Jump to content

Recommended Posts

The extension is for temp file but strange. What else was going on that day? System wise, install anything? Have you done any other scans? Panda or Jotti's for the file? http://www.virscan.org/

http://virusscan.jotti.org/

We also have file submission here. On main site page

Link to post
Share on other sites

  • Root Admin

Interesting... I've actually looked on about 5 different machines and so far every system I've looked at has a zero-byte file that is being locked by SYSTEM

You can not delete it with normal means and even using a tool to delete it, it is automatically recreated within seconds.

I shut down every service that would allow you to shut it down and then tried to delete it but it was still locked and still recreated if forced deleted.

Currently not sure what is creating it for sure. I just logged onto a few Servers and they don't have it on most but I do have some that have it.

Will do some more investigation tomorrow.

Link to post
Share on other sites

  • Root Admin
The file i refer to is a zero byte file until the application that created it becomes active, at which point it becomes a 24 byte file. When i close the app it returns to zero and dosn't change under any other activity. I suspect it maybe related to the request to check for updates at the application start-up.

I did notice that on one system while I was forcing it to delete with Unlocker. It would reappear as a 24 byte .TMP file then would later be a zero-byte file. I would guess it's normal behavior but now I'm curious as to what is creating it and why.

A bit curious as the 24 byte file size is very common in a lot of Google pages dealing with cryptography, encryption, cracking, reverse engineering, etc.. Since I only dabble in programming I'm not fully sure yet of the importance but it does provide a lot of pages on a Google search.

Link to post
Share on other sites

1; The Exe that Prevx is referring is a 'pre-patched' (hacked) earlier version of CloneCd by PARADOX, hence the term COMP(lete) which not surprisingly contains 'the payback'.

2; Wasn't it Prevx that recently flagged Mbam?

3; Prevx is amongst the online scanners used by VirusTotal which detected nothing.

4; There are no instances of irregular registry keys or mods to existing ones.

Oh.. I didn't read in depth. My mistake. Panda flagged MBAM in one log I was working in the online scan. I know Prevx is one of the online scanners used by VT.

Link to post
Share on other sites

  • 2 weeks later...
Guest bugmenot

That TMP file is created by the ElbyCDIO driver used by some ElaborateBytes/SlySoft applications. See hxxp://club.cdfreaks.com/f18/conspicious-behavior-clonecd-possibly-other-slysoft-apps-234705/ and hxxp://club.cdfreaks.com/f18/hidden-file-repeatedly-accessed-236539/ for more information. It

Edited by JeanInMontana
Mung links
Link to post
Share on other sites

  • Root Admin
Thanks for the interest but it's origin became clear much earlier in the thread. BTW i'm not sure wise to include links to sites which are suspect!

http://www.siteadvisor.com/sites/cdfreaks.com

Well a couple things, at least as I currently view them.

The origin is not that clear to me as in the above post here it attempts to lay blame on a CRACKED version of some version of Slysoft software which is not true. I have been a legal user of the product for many years even before Slysoft bought up the rights from Elby, and I do not have any cracked version of their software.

As for the site advisor listing that could probably even be links from Google Analytics or users posting links on the site.

Even if one does put stock in their advice - They also show that after downloading files and other checks they do not see anything wrong with the site except some potential links to a known bad site which at least for me does not classify or place them in a bad light until or unless something stronger or more direct can be proven that they're doing wrong (I don't know as I've not researched them myself but I don't take site advisor as the end all authority on a sites value either).

However I would think that many of the forum visitors here are a bit more advanced and wish to help bring such issue to light and not hide

stuff (but that's just my opinion and on the contrary maybe most visitors are normal home users with little to no experience with Windows).

As for the links on the cdfreaks site I do plan to visit and post there soon as I think the guy is being crucified by people that are either clueless

or have an agenda, or are just part of what they feel are an elite group of people.

One thing that I've seen over and over now in forums is there is a clique of core people that often stick together

and gang up on other posters when they feel threatened regardless if they're correct or not.

