SL7.tmp found by Zone Alarm

Fruit2O

Zone Alarm is finding SL7.tmp and sometimes other SL*.tmp files and is
asking for my approval to run. I can't find, on Google, if this is
legitimate or part of some malware. Does anyone know what this is?
Thanks........
 
David H. Lipman

From: "Fruit2O" <[email protected]>

| Zone Alarm is finding SL7.tmp and sometimes other SL*.tmp files and is
| asking for my approval to run. I can't find, on Google, if this is
| legitimate or part of some malware. Does anyone know what this is?
| Thanks........

If a TMP is doing something to access the Internet, chances are good it is malware.


Please submit a sample of "SL7.tmp" (or similar file) to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
Fruit2O

From: "Fruit2O" <[email protected]>

| Zone Alarm is finding SL7.tmp and sometimes other SL*.tmp files and is
| asking for my approval to run. I can't find, on Google, if this is
| legitimate or part of some malware. Does anyone know what this is?
| Thanks........

If a TMP is doing something to access the Internet, chances are good it is malware.


Please submit a sample of "SL7.tmp" (or similar file) to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

Thank you - let's see what they find!!!!!!!!!
 
Fruit2O

From: "Fruit2O" <[email protected]>

| Zone Alarm is finding SL7.tmp and sometimes other SL*.tmp files and is
| asking for my approval to run. I can't find, on Google, if this is
| legitimate or part of some malware. Does anyone know what this is?
| Thanks........

If a TMP is doing something to access the Internet, chances are good it is malware.


Please submit a sample of "SL7.tmp" (or similar file) to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

Well, I provided SL7.tmp and several variations which I found (and get
once in a while). None of the AV engines found a problem. Do you have
any suggestions on where I go from here? Thanks.........
 
David H. Lipman

From: "Fruit2O" <[email protected]>


|
| Well, I provided SL7.tmp and several variations which I found (and get
| once in a while). None of the AV engines found a problem. Do you have
| any suggestions on where I go from here? Thanks.........

You'd have to question what ZoneAlarm is indicating or use Ethereal and see what is
emanating from the PC.

You could also try the Sysinternals utility "Process Explorer" and see what is generating
the *.TMP files.
 
Fruit2O

From: "Fruit2O" <[email protected]>


|
| Well, I provided SL7.tmp and several variations which I found (and get
| once in a while). None of the AV engines found a problem. Do you have
| any suggestions on where I go from here? Thanks.........

You'd have to question what ZoneAlarm is indicating or use Ethereal and see what is
emanating from the PC.

Not familiar with Ethereal.
You could also try the Sysinternals utility "Process Explorer" and see what is generating
the *.TMP files.

I have Process Explorer - will try this and let you know.
 
Fruit2O

From: "Fruit2O" <[email protected]>


|
| Well, I provided SL7.tmp and several variations which I found (and get
| once in a while). None of the AV engines found a problem. Do you have
| any suggestions on where I go from here? Thanks.........

You'd have to question what ZoneAlarm is indicating or use Ethereal and see what is
emanating from the PC.

I'll Google Ethereal.
You could also try the Sysinternals utility "Process Explorer" and see what is generating
the *.TMP files.

To use Process Explorer, wouldn't I have to allow the SL*.tmp file to
run? This would concern me if it is malware.
 
Fruit2O

From: "Fruit2O" <[email protected]>


|
| Well, I provided SL7.tmp and several variations which I found (and get
| once in a while). None of the AV engines found a problem. Do you have
| any suggestions on where I go from here? Thanks.........

You'd have to question what ZoneAlarm is indicating or use Ethereal and see what is
emanating from the PC.
Installed Ethereal but am not familiar with it. How do I use it?
 
Fruit2O

Why don't you open it in notepad and see if there's any visible text?

Thanks - I didn't think of that. NOTE: I used ZA to kill all the
variations of SL*.tmp (except one, SLF8.tmp, which ZA says is a system
file and cannot kill). I suspect, though, that some sort of
malware is generating these files and the next time I see a ZA warning,
I'll use Notepad. The one that ZA can't kill is SLF8.tmp. I can only
find it as a prefetch file. I dragged it into Notepad but got no
readable text.
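Two of the suggestions in this thread, submitting the file to VirusTotal and opening it in Notepad to look for text, can both be done more safely and more reliably with a short script, and neither requires letting the file run. What follows is an added example in Python 3; it is not code from the thread or from any of the tools named in it. It lists SL*.tmp files in a directory, computes a SHA-256 (a hash can be searched for on VirusTotal without handing the sample to every vendor), classifies each file by its magic bytes (an MZ/PE header means it is an executable no matter what the extension says; a SCCA signature at offset 4 is a Windows prefetch file, which is what the SLF8.tmp entry under the Prefetch folder is), and extracts printable ASCII and UTF-16LE strings, which is what Notepad was being used for and cannot do for a binary. The sample files it builds (`make_samples`) are constructed for the demo and are not the files from the thread; the URL in them is a placeholder.

```python
import hashlib
import json
import re
import struct
import tempfile
from pathlib import Path

MIN_STRING_LEN = 6


def sha256_of(path):
    """Hash the file so it can be looked up (e.g. on VirusTotal) without uploading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_kind(data):
    """Classify by magic bytes; the .tmp extension says nothing about the content."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe-executable"
        return "dos-executable"
    if data[4:8] == b"SCCA":          # Windows prefetch (.pf) signature
        return "prefetch"
    if data[:4] == b"MAM\x04":        # compressed prefetch (Windows 10 and later)
        return "prefetch-compressed"
    return "unknown"


def printable_strings(data, min_len=MIN_STRING_LEN):
    """ASCII and UTF-16LE runs; Notepad only shows the former and chokes on binaries."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in wide_runs]


def find_sl_tmp(directory):
    """The SL*.tmp pattern from the thread (Path.glob is case-sensitive off Windows)."""
    return sorted(str(p) for p in Path(directory).glob("SL*.tmp"))


def triage(paths, max_strings=20):
    """Hash, classify and string-dump each file; nothing here executes it."""
    report = {}
    for p in paths:
        data = Path(p).read_bytes()
        report[Path(p).name] = {
            "size": len(data),
            "sha256": sha256_of(p),
            "kind": file_kind(data),
            "strings": printable_strings(data)[:max_strings],
        }
    return report


def make_samples(directory):
    """Constructed sample files for the demo; they are NOT the files from the thread."""
    d = Path(directory)
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    fake_pe = (bytes(hdr) + b"PE\0\0" + b"\0" * 20
               + b"http://example.invalid/update\0\0"   # placeholder URL
               + "kernel32.dll".encode("utf-16-le"))
    (d / "SL7.tmp").write_bytes(fake_pe)
    # Prefetch-like blob: version dword then the SCCA signature, then filler.
    (d / "SLF8.tmp").write_bytes(b"\x11\0\0\0SCCA" + bytes(range(256)))
    return [str(d / "SL7.tmp"), str(d / "SLF8.tmp")]


def demo():
    """Build the constructed samples in a scratch directory and triage them."""
    workdir = tempfile.mkdtemp()
    make_samples(workdir)
    found = find_sl_tmp(workdir)
    return {"found": [Path(p).name for p in found], "report": triage(found)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it on a real machine, point `find_sl_tmp` at the user's Temp folder (the directory ZoneAlarm names in its prompt) and paste the SHA-256 into a VirusTotal search; a "pe-executable" result for a .tmp that a firewall keeps asking to run is the answer to "is this a program", and the strings often name the dropper or a contacted host.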
 
David H. Lipman

From: "Fruit2O" <[email protected]>


| Installed Ethereal but am not familiar with it. How do I use it?
|
Too complex to explain. It is a packet decoder and breaks down Ethernet and TCP/IP packets
into their integral parts.

No offense...
If you have to ask, Ethereal is NOT for you.
 
Fruit2O

From: "Fruit2O" <[email protected]>


| Installed Ethereal but am not familiar with it. How do I use it?
|

Too complex to explain. It is a packet decoder and breaks down Ethernet and TCP/IP packets
into their integral parts.

No offense...
If you have to ask, Ethereal is NOT for you.

David, something is generating these SL*.tmp files and I'm pretty sure
they are malicious. How can I find this out for sure? ZA is stopping
them from running (if I deny them) so, Process Explorer won't show them
(unless I DON'T deny them). I'm afraid allowing one of them to run
would be a mistake. ZA says SLF8.tmp is a system file and cannot kill
it - but I can only find this file as a prefetch. I was able to kill
all the other SL*.tmp files with ZA. Haven't noticed any adverse
effects with my system yet. Any other suggestions? Thanks.......
 
David H. Lipman

From: "Fruit2O" <[email protected]>


|
| David, something is generating these SL*.tmp files and I'm pretty sure
| they are malicious. How can I find this out for sure? ZA is stopping
| them from running (if I deny them) so, Process Explorer won't show them
| (unless I DON'T deny them). I'm afraid allowing one of them to run
| would be a mistake. ZA says SLF8.tmp is a system file and cannot kill
| it - but I can only find this file as a prefetch. I was able to kill
| all the other SL*.tmp files with ZA. Haven't noticed any adverse
| effects with my system yet. Any other suggestions? Thanks.......

Process Explorer is what will identify what is creating the TMP files.
 
kurt wismer

Fruit2O said:
David, something is generating these SL*.tmp files and I'm pretty sure
they are malicious. How can I find this out for sure? ZA is stopping
them from running (if I deny them) so, Process Explorer won't show them
(unless I DON'T deny them). I'm afraid allowing one of them to run
would be a mistake. ZA says SLF8.tmp is a system file and cannot kill
it - but I can only find this file as a prefetch. I was able to kill
all the other SL*.tmp files with ZA. Haven't noticed any adverse
effects with my system yet. Any other suggestions? Thanks.......

zone alarm may be stopping them from running, but is it stopping them
from being created?

process monitor (by the same folks who made process explorer) should be
able to help you figure out what process is *creating* the files (if
appropriate filters are used - otherwise there's just too much to wade
through)...

by the way, does zone alarm not tell you which process is calling these
files? sunbelt personal firewall (formerly kerio personal firewall) has
an application launch whitelist feature which i assume is similar to
what you're seeing with zone alarm, but it tells me not only what
application is trying to launch but also what process is
calling/launching it...
 
Fruit2O

zone alarm may be stopping them from running, but is it stopping them
from being created?

process monitor (by the same folks who made process explorer) should be
able to help you figure out what process is *creating* the files (if
appropriate filters are used - otherwise there's just too much to wade
through)...

by the way, does zone alarm not tell you which process is calling these
files? sunbelt personal firewall (formerly kerio personal firewall) has
an application launch whitelist feature which i assume is similar to
what you're seeing with zone alarm, but it tells me not only what
application is trying to launch but also what process is
calling/launching it...

Next time an SL*.tmp shows up (via ZA), what should I do to determine
what is launching it? I don't think ZA tells me what is launching it
(but I'll look again). I have process explorer. Should I launch IT
and will it show me the SL*.tmp even if I don't allow it to run with
ZA? What is different about Process Monitor? Where can I get it (I've
forgotten where I got Process Explorer)? Thanks............
 
Fruit2O

zone alarm may be stopping them from running, but is it stopping them
from being created?

process monitor (by the same folks who made process explorer) should be
able to help you figure out what process is *creating* the files (if
appropriate filters are used - otherwise there's just too much to wade
through)...

by the way, does zone alarm not tell you which process is calling these
files? sunbelt personal firewall (formerly kerio personal firewall) has
an application launch whitelist feature which i assume is similar to
what you're seeing with zone alarm, but it tells me not only what
application is trying to launch but also what process is
calling/launching it...



OK, I now have Process Monitor AND Process Explorer installed. What
would be appropriate filters for Process Monitor?
 
Fruit2O

zone alarm may be stopping them from running, but is it stopping them
from being created?

process monitor (by the same folks who made process explorer) should be
able to help you figure out what process is *creating* the files (if
appropriate filters are used - otherwise there's just too much to wade
through)...

by the way, does zone alarm not tell you which process is calling these
files? sunbelt personal firewall (formerly kerio personal firewall) has
an application launch whitelist feature which i assume is similar to
what you're seeing with zone alarm, but it tells me not only what
application is trying to launch but also what process is
calling/launching it...

OK, in the hope of finding the process that is trying to launch
SL*.tmp, I am going to leave Process Monitor and Process Explorer
running all the time. Please help me use these tools to find the
culprit - tell me what to do. Thank you.........
 
kurt wismer

Fruit2O said:
Next time an SL*.tmp shows up (via ZA), what should I do to determine
what is launching it? I don't think ZA tells me what is launching it
(but I'll look again). I have process explorer. Should I launch IT
and will it show me the SL*.tmp even if I don't allow it to run with
ZA? What is different about Process Monitor? Where can I get it (I've
forgotten where I got Process Explorer)? Thanks............

process monitor can be gotten from here
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

what it does is monitor file system and registry access in real-time
(basically telling you what processes are doing rather than about the
processes themselves as process explorer does)

what you'd actually have to do with process monitor is run it *before*
any attempt to launch an SL*.tmp file occurs so that you can find out
which process is trying to create the file... for the filter, i'd try
clearing out all the existing filters and then adding these two: 'path
ends with tmp include' and 'path excludes sl exclude'... that should
show everything to do with sl*.tmp files (and perhaps some other temp
files as well)...

in retrospect, filemon (again, same folks) might have been a better
suggestion since it seems to support wildcards - which would have made
for a more straight forward filter... kinda surprised process monitor
doesn't have conventional wildcard support since it's supposed to be a
melding of filemon and regmon, but oh well...
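The filter described above gives a reduced live view, but for a prompt that only shows up "once in a while" the more practical workflow is to let Process Monitor capture to a backing file and answer the two questions in this thread afterwards: which process *creates* SL*.tmp, and which process tries to *launch* it. Both show up in the capture whether or not ZoneAlarm is allowed to let the file run, because the creating process's CreateFile/WriteFile calls happen before any launch attempt. The following is an added example in Python 3, not code from the thread or from Sysinternals. It reads a Process Monitor CSV export (its default columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail), applies the wildcard match that the filter dialog lacks, and reports creators and launchers. The CSV rows in `SAMPLE_CSV` are constructed to look like such an export and are not a capture from the poster's machine; the process names, PIDs and paths in them are made up.

```python
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed Process Monitor CSV export (File > Save..., "Comma-Separated Values").
# Every row is made up for this example; none of it is a real capture.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:02.1234567 AM","explorer.exe","1720","QueryOpen","C:\\WINDOWS\\Prefetch\\SLF8.TMP-0A1B2C3D.pf","SUCCESS","CreationTime: 9/1/2007 9:40:58 AM"
"9:41:03.0000001 AM","svchost.exe","1044","CreateFile","C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\SL7.tmp","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
"9:41:03.0000500 AM","svchost.exe","1044","WriteFile","C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\SL7.tmp","SUCCESS","Offset: 0, Length: 24,576"
"9:41:03.2000000 AM","svchost.exe","1044","Process Create","C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\SL7.tmp","SUCCESS","PID: 2280, Command line: ""C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\SL7.tmp"""
"9:41:04.0000000 AM","winword.exe","2512","CreateFile","C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\~WRL0001.tmp","SUCCESS","Desired Access: Generic Read/Write, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"9:41:05.0000000 AM","explorer.exe","1720","CreateFile","C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\SL7.tmp","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
'''


def parse_export(text):
    """Read the CSV export into dicts keyed by Process Monitor's default column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _matches(path, pattern):
    # Case-insensitive wildcard match on the file name only (NTFS is case-insensitive).
    return fnmatch.fnmatchcase(_basename(path).lower(), pattern.lower())


def find_creators(rows, pattern="SL*.tmp"):
    """(process name, PID) -> paths it created that match the pattern.

    Only a CreateFile whose Detail reports 'OpenResult: Created' is a new file;
    plain opens ('OpenResult: Opened') are ignored so that mere readers of the
    file (Explorer, the AV scanner, ZoneAlarm itself) do not get blamed.
    """
    creators = defaultdict(list)
    for row in rows:
        if (row["Operation"] == "CreateFile"
                and "OpenResult: Created" in row["Detail"]
                and _matches(row["Path"], pattern)):
            creators[(row["Process Name"], int(row["PID"]))].append(row["Path"])
    return dict(creators)


def find_launches(rows, pattern="SL*.tmp"):
    """Who tried to execute a matching file: Procmon logs 'Process Create' on the parent."""
    return [(row["Process Name"], int(row["PID"]), row["Path"])
            for row in rows
            if row["Operation"] == "Process Create" and _matches(row["Path"], pattern)]


def summarize(text, pattern="SL*.tmp"):
    rows = parse_export(text)
    return {"created_by": find_creators(rows, pattern),
            "launched_by": find_launches(rows, pattern)}


if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    for (proc, pid), paths in result["created_by"].items():
        print(f"{proc} (PID {pid}) created: {', '.join(paths)}")
    for proc, pid, path in result["launched_by"]:
        print(f"{proc} (PID {pid}) launched: {path}")
```

To produce the input on the affected machine, start a capture to disk (`procmon.exe /AcceptEula /Minimized /BackingFile capture.pml`), wait for the next ZoneAlarm prompt, stop it (`procmon.exe /Terminate`), then convert (`procmon.exe /OpenLog capture.pml /SaveAs capture.csv`) and feed `capture.csv` to `summarize`. A service host like svchost.exe showing up as the creator is not an answer by itself: the next step is the loaded DLLs and the service it hosts, which Process Explorer will show for that PID.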
 
Fruit2O

process monitor can be gotten from here
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

what it does is monitor file system and registry access in real-time
(basically telling you what processes are doing rather than about the
processes themselves as process explorer does)

what you'd actually have to do with process monitor is run it *before*
any attempt to launch an SL*.tmp file occurs so that you can find out
which process is trying to create the file... for the filter, i'd try
clearing out all the existing filters and then adding these two: 'path
ends with tmp include' and 'path excludes sl exclude'... that should
show everything to do with sl*.tmp files (and perhaps some other temp
files as well)...

in retrospect, filemon (again, same folks) might have been a better
suggestion since it seems to support wildcards - which would have made
for a more straight forward filter... kinda surprised process monitor
doesn't have conventional wildcard support since it's supposed to be a
melding of filemon and regmon, but oh well...

Thanks again - I'll try these filters.
 
