Seda145

Honorary Members
  • Posts: 22
  • Joined
  • Last visited

Reputation: 0 Neutral


  1. I have a procmon log file, on which I'm browsing the internet using Firefox. Firefox creates a mozilla-temp-files folder in the TEMP, then Explorer.exe reads C:\Windows\System32\TaskFlowDataEngine.dll for some reason, then avgsvc (AVG antivirus) creates the BCLTMP folder in TEMP. Operations used on the BCLTMP folder include QueryNetworkOpenInformationFile, QueryRemoteProtocolInformation and many others. The .txt file included should be renamed to .PML. Avast also creates the BCLTMP. I noticed a firewall rule in my custom software firewall about the BCLTMP folder months ago that I did not create. Looks like my data is sent over the internet. Any attempts to look for it with Wireshark failed. Logfile - Copy.txt
  2. Alright, will try the articles and the software. I've used procmon in the past, which showed BCLTMP is made by explorer.exe, couldn't find another process creating it.
  3. Deleted the previous BCLTMP folder; another one appeared again in TEMP, this time including a subfolder named Edge. It's empty. No idea where it could be coming from.
  4. The folders that keep returning like BCLTMP are always in %TEMP%
  5. I have used the fix and rebooted. The BCLTMP folder has returned within hours. No tempaddons in the TEMP. *Edit* I noticed the folder returned each time after we did something to the browser. Normally it might have taken a day or a week before the folder would return.
  6. I removed Firefox and rebooted. There are still many traces of the Firefox and (very old) Chrome installation in the FRST files. I included the files of FRST. I took my laptop with me to the office today, which also created the BCLTMP and mentioned folders after connecting to their network. It might be a lot easier to make a FRST log on the laptop as it doesn't have much software installed on it and the device is new. RogueKiller found browser (malware) results on the laptop which don't show up (anymore) on the desktop. Addition.txt FRST.txt
  7. Everything is back: StructuredQuery.log, the tmpaddon files, empty mozilla-temp-files folder and BCLTMP. All in the TEMP folder. BCLTMP contains a subfolder edge and firefox, with files places.sqlite and search.json.mozlz4. They contain searches, visited URLs and bookmarks in some kind of table format. I haven't installed any software since I reset my browsers (also no addons), and did not change any browser settings. I am certain this data could be used by malware to steal my identity, passwords or other data. I tried to log which process made the BCLTMP folder; it just shows explorer.exe, and I can't find out if it's being sent over the network at all. What can I do? My laptop got it by just connecting to the home network.
  8. tmpaddon-*.* files just appeared in TEMP, on which "Date modified" shows 10 minutes ago, when they weren't there before. Included them in the message. They have some readable data. I had to set the extension to .txt as they didn't have one. Files are the same size. *Edit* Found out they are just data containers; without the .txt extension I could open them in 7-Zip, which shows multiple DLL files (and more) like gmpopenh264.dll and widevinecdm.dll. These tmp files deleted themselves after 10 minutes, as opposed to the usual tmpaddon files that fill my TEMP folder. tmpaddon.txt tmpaddon-3d75b0.txt
  9. I remember I used Google Chrome for a while and didn't have Firefox installed; BCLTMP would still show up but had a Chrome subfolder. Sometimes it has an Edge subfolder too, but I don't even use Edge. Then I uninstalled Chrome and started using Firefox, but the problems remained. It feels like a Trojan that for some reason puts my readable browser data in the TEMP.
  10. When I reset Internet Explorer, I got a second StructuredQuery.log in TEMP. Then I reset Edge and Firefox; nothing new in the TEMP, only an empty folder called something like "mozilla-temp-files". BCLTMP hasn't returned yet; that one is created at random times, it seems.
  11. The other file that keeps returning was created a day after the last BCLTMP creation around the same time. I added it to the message. StructuredQuery.log
  12. The search for BCLTMP returned the following files; added the log to this message. I can easily read the contents of them. Some of the files describe browser settings and temporary addons, which can often be found in TEMP with extension .xpi. The search for StructuredQuery returned way too many files, not useful. Note, my laptop, which creates the same strange files and folders, didn't have any software installed and had no connection to my PC, only to my home network. Other laptops connected to my network show the same behaviour afterwards, which makes this a really strange case. Report BCLTMP search.txt
  13. I'm running a search inside all files on the hard disk for the words "BCLTMP" and "StructuredQuery" with the tool AgentRansack (it searches inside almost all file extensions at high speed and returns results without changing anything). Just to gather more info.
  14. Interesting, the BCLTMP folder has already returned to TEMP, including browser files (places.sqlite, search.json.mozlz4).