Thread: FP? (Win32.Viking.j) C:\WINDOWS\system32\dllcache\arp.exe.tmp and at.exe.tmp

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    8

    Default FP? (Win32.Viking.j) C:\WINDOWS\system32\dllcache\arp.exe.tmp and at.exe.tmp

    My OS is Windows XP Home SP2 with all critical updates installed through the last "Patch Tuesday" (June 12) release from Microsoft.

    I downloaded the June 20 Spybot updates today and proceeded to "check for problems".

    When I returned to my computer an hour later, I was surprised to discover Spybot had detected that the "Win32.Viking.j" worm had infected the following files.

    Win32.Viking.j: Data (File, nothing done)
    C:\WINDOWS\system32\dllcache\arp.exe.tmp

    Win32.Viking.j: Data (File, nothing done)
    C:\WINDOWS\system32\dllcache\at.exe.tmp
    I think this is a FP for several reasons.
    • There is/are June 20, 2007 Spybot S&D definition(s) added for Win32.Viking.j
    • I regularly scan my computer with several reputable anti-malware apps (both AV and AS and occasionally anti-rootkit).
    • The files are located in a Windows protected system files folder and they are the same size as their counterparts that exist in the same folder without the .tmp extension (arp.exe and at.exe).
    • The files also have the same "Modified" date as the .exe files that don't have the .tmp extension.
    • The files' Properties indicate they are Microsoft files.
    • There are several other .exe.tmp files in my dllcache folder with corresponding .exe files that don't have a .tmp extension.
    • I uploaded both files to Jotti's Online Scan and both appear clean according to Jotti.
      (The Jotti Results are shown below.)

    ==========
    Jotti's Online Scan Results

    File: at.exe.tmp
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 9bdf13167fbef8da3a4e9a558b169e5e
    Packers detected:
    -
    Bit9 reports: No threat detected (more info)

    Scanner results
    Scan taken on 21 Jun 2007 02:24:00 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    ==========

    File: arp.exe.tmp
    Status: OK
    MD5: 33f9b0e02d9d93f920605d02fb53f3fd
    Packers detected:
    -
    Bit9 reports: No threat detected (more info)

    Scanner results
    Scan taken on 21 Jun 2007 02:27:53 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    ==========

    I suspect if anyone else compares the MD5 hash values for those files in the C:\WINDOWS\system32\dllcache\ folder of their own Windows XP Home SP2 box, they will find the hash values match. It would be nice to have confirmation however.
    Last edited by Kinobe; 2007-06-21 at 08:05.

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hi,

    this could be a false positive, unfortunately I have no access to a Windows XP Home Edition system to confirm your post.
    Normally the dllcache folder contains the backups of other system files. With Windows XP Professional and Windows 2000 there are no files with exe.tmp in the dllcache folder.


    It would be best if you could also post the md5 of the files without the double file extension or just send all four of them to detections-at-spybot.info (replace -at- with @).
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    From another Windows XP Home system:

    Neither of these two files exist on my system:
    • C:\WINDOWS\system32\dllcache\arp.exe.tmp
    • C:\WINDOWS\system32\dllcache\at.exe.tmp

    I do have the following in dllcache:
    • C:\WINDOWS\system32\dllcache\arp.exe

      Size: 19456
      Version: 5.1.2600.0
      CRC-32: 098BD888
      MD5: 33F9B0E02D9D93F920605D02FB53F3FD
      SHA1: 4A22E401AD5ADB7B3DE8F819E86D8461D764D195

      Time stamp: Wednesday, July 16, 2003 4:24:20 PM
      Creation: Wednesday, July 16, 2003 4:24:20 PM
      Last access: Thursday, June 21, 2007 4:21:54 AM
      Last write: Wednesday, July 16, 2003 4:24:20 PM

      File version: 5.1.2600.0 (xpclient.010817-1148)
      Company name: Microsoft Corporation
      Internal name: arp.exe
      Comments:
      Legal copyright: © Microsoft Corporation. All rights reserved.
      Legal trademarks:
      Original filename: arp.exe
      Product name: Microsoft® Windows® Operating System
      Product version: 5.1.2600.0
      File description: TCP/IP Arp Command

    The arp.exe and at.exe from C:\WINDOWS\system32\:
    • C:\WINDOWS\system32\arp.exe

      Size: 19456
      Version: 5.1.2600.0
      CRC-32: 098BD888
      MD5: 33F9B0E02D9D93F920605D02FB53F3FD
      SHA1: 4A22E401AD5ADB7B3DE8F819E86D8461D764D195

      Time stamp: Wednesday, July 16, 2003 4:24:20 PM
      Creation: Wednesday, July 16, 2003 4:24:20 PM
      Last access: Thursday, June 21, 2007 4:28:46 AM
      Last write: Wednesday, July 16, 2003 4:24:20 PM

      File version: 5.1.2600.0 (xpclient.010817-1148)
      Company name: Microsoft Corporation
      Internal name: arp.exe
      Comments:
      Legal copyright: © Microsoft Corporation. All rights reserved.
      Legal trademarks:
      Original filename: arp.exe
      Product name: Microsoft® Windows® Operating System
      Product version: 5.1.2600.0
      File description: TCP/IP Arp Command

    • C:\WINDOWS\system32\at.exe

      Size: 25088
      Version: 5.1.2600.2180
      CRC-32: 74C88633
      MD5: 9BDF13167FBEF8DA3A4E9A558B169E5E
      SHA1: 9093ADAC07776A7C71B8B795B46A5D9F13F41E95

      Time stamp: Wednesday, August 04, 2004 12:56:48 AM
      Creation: Wednesday, July 16, 2003 4:24:26 PM
      Last access: Thursday, June 21, 2007 4:29:56 AM
      Last write: Wednesday, August 04, 2004 12:56:48 AM

      File version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
      Company name: Microsoft Corporation
      Internal name: AT.EXE
      Comments:
      Legal copyright: © Microsoft Corporation. All rights reserved.
      Legal trademarks:
      Original filename: AT.EXE
      Product name: Microsoft® Windows® Operating System
      Product version: 5.1.2600.2180
      File description: Schedule service command line interface

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    thanks md usa spybot fan,

    since the md5 hashes of the corresponding files are identical we will treat this as a false positive and will remove it from detection with the next update.

    though I am still wondering why there is a backup of a backup
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    8

    Default

    Thanks for your prompt feedback, folks. I will do some investigating and let you know what I discover (or not). In any case, I will follow-up to let you know. I really want to get to the bottom of this anomaly if I can.

    Quote Originally Posted by Yodama:
    though I am still wondering why there is a backup of a backup
    I am wondering also. It's also interesting that Google searches for those file names (arp.exe.tmp and at.exe.tmp) came up with no results.

    Spybot S&D flagged the double-extension files but did not flag the arp.exe and at.exe files in the same folder. Could the double-extensions be related somehow to the way the new (June 20) Spybot definitions for Win32.Viking.j are used to detect the trojan?

    There are other double-extension files in my dllcache folder (.sys.tmp) that were not flagged by Spybot but that is a possible concern as well. (The arp.exe.tmp and at.exe.tmp files are the only double-extension .exe.tmp files in my dllcache folder.)

    I also have perused my dllcache folder on several occasions in the past and I don't recall noticing double extensions there before (which are also hidden as well as the normally-hidden dllcache files).

    My first hunch is those files may have been duplicated when I recently used the CA online virus scanner. Internet Explorer stopped responding on both occasions during the scan (after the ActiveX component had installed and components/definitions were downloaded) so I had to kill the IE process via System Internals' Process Explorer/Windows Task Manager. (I normally use IE only when I have to and I have IE configured to warn me any time an ActiveX component may be downloaded or installed. Firefox 2.0.0.4 is my default browser.)

    My first course of action will be to reboot and check to see if the tmp files have disappeared. Then I will run Windows' System File Checker (Start > Run > sfc /scannow) to see if that gives me any useful information in Event Viewer. After that, who knows what I'll think of to try next? If anyone has any suggestions, I'm all ears.

    Again, I will investigate this and see what I can discover and I will post a follow-up.

    Thanks again!
    Last edited by Kinobe; 2007-06-22 at 04:52.

  6. #6
    Junior Member
    Join Date
    Jun 2007
    Posts
    8

    Default

    BTW, I stated in my first post,
    There are several other .exe.tmp files in my dllcache folder with corresponding .exe files that don't have a .tmp extension.
    That statement is incorrect.

    arp.exe.tmp and at.exe.tmp are the only .exe.tmp files in my dllcache folder. In fact, they are the only .exe.tmp files on both of my hard drives.

    I also have three .sys.tmp files in my dllcache folder.
    • C:\WINDOWS\system32\dllcache\arp1394.sys.tmp
    • C:\WINDOWS\system32\dllcache\asyncmac.sys.tmp
    • C:\WINDOWS\system32\dllcache\atapi.sys.tmp


    I searched my hard drives for *.exe.tmp and *.sys.tmp and the five files I have identified in this thread are the only ones found.

    Since all five of the double-extension files identified in this thread begin with "a", that fact seems to further substantiate my suspicion they might have been created during the CA online virus scans. That may be as far as the CA scan proceeded when IE crashed.

    My hunch also seems to make sense because it seems a virus scanner would have to create copies of files currently in use to access them properly with their detection routines.

    I will look in Event Viewer to see what details I might find about the IE crash events.
    Last edited by Kinobe; 2007-06-22 at 05:25.

  7. #7
    Junior Member
    Join Date
    Jun 2007
    Posts
    8

    Default

    I found only two other double-extension dllcache .tmp files (before shutting down the computer) via searching for *.tmp on my C:\ drive.
    • C:\WINDOWS\system32\dllcache\asctrls.ocx.tmp <--I expect this is an ActiveX control.
    • C:\WINDOWS\system32\dllcache\asferror.dll.tmp


    Then I shut down the computer and booted.

    All the aforementioned double extension *.tmp files apparently disappeared from my dllcache folder. My search for *.tmp turned up nothing in the dllcache folder. I suppose that's good.

    However, I realized (too late) maybe I should have saved renamed copies of all those files before shutting down. Yodama, I also forgot to send them to spybot. I'm very sorry.

    Anyway, I ran sfc /scannow after booting and there are no problems listed in Event Viewer's "System" section between "Windows File Protection" Event 64016 (SFC started) and Event 64017 (SFC finished).

    Then I ran the CA online virus scan again to see if I could reproduce the IE crash and double-extension .tmp files in my dllcache folder.

    Fortunately, IE7 did crash again so it appears I can consistently reproduce the IE7 crash and further investigate that issue if I wish.

    However, the IE7 crash did NOT produce any .tmp files in my dllcache folder. Therefore, it appears it may remain a mystery about how those .tmp files ended up there in the first place.

    Looks like we might have to just chalk this issue up as a "glitch: cause unknown". I will do some Googling on the filenames to see if I can discover anything.

    I am still very curious about why Spybot flagged those two files I named in the title of this thread. Therefore, if someone familiar with the inner workings of Spybot S&D can provide some details, I would greatly appreciate it. If that is privileged information, I will understand that too.
    Quote Originally Posted by Kinobe
    Spybot S&D flagged the double-extension files but did not flag the arp.exe and at.exe files in the same folder. Could the double-extensions be related somehow to the way the new (June 20) Spybot definitions for Win32.Viking.j are used to detect the trojan?
    If I discover what caused those double-extension files to appear in my dllcache folder, then I'll post a follow-up about it.


    BTW, here are the Event Viewer Application error details for the identical IE7 crashes I mentioned earlier (and tonight's crash) in case the information might be useful for someone.

    ==========

    Internet Explorer Crash (during CA online virus scan) Events:

    Event Type: Error
    Event Source: Application Hang
    Event Category: (101)
    Event ID: 1002
    Date: 6/19/2007
    Time: 9:18:19 PM
    User: N/A
    Computer: KINOBE
    Description:
    Hanging application iexplore.exe, version 7.0.6000.16473, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 41 70 70 6c 69 63 61 74 Applicat
    0008: 69 6f 6e 20 48 61 6e 67 ion Hang
    0010: 20 20 69 65 78 70 6c 6f iexplo
    0018: 72 65 2e 65 78 65 20 37 re.exe 7
    0020: 2e 30 2e 36 30 30 30 2e .0.6000.
    0028: 31 36 34 37 33 20 69 6e 16473 in
    0030: 20 68 75 6e 67 61 70 70 hungapp
    0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
    0040: 20 61 74 20 6f 66 66 73 at offs
    0048: 65 74 20 30 30 30 30 30 et 00000
    0050: 30 30 30 000

    ==========

    Here's what Microsoft's "Help and Support Center at http://go.microsoft.com/fwlink/events.asp" had to say.

    Product: Windows Operating System
    ID: 1002
    Source: Application Hang
    Version: 5.2
    Symbolic Name: ER_HANG_LOG
    Message: Hanging application %1, version %2, hang module %3, version %4, hang address 0x%5.

    Explanation
    The indicated program stopped responding. The message contains details on which program and module stopped responding. A matching event with EventID 1001 might also appear in the event log. This matching event displays information about the specific error that occurred.

    User Action
    No user action is required.

    ==========

    There were not any EventID 1001 ERRORS listed in Event Viewer near the times of these two consecutive Application errors.

    The closest "EventID 1001" event prior to those IE crashes is

    Event Type: Information
    Event Source: UPHClean
    Event Category: None
    Event ID: 1001
    Date: 6/19/2007
    Time: 8:09:01 PM
    User: N/A
    Computer: KINOBE
    Description:
    User profile hive cleanup service version 1.6.30.0 started successfully.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ==========

    As I suspected would be the case, the information provided by Microsoft's "Help and Support Center" does not help me understand the IE7 crashes much.
    Last edited by Kinobe; 2007-06-22 at 08:34.

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    thanks for all your info.
    don't mind that you did not send the files, the info you and md usa spybot fan provided was enough to tell that this was a false positive.

    the false positive was a result of a too generously made detection rule

    about the IE7 issue,
    for the time being I am afraid I can't say much about that
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  9. #9
    Junior Member
    Join Date
    Jun 2007
    Posts
    8

    Default

    Yodama, thanks for your follow-up! I am relieved.

    I was going to try copying the at.exe and arp.exe files into my dllcache folder with the .exe.tmp extensions and scan with Spybot to see if I could reproduce the FP. Turns out I didn't have to do that because all 7 of the double-extension files I described earlier are back in my dll cache! They all have MD5 and SHA-1 hash values that match the files without the double-extensions so it appears they are identical in every way apart from the file name. (And, yes, Spybot S&D with the June 20 definitions flagged the same two files.)

    I booted my computer today so perhaps that will help me figure out what causes those double-extension files to be placed in my dllcache. I can recall a little better what I have done since the boot. I'll try to repeat those actions to see if I can nail the culprit.

    If I discover the trigger, I'll follow up.

    ==========

    BTW, md usa spybot fan, I like the format of your hash value results and the helpful additional details provided.

    I use Karen's Hasher to compute hash values. When I paste a Karen's Hasher report into a forum post, I have to edit the post to make the results look clean. Here is how the Karen's Hasher output looks when I paste from my clipboard.
    Karen's Hasher v2.3
    http://www.karenware.com

    Date: 6/26/2007 7:50:50 PM
    Computer: KINOBE
    User: me

    Files Hashed: 4

    File Name MD5 Hash SHA-1 Hash
    C:\WINDOWS\system32\dllcache\arp.exe 33F9B0E02D9D93F920605D02FB53F3FD 4A22E401AD5ADB7B3DE8F819E86D8461D764D195
    C:\WINDOWS\system32\dllcache\arp.exe.tmp 33F9B0E02D9D93F920605D02FB53F3FD 4A22E401AD5ADB7B3DE8F819E86D8461D764D195
    C:\WINDOWS\system32\dllcache\at.exe 9BDF13167FBEF8DA3A4E9A558B169E5E 9093ADAC07776A7C71B8B795B46A5D9F13F41E95
    C:\WINDOWS\system32\dllcache\at.exe.tmp 9BDF13167FBEF8DA3A4E9A558B169E5E 9093ADAC07776A7C71B8B795B46A5D9F13F41E95
    Does your hash utility automatically format hash reports as shown in your post above or did you manually format your post after pasting the report?

    If your hasher automatically formats your results as you have shown, please let me know what utility you use.
    Last edited by Kinobe; 2007-06-27 at 03:09.
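    The check Kinobe did by hand above (hash every double-extension .tmp file in dllcache and compare it with the file it shadows) as an added script; this is not code from the thread or from Spybot, and the function names and the sample files are my own. It runs on a constructed folder in a temp directory rather than the real dllcache, and pass any folder path to check_tmp_duplicates() to scan it for real.

    ```python
    import hashlib
    import tempfile
    from pathlib import Path


    def file_hashes(path):
        """Return (MD5, SHA-1) of a file as upper-case hex, read in chunks."""
        md5, sha1 = hashlib.md5(), hashlib.sha1()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                md5.update(chunk)
                sha1.update(chunk)
        return md5.hexdigest().upper(), sha1.hexdigest().upper()


    def check_tmp_duplicates(folder):
        """Scan `folder` for double-extension *.tmp files (arp.exe.tmp, atapi.sys.tmp, ...).

        Returns {tmp_name: (verdict, tmp_hashes, base_hashes)} where verdict is
        "match"    - byte-identical to the file it shadows (the thread's FP case),
        "mismatch" - same name, different content: worth a closer look,
        "no_base"  - no corresponding file without the .tmp extension exists.
        Plain foo.tmp files (no inner extension) are skipped.
        """
        results = {}
        for tmp in sorted(Path(folder).glob("*.tmp")):
            base = tmp.with_suffix("")          # arp.exe.tmp -> arp.exe
            if base.suffix == "":               # plain.tmp -> plain: not a double extension
                continue
            tmp_hashes = file_hashes(tmp)
            if not base.is_file():
                results[tmp.name] = ("no_base", tmp_hashes, None)
                continue
            base_hashes = file_hashes(base)
            verdict = "match" if tmp_hashes == base_hashes else "mismatch"
            results[tmp.name] = (verdict, tmp_hashes, base_hashes)
        return results


    def demo():
        """Build a constructed dllcache-like folder and scan it (sample data, not real binaries)."""
        with tempfile.TemporaryDirectory() as d:
            folder = Path(d)
            body = b"MZ constructed arp.exe body"
            (folder / "arp.exe").write_bytes(body)
            (folder / "arp.exe.tmp").write_bytes(body)              # identical copy -> match
            (folder / "at.exe").write_bytes(b"MZ constructed at.exe body")
            (folder / "at.exe.tmp").write_bytes(b"MZ constructed at.exe body PATCHED")  # -> mismatch
            (folder / "asferror.dll.tmp").write_bytes(b"orphan")    # no base file -> no_base
            (folder / "plain.tmp").write_bytes(b"not a double extension")  # skipped
            return check_tmp_duplicates(folder)


    if __name__ == "__main__":
        for name, (verdict, tmp_h, base_h) in demo().items():
            print(f"{verdict:9} {name}  MD5={tmp_h[0]}")
    ```
    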

  10. #10
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Quote Originally Posted by Kinobe:
    BTW, md usa spybot fan, I like the format of your hash value results and the helpful additional details provided.

    ...

    Does your hash utility automatically format hash reports as shown in your post above or did you manually format your post after pasting the report?

    If your hasher automatically formats your results as you have shown, please let me know what utility you use.
    It is an edited version of the output but most of the formatting is already done. The program is Patrick Kolla's FileAlyzer, from:

    This item:
    • FileAlyzer 1.5.5.0 - product description
      md5: 5B6A85F0B84A1979BF00A81095D4F148

      A tool to analyse and display file contents.
      For advanced users.

    Direct download:

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
