Hey guys,

I noticed a strange folder in my temp folder called BCLTMP containing subfolders with the names of my browsers. Inside of these folders are files that contain my saved favourites, visited URLs and searches. After deletion of the BCLTMP folder it appears again after a while, sometimes after a day, a week or a month. After scanning my PC with all the tools I have (which didn't find much and didn't stop the folder appearing) I decided it might be normal. Then I bought a new laptop which showed the same behavior within the same week I bought it. Nothing was installed on the laptop, no USB used, it had only been connected to my router. I have connected other laptops to my network in the past which showed the same behavior. Could this BCLTMP folder which seems to track my browser history be spyware/malware? No one else seems to have the folder. I am using Windows 10 Pro on both devices. I tried scanning with Malwarebytes, RogueKiller, AdwCleaner, ESET SysRescue, Exterminate It, SpyDllRemover (which reports hidden rootkit, with processID, hidden), SUPERAntiSpyware. TDSSKiller won't boot (redownloaded, same result) and Comodo CCE crashes the computer and then refuses to boot. Note that the laptop with the BCLTMP folder is a clean Windows 10 install with no installed software. My router reports synflood attacks from within and outside of my network, and its firmware has been reinstalled by the ISP just to be sure. Not much else to see there.

How can I figure out what is happening to my devices, and what this folder is for?

 

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Addition.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and paste the contents of the requested files in your Reply instead.

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Okay, it's pretty late so I'll be heading out soon but let me have you run the following and I'll check back on your logs tomorrow.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 

Please run the following fix. This will remove some unwanted items as well as clean temp files and run a Full disk check.

NOTE: The full disk check can take several hours to complete depending on the size of the hard drive and the speed of your computer. Please let it complete.


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

After the reboot and disk check, look at downloading and running this tool to see if it can correct your VSS errors.

 


Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues
https://www.acronis.com/en-us/personal/vss-diagnostic-free-tool/

 

 

Thanks

Ron

 

Hi Ron,

Thanks for helping me. I used the FIX function and included a fixlog with the message. Some fixes have failed. Diskcheck has completed.

I remember one other folder/file (StructuredQuery.log) that returns every time in the TEMP folder, just like BCLTMP. Should I add them to my reply when they do?

When I get home I will run the Acronis VSS Doctor.

 

Fixlog.txt

Interesting, the BCLTMP folder has already returned to TEMP including browser files (places.sqlite, search.json.mozlz4)

I'm running a search inside of all files on the hard disk on words "BCLTMP" and "structuredQuery" with the tool AgentRansack (it searches inside of almost all file extensions with high speed and returns results without changing anything). Just to gather more info

The search for BCLTMP returned the following files; I added the log to this message. I can easily read the contents of them. Some of the files describe browser settings and temporary addons, which can often be found in TEMP with extension .xpi.

Search for StructuredQuery returned way too many files, not useful.

Note, my laptop which creates the same strange files and folders didn't have any software installed and had no connection to my PC, only to my home network. Other laptops connected to my network show the same behaviour afterwards, which makes this a really strange case.

Report BCLTMP search.txt

Based on your last log I'd say it has to be something from Firefox as an extension or plugin. Please do the following.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
  • Type in (or copy/paste) the following and press Enter: %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
 

Look in the Temp folder and delete the folder BCLTMP.

Then reboot the computer and recheck if that folder has returned without running any browser or other programs yet.

 

 

When I reset Internet Explorer, I got a second StructuredQuery.log in TEMP. Then I reset Edge and Firefox, nothing new in the TEMP, only an empty folder called something like "mozilla-temp-files". BCLTMP hasn't returned yet, that one is created at random times it seems.

I remember I used Google Chrome for a while and didn't have Firefox installed, BCLTMP would still show up but had a Chrome subfolder. Sometimes it has an Edge subfolder too but I don't even use Edge. Then I uninstalled Chrome and started using Firefox but the problems remained. It feels like a Trojan that for some reason puts my readable browser data in the TEMP.

tmpaddon-*.* files just appeared in TEMP on which "Date modified" shows 10 minutes ago, when they weren't there. Included them in the message. It has some readable data. I had to set the extension to .txt as it didn't have one. Files are the same size. *Edit* Found out they are just data containers; without the .txt extension I could open them in 7Zip, which shows multiple dll files (and more) like gmpopenh264.dll and widevinecdm.dll. These tmp files deleted themselves after 10 minutes, opposite to the usual tmp addon files that fill my TEMP folder.

tmpaddon.txt

tmpaddon-3d75b0.txt

Edited by Seda145

Search online shows they appear to be part of Firefox. Not sure there is a big issue here as it seems at least semi normal for some.

 

Everything is back, StructuredQuery.log, the tmpaddon files, empty mozilla-temp-files folder and BCLTMP. All in TEMP folder.

BCLTMP contains a subfolder edge and firefox, with files places.sqlite and search.json.mozlz4. They contain searches, visited URLs and bookmarks in some kind of table format.

I haven't installed any software since I reset my browsers (also no addons), and did not change any browser settings.

I am certain this data could be used by malware to steal my identity, passwords or other data.

I tried to log which process made the BCLTMP folder, it just shows explorer.exe, and I can't find out if it's being sent over the network at all.

What can I do? My laptop got it by just connecting to the home network..
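
A way to check what the recurring TEMP files actually are, as an added example that is not part of the original thread: it identifies each file in a copy of the folder by its header, gives table row counts for SQLite files such as places.sqlite, and lists the members of ZIP containers such as the tmpaddon files. The function names and the sample folder contents are constructed for illustration; the file names come from the posts above, and the mozlz4 header layout (8-byte magic, then a 4-byte size) is Firefox's own format.

```python
import sqlite3, struct, tempfile, zipfile
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # SQLite database header
MOZLZ4_MAGIC = b"mozLz40\x00"          # Firefox LZ4 container (search.json.mozlz4)
ZIP_MAGIC = b"PK\x03\x04"              # ZIP local file header (XPI/add-on packages)

def classify(path):
    """Identify one file by its header and summarise its contents."""
    path = Path(path).resolve()
    with path.open("rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        # Read-only and immutable: SQLite writes nothing, not even -wal/-shm files.
        uri = path.as_uri() + "?mode=ro&immutable=1"
        with closing(sqlite3.connect(uri, uri=True)) as con:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
            return "sqlite", {t: con.execute('SELECT COUNT(*) FROM "%s"'
                              % t.replace('"', '""')).fetchone()[0] for t in tables}
    if head.startswith(MOZLZ4_MAGIC) and len(head) >= 12:
        # The 4 bytes after the magic hold the decompressed size (little-endian).
        return "mozlz4", struct.unpack("<I", head[8:12])[0]
    if head.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(path) as zf:
            return "zip", sorted(zf.namelist())
    return "unknown", head[:8].hex()

def triage(root):
    """Map each file under root (relative path) to its (kind, detail) summary."""
    root = Path(root).resolve()
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample(root):
    """Constructed stand-in for a copied TEMP folder; contents are made up."""
    ff = Path(root, "BCLTMP", "firefox")
    ff.mkdir(parents=True)
    with closing(sqlite3.connect(ff / "places.sqlite")) as con:
        con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
        con.executemany("INSERT INTO moz_places (url) VALUES (?)",
                        [("https://example.org/",), ("https://example.com/",)])
        con.commit()
    (ff / "search.json.mozlz4").write_bytes(
        MOZLZ4_MAGIC + struct.pack("<I", 321) + b"\x00" * 8)
    with zipfile.ZipFile(Path(root, "tmpaddon-3d75b0"), "w") as zf:
        zf.writestr("gmpopenh264.dll", b"constructed placeholder")
    Path(root, "StructuredQuery.log").write_text("constructed\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (kind, detail) in triage(build_sample(tmp)).items():
            print(f"{name}: {kind} -> {detail}")
```

Run `triage()` against a copy of the folder rather than the live TEMP directory, so a browser holding the files open does not interfere with the read.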

 

 

 

Let's go ahead then and back up your bookmarks for Firefox. Then uninstall it and use either IE or Edge for now, and once you've removed Firefox and rebooted, send me a new updated FRST set of logs.

 

Thanks

Ron

 

I removed Firefox and rebooted. There are still many traces of the Firefox and (very old) Chrome installation in the FRST files. I included the files of FRST.

I took my laptop with me to the office today, which also created the BCLTMP and mentioned folders after connecting to their network.

It might be a lot easier to make a FRST log on the laptop as it doesn't have much software installed on it and the device is new.

RogueKiller found browser (malware) results on the laptop which don't show up (anymore) on the desktop.

Addition.txt

FRST.txt

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Then after the reboot run IE, Edge, Chrome and see if those file names return without Firefox.

 

 