I know from experience from the site I'm an Administrator on, and from one I moderate on as well.

Link to post
Share on other sites

  • Root Admin
Yup... it has been my experience when a file gets no hits at all on Google it is malware. Seems this is no exception.

Hi Jean

Just thought I would bring up that in this case the file name is seemingly random (though not really - there is rhyme and reason for the name) but with a vastly varying name and an extension that ends in .TMP makes it almost impossible to query on sites like Google, Yahoo, Live, etc because they also filter and present classes of predetermined entries (if one had full SQL query rights and had experience then you could probably find many entries for such files)

Also in this case I really think it boils down to some programming method (good or bad unknown at this time) and is almost certainly not malware related.

Though as you say there are many cases where your assumption is probably spot on.

Thanks for all your input and support in the Anti-Malware community.

Link to post
Share on other sites

Guest bugmenot

I too noticed that CDFreaks is flagged by SiteAdvisor. As mentioned it is indeed because of the advertising on the main page. The reviews on SiteAdvisor are good and even the negative one said it is useful. The forums are clean though and are a rich source of optical-disc related information, which is why I registered there back then.

The two threads I posted above have thorough research and analysis on the file, including how the filename is determined, although the actual contents of the file remain unknown. Perhaps compiling a collection of such files from various sources could lead to reversing it (it does not seem to be random, there may very well be some valid information in there).

As for the response to the investigation, it has been quite unpleasant over there. Perusing some other threads on that board reveal a strong pro-SlySoft bias where anyone who complains in the least is quickly shot down by the SS lovers (pun intended). :) There’s a few members there that probably work for the company.

I haven’t checked yet, but I’ll take a look at some of the other leading CDVD forums (CDRLabs, CDRInfo) to see if the members there are more objective.

Link to post
Share on other sites

The origin is not that clear to me as in the above post here it attempts to lay blame on a CRACKED version of some version of Slysoft software which is not true. I have been a legal user of the product for many years even before Slysoft bought up the rights from Elby, and I do not have any cracked version of their software.

There are often legal and cracked versions of all sorts of software. I too came across references to the cracked programs containing malware and this is very common. You have a legal version and it is clean.

I will agree SiteAdvisor is not always the best source and I have been a critic of their ratings system more than once. I have seen bad sites listed as good and good sites listed as bad. There is no criteria for who gets to be a reviewer and the reviewer ratings are based on popular vote. This means in theory, anyone can rate sites and all their friends can also and they can give each other great scores and none of them have a clue as to what constitutes a bad site.

I have also seen a file be both ways. One instance it is bad in another it is fine. I suspect this is the case with this file.

Link to post
Share on other sites

  • Root Admin

Well I'm actually in contact with the author of the posts on CDFreaks and will work with him to see if we can determine when this started happening and if possible why. I'm a big fan of Slysoft myself and I'm not saying they're doing anything bad. At this point its more of a quest to see if we can find out when and why. I'm not trying to accuse Slysoft of anything wrong or underhanded, just seems an odd behavior when there are so many other ways to code things.

I just thought it was unwarranted replies to his discovery and postings.

Link to post
Share on other sites

Well I'm actually in contact with the author of the posts on CDFreaks and will work with him to see if we can determine when this started happening and if possible why. I'm a big fan of Slysoft myself and I'm not saying they're doing anything bad. At this point its more of a quest to see if we can find out when and why. I'm not trying to accuse Slysoft of anything wrong or underhanded, just seems an odd behavior when there are so many other ways to code things.

I just thought it was unwarranted replies to his discovery and postings.

When a program gets cracked it is not the authors fault. This happens all the time. The program gets cracked, a trojan inserted and its put on a shady site for download. There are numerous sites devoted to nothing but warez or cracked software. It's all illegal and none of the authors are involved.

