SL7.tmp found by Zone Alarm

Zone Alarm is finding SL7.tmp and sometimes other SL*.tmp files and is
asking for my approval to run.  I can't find, on Google, if this is
legitimate or part of some malware.  Does anyone know what this is?
Thanks........

Re: SL7.tmp found by Zone Alarm


| Zone Alarm is finding SL7.tmp and sometimes other SL*.tmp files and is
| asking for my approval to run.  I can't find, on Google, if this is
| legitimate or part of some malware.  Does anyone know what this is?
| Thanks........

If a TMP is doing something to access the Internet, chances are good it is
malware.


Please submit a sample of "SL7.tmp" (or similar file) to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: SL7.tmp found by Zone Alarm

On Sat, 28 Jul 2007 17:37:33 GMT, "David H. Lipman"

Thank you - let's see what they find!!!!!!!!!

Re: SL7.tmp found by Zone Alarm

On Sat, 28 Jul 2007 17:37:33 GMT, "David H. Lipman"

David, I ran the file I mentioned and all the variations.  None was
positive.  Do you have any other suggestions?  Thanks.........

Re: SL7.tmp found by Zone Alarm

On Sat, 28 Jul 2007 17:37:33 GMT, "David H. Lipman"

Well, I provided SL7.tmp and several variations which I found (and get
once in a while).  None of the AV engines found a problem.  Do you have
any suggestions on where I go from here?  Thanks.........

Re: SL7.tmp found by Zone Alarm



|
| Well, I provided SL7.tmp and several variations which I found (and get
| once in a while).  None of the AV engines found a problem.  Do you have
| any suggestions on where I go from here?  Thanks.........

You'd have to question what ZoneAlarm is indicating or use Ethereal and see what is
emanating from the PC.

You could also try the Sysinternals utility "Process Explorer" and see what is generating
the *.TMP files.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: SL7.tmp found by Zone Alarm

On Sun, 29 Jul 2007 02:14:45 GMT, "David H. Lipman"

Not familiar with Ethereal.

I have Process Explorer - will try this and let you know.

Re: SL7.tmp found by Zone Alarm

On Sun, 29 Jul 2007 02:14:45 GMT, "David H. Lipman"

I'll Google Ethereal.

To use Process Explorer, wouldn't I have to allow the SL*.tmp file to
run?  This would concern me if it is malware.

Re: SL7.tmp found by Zone Alarm

On Sun, 29 Jul 2007 02:14:45 GMT, "David H. Lipman"

Installed Ethereal but am not familiar with it.  How do I use it?

Re: SL7.tmp found by Zone Alarm



| Installed Ethereal but am not familiar with it.  How do I use it?
|

Too complex to explain.  It is a packet decoder and breaks down Ethernet and TCP/IP packets
into the integral parts.

No offense...
If you have to ask, Ethereal is NOT for you.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: SL7.tmp found by Zone Alarm

On Tue, 31 Jul 2007 20:31:22 GMT, "David H. Lipman"

David, something is generating these SL*.tmp files and I'm pretty sure
they are malicious.  How can I find this out for sure?  ZA is stopping
them from running (if I deny them) so, Process Explorer won't show them
(unless I DON'T deny them).  I'm afraid allowing one of them to run
would be a mistake.  ZA says SLF8.tmp is a system file and cannot kill
it - but I can only find this file as a prefetch.  I was able to kill
all the other SL*.tmp files with ZA.  Haven't noticed any adverse
effects with my system yet.  Any other suggestions?  Thanks.......

Re: SL7.tmp found by Zone Alarm



|
| David, something is generating these SL*.tmp files and I'm pretty sure
| they are malicious.  How can I find this out for sure?  ZA is stopping
| them from running (if I deny them) so, Process Explorer won't show them
| (unless I DON'T deny them).  I'm afraid allowing one of them to run
| would be a mistake.  ZA says SLF8.tmp is a system file and cannot kill
| it - but I can only find this file as a prefetch.  I was able to kill
| all the other SL*.tmp files with ZA.  Haven't noticed any adverse
| effects with my system yet.  Any other suggestions?  Thanks.......

Process Explorer is what will identify what is creating the TMP files.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: SL7.tmp found by Zone Alarm

Fruit2O wrote:

zone alarm may be stopping them from running, but is it stopping them
from being created?

process monitor (by the same folks who made process explorer) should be
able to help you figure out what process is *creating* the files (if
appropriate filters are used - otherwise there's just too much to wade
through)...

by the way, does zone alarm not tell you which process is calling these
files? sunbelt personal firewall (formerly kerio personal firewall) has
an application launch whitelist feature which i assume is similar to
what you're seeing with zone alarm, but it tells me not only what
application is trying to launch but also what process is
calling/launching it...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: SL7.tmp found by Zone Alarm

wrote:

Next time an SL*.tmp shows up (via ZA), what should I do to determine
what is launching it?  I don't think ZA tells me what is launching it
(but I'll look again).  I have process explorer.  Should I launch IT
and will it show me the SL*.tmp even if I don't allow it to run with
ZA?  What is different about Process Monitor?  Where can I get it (I've
forgotten where I got Process Explorer)?  Thanks............

Re: SL7.tmp found by Zone Alarm

Fruit2O wrote:
[snip]

process monitor can be gotten from here
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

what it does is monitor file system and registry access in real-time
(basically telling you what processes are doing rather than about the
processes themselves as process explorer does)

what you'd actually have to do with process monitor is run it *before*
any attempt to launch an SL*.tmp file occurs so that you can find out
which process is trying to create the file... for the filter, i'd try
clearing out all the existing filters and then adding these two: 'path
ends with tmp include' and 'path excludes sl exclude'... that should
show everything to do with sl*.tmp files (and perhaps some other temp
files as well)...

in retrospect, filemon (again, same folks) might have been a better
suggestion since it seems to support wildcards - which would have made
for a more straightforward filter... kinda surprised process monitor
doesn't have conventional wildcard support since it's supposed to be a
melding of filemon and regmon, but oh well...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
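
As an added example (not part of any post in this thread): once Process Monitor has captured events, saving them as CSV lets a script apply the file-name wildcard the filter dialog lacks and report which process created or launched each SL*.tmp. The CSV rows, process names and PIDs are constructed, and the column names and Detail strings matched here are assumptions about a default export.

```python
import csv
import fnmatch
import io
import ntpath
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process names, PIDs and paths are illustrative, not data from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.10","msiexec.exe","1432","CreateFile","C:\WINDOWS\TEMP\SL7.tmp","SUCCESS","Disposition: Create, OpenResult: Created"
"9:14:02.15","msiexec.exe","1432","WriteFile","C:\WINDOWS\TEMP\SL7.tmp","SUCCESS","Offset: 0, Length: 4,096"
"9:14:02.30","viewer.exe","2210","CreateFile","C:\Translate\cache.tmp","SUCCESS","Disposition: Create, OpenResult: Created"
"9:14:03.00","msiexec.exe","1432","Process Create","C:\WINDOWS\TEMP\SL7.tmp","SUCCESS","PID: 3316"
"9:14:09.40","scanner.exe","900","CreateFile","C:\WINDOWS\TEMP\SL7.tmp","SUCCESS","Disposition: Open, OpenResult: Opened"
'''

def substring_filters(path):
    """The post's two filters combined: path ends with 'tmp' AND contains 'sl'."""
    p = path.lower()
    return p.endswith("tmp") and "sl" in p

def wildcard_filter(path, pattern="sl*.tmp"):
    """Filemon-style wildcard, applied to the file name only (case-insensitive)."""
    return fnmatch.fnmatchcase(ntpath.basename(path).lower(), pattern)

def attribute(csv_text, keep=wildcard_filter):
    """Map each kept path to the (process, pid) pairs that created or launched it."""
    report = defaultdict(lambda: {"created_by": set(), "launched_by": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not keep(row["Path"]):
            continue
        who = (row["Process Name"], int(row["PID"]))
        # Only count a CreateFile that made a new file, not one that opened it.
        if row["Operation"] == "CreateFile" and "OpenResult: Created" in row["Detail"]:
            report[row["Path"]]["created_by"].add(who)
        elif row["Operation"] == "Process Create":
            report[row["Path"]]["launched_by"].add(who)
    return dict(report)

if __name__ == "__main__":
    for path, info in attribute(SAMPLE_CSV).items():
        print(path, info)
```

Passing `keep=substring_filters` reproduces the two dialog filters and also picks up `C:\Translate\cache.tmp`, the "some other temp files as well" case.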

Re: SL7.tmp found by Zone Alarm

wrote:

Thanks again - I'll try these filters.

Re: SL7.tmp found by Zone Alarm

wrote:

OK, I now have Process Monitor AND Process Explorer installed.  What
would be appropriate filters for Process Monitor?

Re: SL7.tmp found by Zone Alarm

wrote:

OK, in the hope of finding the process that is trying to launch
SL*.tmp, I am going to leave Process Monitor and Process Explorer
running all the time.  Please help me use these tools to find the
culprit - tell me what to do.  Thank you.........

Re: SL7.tmp found by Zone Alarm

I ran into the same problem. Smart Computing was finally able to help
determine that the program involved was Windows updating. I allowed
the program to run and all worked well. When I kept denying, Windows
Installer kept re-trying to install the update over and over,
apparently creating different file names at times.

