S0224A913.TMP


Guest remixed

  • Root Admin

Well didn't mean to drop the ball so to speak on this one as I have all the versions so I can track it down I'm sure, but work has bombarded me with way too much work lately. Even worked on Sunday first time in 20 years.

Hopefully next week or so I can get back to looking at this, we know what it is, just need to see when it came up on which version.


  • 3 weeks later...
Guest bugmenot
Well didn't mean to drop the ball so to speak on this one as I have all the versions so I can track it down I'm sure, but work has bombarded me with way too much work lately. Even worked on Sunday first time in 20 years.

Unfortunately we


  • 1 month later...
  • Root Admin

Sorry about that. Got busy and forgot all about this post.

Found a little more information on it but still very elusive in nature..

Killed all processes to the file using Unlocker 1.87 then copied it to another folder for review.

File is 48 bytes long. Here is the data from a DOS TYPE command

█∞▲l					╩α╫J

Here is the HEX output from a hex editor

DBEC1E6C0000000000000000000000000000000000000000CAE0D74A000000000000000000000000
0000000000000000

The odd thing was that using FILEMON - the file was recreated by streaming data via EXPLORER.EXE

You can see here where it could not find the file because Unlocker removed it. Then you'll see it is back again

2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 CLOSE C:\WINDOWS\SBAC9F25C.tmp SUCCESS
2:54:05 PM explorer.exe:3968 QUERY INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS Attributes: A
2:54:05 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp SUCCESS Options: Open Access: All
2:54:05 PM explorer.exe:3968 SET INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS FileBasicInformation
2:54:05 PM explorer.exe:3968 READ C:\WINDOWS\SBAC9F25C.tmp SUCCESS Offset: 0 Length: 512
2:54:05 PM explorer.exe:3968 READ C:\WINDOWS\SBAC9F25C.tmp SUCCESS Offset: 0 Length: 8
2:54:05 PM explorer.exe:3968 READ C:\WINDOWS\SBAC9F25C.tmp SUCCESS Offset: 0 Length: 12
2:54:05 PM explorer.exe:3968 CLOSE C:\WINDOWS\SBAC9F25C.tmp SUCCESS
2:54:05 PM explorer.exe:3968 QUERY INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS Attributes: A
2:54:05 PM explorer.exe:3968 QUERY INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS Attributes: A

I still need to take the time to do some ADD/REMOVE of versions to see if I can track down 100% that it is from Slysoft and if possible which version enabled this behavior.

    NOTE:
  • This is only for ANALYSIS - no one is accusing Slysoft or CDFreaks of anything improper. At this point it is merely an exercise of educational value on computer behavior only and we may never fully determine what purpose this file serves.

LINKS From other forums so as not to lose them from a user post edit again.

Link on CDFREAKS site about this (since Remix removed his posts)

Hidden file repeatedly accessed

Original thread on CDFREAKS, but it was closed by a Moderator! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Link on Slysoft site Hidden file or rookit?

Quoted Post from CDFreaks for reference

I was doing some work with virtual-machines today. Since this topic came up earlier today (I don
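The hex dump and the FileMon lines quoted in the post above can be re-checked offline. The following is an added example and not code from the post or from any of the vendors discussed: HEX_DUMP and FILEMON_LOG are copied from the post (the log's whitespace normalised to single spaces), while the log parser, the stream-name split and the "reappeared" check are this example's own logic, not a FileMon feature. One caveat worth keeping in mind when reading the log: a NOT FOUND on a `\:name:$DATA` path only says that that alternate data stream does not exist on the file, and stream names of this form are what the Windows shell probes when it looks for property metadata on an ordinary file, so those seven lines on their own do not establish that the base file was absent. The observation that does matter for the "it is back again" claim is the successful OPEN and the three READs on the base path that follow, which is what `reappeared()` keys on.

```python
"""Added example (not from the original post): re-check the 48-byte hex dump
and the FileMon log quoted above. Inputs are copied from the post; the parser
and the 'reappeared' heuristic are this example's own, not a FileMon feature."""
import re

# 48-byte content of SBAC9F25C.tmp as shown by the hex editor (two lines joined).
HEX_DUMP = (
    "DBEC1E6C0000000000000000000000000000000000000000"
    "CAE0D74A000000000000000000000000"
    "0000000000000000"
)
ARTEFACT = bytes.fromhex(HEX_DUMP)

# FileMon lines from the post, whitespace normalised to single spaces.
FILEMON_LOG = r"""
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
2:54:04 PM explorer.exe:3968 CLOSE C:\WINDOWS\SBAC9F25C.tmp SUCCESS
2:54:05 PM explorer.exe:3968 QUERY INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS Attributes: A
2:54:05 PM explorer.exe:3968 OPEN C:\WINDOWS\SBAC9F25C.tmp SUCCESS Options: Open Access: All
2:54:05 PM explorer.exe:3968 SET INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS FileBasicInformation
2:54:05 PM explorer.exe:3968 READ C:\WINDOWS\SBAC9F25C.tmp SUCCESS Offset: 0 Length: 512
2:54:05 PM explorer.exe:3968 READ C:\WINDOWS\SBAC9F25C.tmp SUCCESS Offset: 0 Length: 8
2:54:05 PM explorer.exe:3968 READ C:\WINDOWS\SBAC9F25C.tmp SUCCESS Offset: 0 Length: 12
2:54:05 PM explorer.exe:3968 CLOSE C:\WINDOWS\SBAC9F25C.tmp SUCCESS
2:54:05 PM explorer.exe:3968 QUERY INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS Attributes: A
2:54:05 PM explorer.exe:3968 QUERY INFORMATION C:\WINDOWS\SBAC9F25C.tmp SUCCESS Attributes: A
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>[^:\s]+):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|CLOSE|READ|QUERY INFORMATION|SET INFORMATION)\s+"
    r"(?P<path>\S+)\s+(?P<result>SUCCESS|NOT FOUND)\s*(?P<detail>.*)$"
)


def nonzero_runs(data):
    """(offset, bytes) for each maximal run of non-zero bytes in the dump."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((start, data[start:i]))
            start = None
    if start is not None:
        runs.append((start, data[start:]))
    return runs


def as_dos_type(data):
    """Render the bytes as a code-page-437 console would for TYPE. NULs print as
    nothing and are dropped; 0x1E is a control code that the codec leaves as-is
    even though the console draws it as a triangle, so only the high bytes are
    compared in the test."""
    return data.replace(b"\x00", b"").decode("cp437")


def split_stream(path):
    r"""'C:\x.tmp\:name:$DATA' -> ('C:\x.tmp', 'name'); a plain path -> (path, None)."""
    if "\\:" not in path:
        return path, None
    base, rest = path.split("\\:", 1)
    return base, rest.split(":", 1)[0]


def parse_filemon(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed FileMon line: %r" % line)
        ev = m.groupdict()
        ev["base"], ev["stream"] = split_stream(ev["path"])
        events.append(ev)
    return events


def missing_streams(events):
    """Alternate data stream names that were probed and did not exist."""
    return sorted({e["stream"] for e in events if e["stream"] and e["result"] == "NOT FOUND"})


def reads_on(events, base):
    """(offset, length) of each successful READ on the base file, in log order."""
    out = []
    for e in events:
        if e["op"] == "READ" and e["base"] == base and e["result"] == "SUCCESS":
            m = re.search(r"Offset:\s*(\d+)\s+Length:\s*(\d+)", e["detail"])
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def reappeared(events, base):
    """True when the base file is opened successfully after an earlier NOT FOUND
    on it or on one of its streams: the 'then it is back again' pattern."""
    seen_missing = False
    for e in events:
        if e["base"] != base:
            continue
        if e["result"] == "NOT FOUND":
            seen_missing = True
        elif seen_missing and e["op"] == "OPEN" and e["result"] == "SUCCESS":
            return True
    return False


if __name__ == "__main__":
    print(len(ARTEFACT), "bytes; non-zero runs:",
          [(o, r.hex()) for o, r in nonzero_runs(ARTEFACT)])
    print("TYPE would show:", repr(as_dos_type(ARTEFACT)))
    ev = parse_filemon(FILEMON_LOG)
    print("streams probed and absent:", missing_streams(ev))
    print("reads on base file:", reads_on(ev, r"C:\WINDOWS\SBAC9F25C.tmp"))
    print("reappeared:", reappeared(ev, r"C:\WINDOWS\SBAC9F25C.tmp"))
```

Running it confirms that the dump is exactly two four-byte non-zero fields at offsets 0 and 24 with zero padding in between and after, that the CP437 rendering of the non-zero bytes is the glyph string the TYPE output shows, and that the only reads on the base file are three overlapping reads from offset 0 (512, 8 and 12 bytes), which is consistent with a header check rather than a full read of the 48 bytes.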

  • Root Admin

A little more information to show while using Unlocker 1.87 to delete the .tmp file.

Using Process Monitor v1.33 from Sysinternals (now owned by Microsoft)

No files shown that are directly related to Slysoft. However if this is implemented as a boot level driver then I'm sure it's filtered out.

Oddly though, IceSword 1.22 cannot forcefully delete the file either.

So, next step should be to remove all versions of Slysoft software and ensure the file is no longer present.

Sequence: 80186
Date & Time: 6/4/2008 1:07:56 PM
Event Class: File System
Operation: CreateFile
Result: SUCCESS
Path: C:\WINDOWS\SBAC9F25C.tmp
TID: 4028
Duration: 0.0000178
Desired Access: Delete
Disposition: Open
Options: Delete On Close
Attributes: n/a
ShareMode: Read, Write, Delete
AllocationSize: n/a
OpenResult: Opened

Description: n/a
Company: n/a
Name: Unlocker.exe
Version: n/a
Path: C:\Program Files\Unlocker\Unlocker.exe
Command Line: "C:\Program Files\Unlocker\Unlocker.exe" "C:\WINDOWS\SBAC9F25C.tmp"
PID: 2288
Parent PID: 2808
Session ID: 0
Architecture: 32-bit
Virtualized: n/a
Integrity: n/a
Started: 6/4/2008 1:06:43 PM
Ended: 6/4/2008 1:07:57 PM

Modules:
Unlocker.exe 0x400000 0x1C000 C:\Program Files\Unlocker\Unlocker.exe
UnlockerHook.dll 0x12A0000 0x4000 C:\Program Files\Unlocker\UnlockerHook.dll
normaliz.dll 0x1590000 0x9000 C:\WINDOWS\system32\normaliz.dll
PGPhk.dll 0x10000000 0x9000 C:\WINDOWS\system32\PGPhk.dll
MSOHEV.DLL 0x325C0000 0x12000 C:\Program Files\Microsoft Office\OFFICE11\MSOHEV.DLL
iertutil.dll 0x46300000 0x45000 C:\WINDOWS\system32\iertutil.dll
wininet.dll 0x46A70000 0xD0000 C:\WINDOWS\system32\wininet.dll
riched20.dll 0x48EF0000 0x71000 C:\WINDOWS\system32\riched20.dll
msctf.dll 0x4B3C0000 0x50000 C:\WINDOWS\system32\msctf.dll
msctfime.ime 0x4DC30000 0x2E000 C:\WINDOWS\system32\msctfime.ime
hnetcfg.dll 0x5F270000 0x5A000 C:\WINDOWS\system32\hnetcfg.dll
mslbui.dll 0x60970000 0xA000 C:\WINDOWS\system32\mslbui.dll
wshtcpip.dll 0x71AE0000 0x8000 C:\WINDOWS\system32\wshtcpip.dll
mswsock.dll 0x71B20000 0x41000 C:\WINDOWS\system32\mswsock.dll
uxtheme.dll 0x71B70000 0x36000 C:\WINDOWS\system32\uxtheme.dll
ws2help.dll 0x71BF0000 0x8000 C:\WINDOWS\system32\ws2help.dll
ws2_32.dll 0x71C00000 0x17000 C:\WINDOWS\system32\ws2_32.dll
netapi32.dll 0x71C40000 0x57000 C:\WINDOWS\system32\netapi32.dll
cryptui.dll 0x75360000 0x7E000 C:\WINDOWS\system32\cryptui.dll
apphelp.dll 0x75E60000 0x27000 C:\WINDOWS\system32\apphelp.dll
browseui.dll 0x75EB0000 0xFF000 C:\WINDOWS\system32\browseui.dll
msasn1.dll 0x76190000 0x12000 C:\WINDOWS\system32\msasn1.dll
crypt32.dll 0x761B0000 0x93000 C:\WINDOWS\system32\crypt32.dll
imm32.dll 0x76290000 0x1D000 C:\WINDOWS\system32\imm32.dll
comdlg32.dll 0x762B0000 0x49000 C:\WINDOWS\system32\comdlg32.dll
cscdll.dll 0x76520000 0x1D000 C:\WINDOWS\system32\cscdll.dll
linkinfo.dll 0x768E0000 0x8000 C:\WINDOWS\system32\linkinfo.dll
ntshrui.dll 0x768F0000 0x25000 C:\WINDOWS\system32\ntshrui.dll
userenv.dll 0x76920000 0xC2000 C:\WINDOWS\system32\userenv.dll
psapi.dll 0x76B70000 0xB000 C:\WINDOWS\system32\psapi.dll
wintrust.dll 0x76BB0000 0x2B000 C:\WINDOWS\system32\wintrust.dll
imagehlp.dll 0x76C10000 0x28000 C:\WINDOWS\system32\imagehlp.dll
dnsapi.dll 0x76ED0000 0x2A000 C:\WINDOWS\system32\dnsapi.dll
wldap32.dll 0x76F10000 0x2E000 C:\WINDOWS\system32\wldap32.dll
secur32.dll 0x76F50000 0x13000 C:\WINDOWS\system32\secur32.dll
winrnr.dll 0x76F70000 0x7000 C:\WINDOWS\system32\winrnr.dll
rasadhlp.dll 0x76F80000 0x5000 C:\WINDOWS\system32\rasadhlp.dll
comres.dll 0x77010000 0xC6000 C:\WINDOWS\system32\comres.dll
setupapi.dll 0x770E0000 0x108000 C:\WINDOWS\system32\setupapi.dll
user32.dll 0x77380000 0x91000 C:\WINDOWS\system32\user32.dll
comctl32.dll 0x77420000 0x103000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
ole32.dll 0x77670000 0x139000 C:\WINDOWS\system32\ole32.dll
clbcatq.dll 0x777B0000 0x83000 C:\WINDOWS\system32\clbcatq.dll
shdocvw.dll 0x77980000 0x173000 C:\WINDOWS\system32\shdocvw.dll
cscui.dll 0x77B00000 0x54000 C:\WINDOWS\system32\cscui.dll
version.dll 0x77B90000 0x8000 C:\WINDOWS\system32\version.dll
msvcrt.dll 0x77BA0000 0x5A000 C:\WINDOWS\system32\msvcrt.dll
gdi32.dll 0x77C00000 0x48000 C:\WINDOWS\system32\gdi32.dll
rpcrt4.dll 0x77C50000 0x9F000 C:\WINDOWS\system32\rpcrt4.dll
oleaut32.dll 0x77D00000 0x8B000 C:\WINDOWS\system32\oleaut32.dll
shlwapi.dll 0x77DA0000 0x52000 C:\WINDOWS\system32\shlwapi.dll
kernel32.dll 0x77E40000 0x102000 C:\WINDOWS\system32\kernel32.dll
advapi32.dll 0x77F50000 0x9B000 C:\WINDOWS\system32\advapi32.dll
ntdll.dll 0x7C800000 0xC0000 C:\WINDOWS\system32\ntdll.dll
shell32.dll 0x7C8D0000 0x7FF000 C:\WINDOWS\system32\shell32.dll

Stack (frame, module, module + offset, address, path):
0 fltmgr.sys fltmgr.sys + 0x24ca 0xf734c4ca C:\WINDOWS\System32\Drivers\fltmgr.sys
1 fltmgr.sys fltmgr.sys + 0x3f2a 0xf734df2a C:\WINDOWS\System32\Drivers\fltmgr.sys
2 fltmgr.sys fltmgr.sys + 0x120ad 0xf735c0ad C:\WINDOWS\System32\Drivers\fltmgr.sys
3 fltmgr.sys fltmgr.sys + 0x125cc 0xf735c5cc C:\WINDOWS\System32\Drivers\fltmgr.sys
4 ntoskrnl.exe ntoskrnl.exe + 0x40153 0x80840153 C:\WINDOWS\system32\ntoskrnl.exe
5 ntoskrnl.exe ntoskrnl.exe + 0x12e806 0x8092e806 C:\WINDOWS\system32\ntoskrnl.exe
6 ntoskrnl.exe ntoskrnl.exe + 0x12c37a 0x8092c37a C:\WINDOWS\system32\ntoskrnl.exe
7 ntoskrnl.exe ntoskrnl.exe + 0x12d79b 0x8092d79b C:\WINDOWS\system32\ntoskrnl.exe
8 ntoskrnl.exe ntoskrnl.exe + 0xf547f 0x808f547f C:\WINDOWS\system32\ntoskrnl.exe
9 ntoskrnl.exe ntoskrnl.exe + 0x33bdf 0x80833bdf C:\WINDOWS\system32\ntoskrnl.exe
10 Unlocker.exe Unlocker.exe + 0x10620 0x410620 C:\Program Files\Unlocker\Unlocker.exe
11 Unlocker.exe Unlocker.exe + 0x106aa 0x4106aa C:\Program Files\Unlocker\Unlocker.exe
12 Unlocker.exe Unlocker.exe + 0x114dd 0x4114dd C:\Program Files\Unlocker\Unlocker.exe
13 Unlocker.exe Unlocker.exe + 0x13a3f 0x413a3f C:\Program Files\Unlocker\Unlocker.exe
14 Unlocker.exe Unlocker.exe + 0x13a77 0x413a77 C:\Program Files\Unlocker\Unlocker.exe


  • 4 weeks later...
  • 6 months later...
Guest bugmenot

Hey,

I just wanted to point out that at some point, they changed the driver (ELBYCDIO) so that it no longer reads the file two times every second in an infinite loop. They also changed the filename so that it is 16 bytes long (I have not figured out what algorithm is used to derive the name), and there is no temp extension (although the contents of the file are still unknown).

HTH

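The post above gives two properties of the renamed artefact (a 16-character name, no extension) while the earlier posts show the older generation as an "S" followed by eight hex digits with a .tmp extension, 48 bytes long, directly under C:\WINDOWS. A triage walk that flags both shapes is a natural next step for anyone trying to re-check a box. The following is an added example, not code from the thread or from any vendor named in it. It assumes, as this example's own guesses, that the 48-byte size still applies to the renamed file, that the new name is alphanumeric (the post does not say), and that the older-name pattern can be generalised from the two samples in the thread (S0224A913.TMP and SBAC9F25C.tmp). The sample directory is constructed with tempfile so the walk runs offline.

```python
"""Added example (not from the thread): flag files under a Windows directory
that match either generation of the artefact the thread describes.
Assumptions (not stated on the page): the renamed file is still 48 bytes,
its 16-character name is alphanumeric, and the old-name pattern 'S' + 8 hex
digits + '.tmp' generalises from the two samples in the thread."""
import os
import re
import tempfile

OLD_NAME = re.compile(r"^S[0-9A-F]{8}\.tmp$", re.IGNORECASE)  # e.g. SBAC9F25C.tmp (assumed pattern)
NEW_NAME = re.compile(r"^[0-9A-Za-z]{16}$")                    # 16 chars, no extension (assumed alnum)
ARTEFACT_SIZE = 48                                             # from the earlier post; assumed unchanged


def classify(name, size):
    """'old' or 'new' for a matching directory entry, None otherwise."""
    if size != ARTEFACT_SIZE:
        return None
    if OLD_NAME.match(name):
        return "old"
    if NEW_NAME.match(name):
        return "new"
    return None


def triage(windir):
    """Scan only the top level of windir, where the thread saw the file.
    Returns [(path, kind)] sorted by path. On a live box a kernel driver that
    hides or locks the file can defeat a user-mode listing like this one, which
    is why the thread reached for Unlocker and IceSword; treat a clean result
    as 'nothing visible', not as 'nothing there'."""
    hits = []
    with os.scandir(windir) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            kind = classify(entry.name, entry.stat(follow_symlinks=False).st_size)
            if kind:
                hits.append((entry.path, kind))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed fixture: both generations of the artefact plus decoys."""
    files = {
        # the 48 bytes from the earlier post's hex dump
        "SBAC9F25C.tmp": b"\xdb\xec\x1e\x6c" + b"\x00" * 20 + b"\xca\xe0\xd7\x4a" + b"\x00" * 20,
        "0123456789ABCDEF": b"\x00" * 48,      # hypothetical 16-char name, size matches
        "0123456789ABCDEG": b"\x00" * 100,     # right shape, wrong size -> ignored
        "notepad.exe": b"MZ" + b"\x00" * 46,   # 48 bytes but an ordinary name -> ignored
        "SBAC9F25C.log": b"\x00" * 48,         # wrong extension -> ignored
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    os.mkdir(os.path.join(root, "system32"))
    with open(os.path.join(root, "system32", "FEDCBA9876543210"), "wb") as f:
        f.write(b"\x00" * 48)                  # one level down -> outside the scan
    return root


def demo():
    """Build the fixture in a temporary directory and return the basenames hit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.basename(p), k) for p, k in triage(tmp)]


if __name__ == "__main__":
    for name, kind in demo():
        print(kind, name)
```

On a real machine the call would be `triage(os.environ["WINDIR"])` rather than the fixture; the size filter is what keeps the 16-character rule from matching legitimate files, so drop it only if there is reason to think the file grew along with the rename.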
