMP is made by explorer.exe; I couldn't find another process creating it.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
Deleted the previous BCLTMP folder; another one appeared again in TEMP, this time including a subfolder named Edge. It's empty. No idea where it could be coming from.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
The folders that keep returning like BCLTMP are always in %TEMP%.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
I have used the fix and rebooted. The BCLTMP folder has returned within hours. No tempaddons in the TEMP. *Edit* I noticed the folder returned each time after we did something to the browser. Normally it might have taken a day or a week before the folder would return.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
I removed Firefox and rebooted. There are still many traces of the Firefox and (very old) Chrome installation in the FRST files. I included the files of FRST. I took my laptop with me to the office today, which also created the BCLTMP and mentioned folders after connecting to their network. It might be a lot easier to make a FRST log on the laptop as it doesn't have much software installed on it and the device is new. RogueKiller found browser (malware) results on the laptop which don't show up (anymore) on the desktop. Addition.txt FRST.txt
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
Everything is back: StructuredQuery.log, the tmpaddon files, empty mozilla-temp-files folder and BCLTMP. All in the TEMP folder. BCLTMP contains a subfolder edge and firefox, with files places.sqlite and search.json.mozlz4. They contain searches, visited URLs and bookmarks in some kind of table format. I haven't installed any software since I reset my browsers (also no addons), and did not change any browser settings. I am certain this data could be used by malware to steal my identity, passwords or other data. I tried to log which process made the BCLTMP folder, it just shows explorer.exe, and I can't find out if it's being sent over the network at all. What can I do? My laptop got it by just connecting to the home network.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
tmpaddon-*.* files just appeared in TEMP on which "Date modified" shows 10 minutes ago, when they weren't there. I included them in the message. They have some readable data. I had to set the extension to .txt as they didn't have one. Files are the same size. *Edit* Found out they are just data containers; without the .txt extension I could open them in 7-Zip, which shows multiple DLL files (and more) like gmpopenh264.dll and widevinecdm.dll. These tmp files deleted themselves after 10 minutes, opposite to the usual tmpaddon files that fill my TEMP folder. tmpaddon.txt tmpaddon-3d75b0.txt
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
I remember I used Google Chrome for a while and didn't have Firefox installed; BCLTMP would still show up but had a Chrome subfolder. Sometimes it has an Edge subfolder too, but I don't even use Edge. Then I uninstalled Chrome and started using Firefox, but the problems remained. It feels like a Trojan that for some reason puts my readable browser data in the TEMP.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
When I reset Internet Explorer, I got a second StructuredQuery.log in TEMP. Then I reset Edge and Firefox; nothing new in the TEMP, only an empty folder called something like "mozilla-temp-files". BCLTMP hasn't returned yet; that one is created at random times it seems.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
The other file that keeps returning was created a day after the last BCLTMP creation, around the same time. I added it to the message. StructuredQuery.log
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
Will try it tomorrow!
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
The search for BCLTMP returned the following files; I added the log to this message. I can easily read the contents of them. Some of the files describe browser settings and temporary addons, which can often be found in TEMP with extension .xpi. The search for StructuredQuery returned way too many files, not useful. Note, my laptop which creates the same strange files and folders didn't have any software installed and had no connection to my PC, only to my home network. Other laptops connected to my network show the same behaviour afterwards, which makes this a really strange case. Report BCLTMP search.txt
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
I'm running a search inside of all files on the hard disk for the words "BCLTMP" and "StructuredQuery" with the tool AgentRansack (it searches inside of almost all file extensions with high speed and returns results without changing anything). Just to gather more info.
BCLTMP in temp folder, possible spyware.
Seda145 replied to Seda145's topic in Resolved Malware Removal Logs
Interesting, the BCLTMP folder has already returned to TEMP, including browser files (places.sqlite, search.json.mozlz4).