GLB3.tmp help

I got a message this morning saying Shockwave Player had an update, so I installed it, but then it started saying GLB3.tmp wanted internet access. Is it safe, or should I have been more careful?

PS: My computer booted up to the login screen but the mouse and keyboard wouldn’t respond, so I had to restart manually. Does anyone know what could have caused this, and would restarting manually at the login screen corrupt any data?

Firstly, I’m surprised you have a .tmp file trying to gain internet access; that is strange to me, as you wouldn’t associate a .tmp file type with an executable requiring internet access.

Lots of hits on Google, and not good: http://www.google.com/search?q=GLB3.tmp.
See http://spywaredlls.prevx.com/RRBGGB141676/GLB3.TMP.html.

You should upload the sample to VirusTotal and also send it to avast before dealing with it.

I don’t know if the Shockwave Player update notification was a ruse to get you to install something or not, but if I got such a notification I would check out the site and not simply click on a link to update; you have no idea what that link might be.

If I have sent the right file to virustotal.com, then it says it’s clear; Ad-Aware also appears to confirm this, but what should I do to double-check?

A message from whom/where?

I’ve seen ‘Storm’ e-mails claim I needed a Flash update to view an e-card; the ‘update’ was a Zhelatin/Tibs variant, of course.

Were you following a link in an e-mail?

I think David is right to suspect that this was some sort of ruse.

It was an installation screen on boot-up. I’m kicking myself now for being stupid; I hope it’s genuine.

I got this message too from ZoneAlarm when I installed Shockwave Player and YM. I granted it access to connect to the internet and it didn’t cause me any trouble. I think it’s safe…

sanctuary24,

You can congratulate yourself for having a Firewall installed and spotting the suspicious attempt to connect. If you blocked it, you can go further and give yourself a pat on the back rather than a kick. If you didn’t block it, well at least we know it’s there…

I suspect this must be some sort of Trojan downloader. Run the usual scanners:

AVG Anti-Spyware Free (Requires Win2k/XP)
Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

I would also suggest you post a HijackThis! log.

MeDIeVaL, I’m not so sure. See here:

http://virusinfo.prevx.com/pxparall.asp?PXC=3f7219204403

I think we should check it out anyway. Can you see in your log where the file was trying to connect? Or can you adjust your firewall settings so that your firewall tells you the IP address next time?

Below is the entry from my logs:

Date/Time: 2007-09-20 14:15:52
Severity: High
Reporter: Application Monitor
Description: Suspicious Behaviour (GLB3.tmp)
Application: C:\Documents and Settings\USER\Local Settings\Temp\GLB3.tmp
Parent: C:\Documents and Settings\USER\Local Settings\Temp\setup.exe
Protocol: UDP Out
Destination: 212.139.132.25::dns(53)
Details: C:\Documents and Settings\USER\Local Settings\Temp\GLB3.tmp is an invisible application

I noticed it mentions setup; this could be from the Shockwave installation, but that doesn’t mean it’s genuine.
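As an added example (not code from the thread), here is a small Python parser for the Application Monitor entry posted above, with the triage checks a reviewer would apply to it: whether the executable lives in a Temp folder, whether its parent is a generic setup.exe, and whether the logged traffic was only a DNS lookup (in which case the resolver address, not the real target, is what the firewall recorded). The sample entry is reconstructed from the post, with its fields run together as they appeared.

```python
import re

# Constructed sample: the Application Monitor entry posted in the thread, with
# its fields run together exactly as they appeared.
SAMPLE_ENTRY = (
    "Date/Time :2007-09-20 14:15:52Severity :HighReporter :Application Monitor"
    "Description: Suspicious Behaviour (GLB3.tmp)"
    "Application: C:\\Documents and Settings\\USER\\Local Settings\\Temp\\GLB3.tmp"
    "Parent: C:\\Documents and Settings\\USER\\Local Settings\\Temp\\setup.exe"
    "Protocol: UDP OutDestination: 212.139.132.25::dns(53)"
    "Details: C:\\Documents and Settings\\USER\\Local Settings\\Temp\\GLB3.tmp is an invisible application"
)

FIELDS = ("Date/Time", "Severity", "Reporter", "Description", "Application",
          "Parent", "Protocol", "Destination", "Details")
_SPLIT = re.compile(r"(?=(?:%s) ?:)" % "|".join(re.escape(f) for f in FIELDS))

def parse_entry(text):
    """Split just before each field name (optional space, then colon) into {field: value}."""
    entry = {}
    for chunk in _SPLIT.split(text):
        if chunk.strip():
            name, _, value = chunk.partition(":")
            entry[name.strip()] = value.strip()
    return entry

def destination_ip(entry):
    """Resolver the lookup went to; the name being resolved is not in this log."""
    m = re.match(r"(\d{1,3}(?:\.\d{1,3}){3})", entry.get("Destination", ""))
    return m.group(1) if m else ""

def is_dns_only(entry):
    """True when the flagged traffic was one outbound UDP packet to port 53."""
    proto = entry.get("Protocol", "").upper()
    return proto.startswith("UDP") and entry.get("Destination", "").endswith("(53)")

def triage(entry):
    """Indicators a reviewer weighs before calling the alert benign."""
    app = entry.get("Application", "").lower()
    parent = entry.get("Parent", "").lower()
    findings = []
    if app.endswith(".tmp"):
        findings.append("executable carries a .tmp extension")
    if "\\temp\\" in app:
        findings.append("executable runs from a Temp folder")
    if parent.endswith("\\setup.exe") and "\\temp\\" in parent:
        findings.append("parent is a generic setup.exe in Temp (installer context)")
    if is_dns_only(entry):
        findings.append("only a DNS lookup was seen; the real target is unknown")
    return findings
```

Running `triage(parse_entry(SAMPLE_ENTRY))` lists all four indicators for the posted entry; none of them proves the file is malicious, which is why the thread goes on to ask for a HijackThis log rather than judging from the firewall alert alone.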

Now I know what it is. Sorry Frank, it’s not possible to say where it connects to. In the ZoneAlarm log I’ve just found this. It was used when I installed YM. There’s more, but I don’t find any in the ZoneAlarm log. Furthermore, no security application on my system gave a single warning about it except ZoneAlarm. And I can’t upload it anywhere because I clean my Temp folder regularly. Maybe sanctuary24 can… just find it in your C:\WINDOWS\Temp folder.

http://www.geocities.com/solutem/untitled.JPG

sanctuary24,

Well, it looks like an innocent DNS request to me, but my knowledge of these things is very limited.

It wasn’t an attempt to access a site in Ukraine anyway.

(Apologies to any users in the Ukraine, but a lot of bad servers are found there.)

MeDIeVaL,

It might be something innocent, and not the PrevX nasty at all, but worth checking out.

I don’t know what it really is, but anyway, thanks Frank for reminding me. But the real problem here is when the threat comes along with a trusted program???

Just tried to find it and it appears to have vanished, yet it has a prefetch file named after it.

That’s not worrying. Can you post a HijackThis! log?

Now I remember… Frank, can it be connected?

See topic:

http://forum.avast.com/index.php?topic=30137.msg248801#msg248801

Well, flash.10.exe certainly wasn’t a legit Flash file.

If you both posted HijackThis! logs we could probably clear this up!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:35 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\ATKKBService.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Vista Drive Icon\DrvIcon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\WINDOWS\system32\DllHost.exe
D:\Program Files\Windows Media Player\setup_wm.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Implements TweakBHO - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - D:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DrvIcon] D:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RocketDock] "D:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = D:\Program Files\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = D:\Program Files\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 9817 bytes

My HJT log. I don’t think you can find anything suspicious because I’ve cleaned it up…

Well, I can’t see anything fishy.

Maybe a program running at startup is checking for updates, for some reason using a temp file to connect?

I would check your start-up entries if you are still concerned about it. Look for updaters. You can use a program like this:

http://www.snapfiles.com/get/starter.html

If you find something like Yahoo! toolbar/Adobe Flash updater, disable it temporarily and see if that stops the firewall warnings. If it does, you can re-enable the updater without worrying, if you want to receive updates.

The program installed successfully and found nothing fishy. My system is running normally, and the same goes for my start-up programs. The GLB file just exists when you do some updates or install YM, Flash or Shockwave Player, and it’ll vanish just like that after you’ve completed the process. Just a few of them you need to remove manually…

False alarm then. Glad to hear everything’s OK.