Link to post
Share on other sites

  • Root Admin
When a program gets cracked it is not the authors fault. This happens all the time. The program gets cracked, a trojan inserted and its put on a shady site for download. There are numerous sites devoted to nothing but warez or cracked software. It's all illegal and none of the authors are involved.

Jean thank you and yes I agree and understand. I have this behavior though and I do not have any cracked version. My downloads are directly from the Slysoft website. I think that might also be part of the issue here in that I think maybe some people just want to ignore it and assume it's from cracked software. Well if it is from cracked software then Slysoft has the cracked version on their website (they don't - just making a point). I can not speak for anyone else except for my own systems and they're not running and never have run a cracked version, yet I too have this .TMP file on my systems.

Link to post
Share on other sites

Guest bugmenot
Jean thank you and yes I agree and understand. I have this behavior though and I do not have any cracked version. My downloads are directly from the Slysoft website. I think that might also be part of the issue here in that I think maybe some people just want to ignore it and assume it's from cracked software. Well if it is from cracked software then Slysoft has the cracked version on their website (they don't - just making a point). I can not speak for anyone else except for my own systems and they're not running and never have run a cracked version, yet I too have this .TMP file on my systems.

That

Link to post
Share on other sites

Guest bugmenot
Sorry if i have offended anyone, it is clear that posts in this thread have all been with positive intentions. In reference to the zero byte .tmp file belonging to

Slysoft's CloneCD, i can confirm a number of facts;

2, I uninstalled the app and completely removed all traces (registry/application data etc) from the P.C. The .tmp uinstalled along with CloneCD (not typical of

malware).

3, I installed CloneCD on a different P.C using the same registration details. On installation CloneCD created a .tmp file with a different prefix, S6A912191.

4, I reinstalled CloneCD on the original P.C. The behavoir of the installer suggested that of a fresh install rather than a reinstall.

5, The application created the .tmp file with exactly the same prefix as in my original post.

6, At this point i am inclined to conclude that the file is a genuine part (good or bad) of the application and not as suggested a malicious entry generated by a 'crack' or 'patch'.

7, That the name of the .tmp file relates not to the version of the application or the content of the registration details or the date of installation but to a 'handshake' I.D with a specific P.C ( perhaps including elements of the above mentioned details). When i have time i will do an install on a 3rd P.C at which point i will be able to reveal what data determines the files unique identity and subsequently it's likely purpose.

8, It should be pretty clear already as to it's purpose (highlighted by the absence of any genuine clarification from the manufacturer) which is why the same .tmp is probably replicated in hacked versions of the software as well.

9, Unfortunately, it is often the case that the harder a software developer works to protect it's property from hackers the more it reveals about that protection.

(2) - Interesting that it actually remembered to remove the tmp file.

(3-7) - As mentioned in the two threads at CDFreaks, the filename is of the format SX.tmp where X is an eight-digit hexadecimal number that is calculated as follows: take the serial number of C:\ and XOR it with 8af15bc6. (It may not be C:\, but rather the boot drive; someone who has Windows installed on a different drive letter would have to confirm.) remixed, the serial number of your C:\ drive is E060-7A57. :)

The filename does not really identify the system in any reliably unique way since the serial number changes when you format the drive (and can be manually changed too), not to mention that two drives can have the same number (it is after all just a 64-bit number). Besides, the number rarely changes, and certainly not every 10 seconds.

(8) - From what I can tell, the contents of the file can and do change. Analysis of various files from different sources, and even the same sources at different points would be required to determine what is in it.

(9) - True, and what’s worse is that a company founded on cracking other people’s protections tries so hard to protect it’s own product. :|

Link to post
Share on other sites

Sorry if i have offended anyone, it is clear that posts in this thread have all been with positive intentions. In reference to the zero byte .tmp file belonging to

Slysoft's CloneCD, i can confirm a number of facts;

I can only speak for me, I am certainly not offended. I am finding this whole discussion extremely interesting. I see no reason anyone should be offended. Everyone has offered up their best knowledge/ideas and we have been shown some curious facts.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.