multiple plugtmp-1, plugtmp-2 etc. in local\temp folder stay; crossdomain.xml and other files containing visited website names created while private browsing
OS = Windows 7
When I visit a site like youtube with private browsing enabled and with the add-on named "shockwave flash" installed in the firefox add-on list, and activate the flashplayer by going to a video, the following files are created in the folder C:\Users\MyUserName\AppData\Local\Temp\plugtmp-1
plugin-crossdomain.xml plugin-strings-nl_NL-vflLqJ7vu.xlb
The contents of plugin-crossdomain contain both the "youtube.com" address and "s.ytimg.com", and are as follows:
<cross-domain-policy>
    <allow-access-from domain="s.ytimg.com"/>
    <allow-access-from domain="*.youtube.com"/>
</cross-domain-policy>
The contents of the other file I will spare you, because I think those are less common when I visit other sites, but I certainly don't trust the file. The crossdomain.xml I see when I visit most other flashplayer sites as well.
I've also noticed multiple plugin-crossdomain-1.xml and onwards in numbers. I just clicked a youtube video to test, got 6 of them in my temp plus a file named "plugin-read2" (no more NL file because I changed my country; don't know how youtube knows where I'm from, but that's another subject, don't like that either). I just noticed one with a different code:
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>
So I guess this one compromises my browsing history a bit less since it doesn't contain a web address. If these files are even meant to be deposited in my local\temp folder. The bigger problem occurs when they stay there even after using private browsing, after clearing history, after clearing temporary internet files, cache, whatever you can think of. Which they do in my case: I've got more than 50 plugtmp-# folders in the previously mentioned local\temp folder containing all the website names I visited in the last months. There is a variety of files in them, mostly ASP and XML, some just say "file". I have yet to witness such a duplicate folder creation since I started checking my temp (perhaps when firefox crashes? I'd say I've had about 50 crashes in recent months).
I started checking my temp because of the following Microsoft Security Essentials warnings I received on 23-4-12:
Exploit:Java/CVE-2010-0840.HE
containerfile:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp file:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp->pong/reversi.class
and...
Exploit:Java/CVE-2008-5353.ZT
containerfile:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp file:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp->Testability.class
Microsoft Security Essentials informed me that these files were quarantined and deleted, but when going to my temp file they were still there. I deleted them manually and began the great quest of finding out what the multiple gigabytes of other files and folders were doing in that temp folder and not being deleted with the usual clearing options within firefox (and IE).
Note that I have set my adobe flashplayer settings to the most private and intense I could think of while doing these tests (don't allow data storage for all websites, disable peer-to-peer stuff, don't remember exactly anymore, etc.). I found it highly suspicious that I needed to change these settings online on an adobe website, is that correct? When right-clicking a video only limited privacy options are available, which is why I tried the website thing.
After the initial discovery of the java exploit (which was discovered by MSE shortly after I installed and started my first scan with Malwarebytes, which in turn made me suspicious whether I had even downloaded the right Malwarebytes, but no indication in the filename if I google it). Malwarebytes found nothing, MSE found nothing after it said it removed the files, yet it didn't remove them; manually scanning these jar_cache files with both Malwarebytes and MSE resulted in nothing. Just to be sure, I deleted them anyway like I said earlier. No new jar_cache files have been created, no exploits detected since then. CCleaner has cleaned most of my temp folder, I did the rest, am blocking all cookies (except for now, shortly), and the noscript add-on has been running a while on my firefox (V 3.6.26) to block most javascripts except from sites like youtube. I've had almost the same problem using similar manual solutions a couple of months ago, and a couple of months before that (clearing all the multiple tmp folders, removing or renaming jar_cache manually, running various antimalware software, full scan not finding a thing afterwards, installing extra add-ons to increase my security; this time it's BetterPrivacy, which I found through a mozilla firefox https connection, I hope, which showed me nicely how adobe flash was still storing LSO's even after setting all storage settings to 0 kb and such on the adobe website. Enabling private browsing in firefox crushed those little trolls, but still plugtmp trolls are being created; help me crush them please, they confuse me when I'm looking for a real threat, but I still want to use flash. IE doesn't need those folders and files, or does it store them somewhere else?).
I'm sorry for the long story and many questions, hope it doesn't scare you away from helping me fight this. I suspect it's people wanting to belong to the hackergroup Anonymous who are doing this to my system and repeating their tricks (or the virus is still there, but I've done many antivirus scans with different programs, so no need to suggest that option to me; they don't find it or I run into it after a while again, so far I have not seen jar_cache show up). Obviously, you may focus on the questions pertaining to firefox and plugtmp folders, but if you can help me with any information regarding those exploits I would be extremely grateful. I've read a lot, but there isn't much specific information for checking where it comes from when all the anti-virus scanners don't detect anything anymore and don't block it incoming. I also have downloaded and installed process monitor, but it crashes when I try to run it. The first time I tried to run it, it lasted the longest; now it crashes after a few seconds. I just saw the number of events run up to almost a million and lots of cpu usage. When it crashed everything returned back to normal, or at least that's what I'm supposed to think I guess. I'll follow up on that one on their forum, but you can tell me if the program is legit or not (it has a Microsoft digital signature, or the name Microsoft is used in that signature).
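An added example, not part of the post above and not code from Mozilla or Adobe: a small Python script that walks a Local\Temp folder, finds every plugtmp-N subfolder, parses the plugin-crossdomain*.xml files inside and lists which website names they disclose. A policy that only allows "*" names no site, so it is reported as revealing nothing, which is the distinction the post makes between the youtube policy and the wildcard one. The folder and file names (plugtmp-1, plugin-crossdomain.xml, plugin-read2) follow the post; the sample folders the script creates in build_sample_temp() are constructed here for the demonstration, and point inventory_plugtmp() at the real C:\Users\<you>\AppData\Local\Temp to check an actual machine.

```python
"""Inventory leftover Flash plugtmp-N folders and report the website names
their plugin-crossdomain*.xml files reveal.

Added example, not from the original post. Folder/file names follow the
post; the sample files written by build_sample_temp() are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# The two policies quoted in the post, reused here as constructed sample files.
YOUTUBE_POLICY = (
    '<cross-domain-policy>'
    '<allow-access-from domain="s.ytimg.com"/>'
    '<allow-access-from domain="*.youtube.com"/>'
    '</cross-domain-policy>'
)
WILDCARD_POLICY = (
    '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
)


def build_sample_temp(root=None):
    """Create a constructed Local\\Temp look-alike with a few plugtmp-N folders."""
    root = root or tempfile.mkdtemp(prefix="fake-local-temp-")
    layout = {
        "plugtmp-1": {"plugin-crossdomain.xml": YOUTUBE_POLICY,
                      "plugin-crossdomain-1.xml": WILDCARD_POLICY,
                      "plugin-read2": "not xml at all"},
        "plugtmp-2": {"plugin-crossdomain.xml": WILDCARD_POLICY},
        # A truncated policy, to show that unparsable files are skipped, not fatal.
        "plugtmp-3": {"plugin-crossdomain.xml": "<cross-domain-policy>"},
    }
    for folder, files in layout.items():
        folder_path = os.path.join(root, folder)
        os.makedirs(folder_path, exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(folder_path, name), "w", encoding="utf-8") as fh:
                fh.write(body)
    return root


def policy_domains(path):
    """Return the domain attributes from a crossdomain.xml file, or None if it is not one."""
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        return None
    root_el = tree.getroot()
    if root_el.tag != "cross-domain-policy":
        return None
    return [el.get("domain", "") for el in root_el.iter("allow-access-from")]


def inventory_plugtmp(temp_root):
    """Map each plugtmp-* folder to the site names its policy files disclose.

    A bare "*" allows every origin and names no site, so it is dropped: such a
    folder reveals nothing about which site was visited.
    """
    report = {}
    for folder in sorted(os.listdir(temp_root)):
        if not folder.startswith("plugtmp-"):
            continue
        folder_path = os.path.join(temp_root, folder)
        revealed = set()
        for name in os.listdir(folder_path):
            if not name.startswith("plugin-crossdomain"):
                continue
            domains = policy_domains(os.path.join(folder_path, name))
            if domains is None:
                continue
            revealed.update(d for d in domains if d != "*")
        report[folder] = sorted(revealed)
    return report


def distinct_domains(report):
    """Every site name the leftover folders disclose: the browsing-history leak."""
    return sorted({d for domains in report.values() for d in domains})


def run_demo():
    """Build the constructed temp folder and inventory it."""
    return inventory_plugtmp(build_sample_temp())


if __name__ == "__main__":
    rep = run_demo()
    for folder, domains in rep.items():
        print(folder, "->", ", ".join(domains) or "(no site name revealed)")
    print("distinct site names:", distinct_domains(rep))
```

The script only reads; deciding what to delete is left to the reader, since the post notes that these folders survive the browser's own clearing options, and a folder whose policies only contain "*" still shows that Flash ran, just not where.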
All Replies (3)
update:
I haven't upgraded my firefox yet because of a "TVU Web Player" plugin that isn't supported in the new firefox and I'm using it occasionally; couldn't find an upgrade for it. Most of my other plugins are upgraded in the green (according to the mozilla website checker):
Java(TM) Platform SE 6 U31 (green)
Shockwave for Director (green - from Adobe I think)
Shockwave Flash (green - why do I even need 2 of these adobe add-ons? Can I remove one? I removed everything else I could find except the reader I think; I found AdobeARM and Adobe Acrobat in several versions, very confusing with names constantly switching around)
Java Deployment Toolkit 6.0.310.5 (green, grrr, again a second java, why do they do this stuff, to annoy people who are plagued with java and flash exploits? Make it more complicated?)
Adobe Acrobat (green, great, it's still there, well I guess this is the reader then)
TVU Web Player for FireFox (grey - mentioned it already)
Silverlight Plug-In (yellow - hardly use it, I think, unless it's automatic without my knowing, perhaps I watched one stream with it once. I'd like to remove it, but just in case I need it, don't remember why I didn't update, perhaps a conflict, perhaps because I don't use it, or it didn't report a threat like java and doesn't create unwanted and history-compromising temp files)
Google Update (grey - can I remove it? What will I lose? Don't remember installing it, and if I didn't, why didn't firefox block it?)
Veetle TV Core (grey)
Veetle TV Player (grey - using this for watching streams on veetle.com, probably needs the Core; deleted the broadcaster that was there earlier, never chose to install that. Can't firefox regulate that when installing different components? Or did I just miss that option and assumed I needed it when I was installing the veetle add-on?)
Well, that's the list I get when checking on your site. When I use my own browser options to check add-ons I get a slightly different and longer list, including a few I have already turned off (which also doesn't seem very secure to me; what's the point in using your site then for anything other than updates?). Here are the differences in MY list:
I can see 2 versions of Java(TM) Platform SE 6 U31, (thanks firefox for not being able to copy-paste this)
one "Classic Java plug-in for Netscape and Mozilla"
the other is "next generation plug-in for Mozilla browsers".
I think I'll just turn off the Netscape and Mozilla one, don't trust it, why would I need 2? There I did it, no crashes, screw java :P
There's also a Mozilla Default plugin listed there. Why does firefox list it there without any further information on whether I need it or not, or whether it really originates from Mozilla firefox? It doesn't even show up when I use your website plugin checker, so is there no easy way, by watching this list, for me to determine I can skip worrying about it?
There are also some old ones that I recently deactivated still listed, like windows live photo gallery; I never remember adding that one either or needing it for anything, and as usual, right-clicking and "visit homepage" is greyed out, just as it is for the many java crap add-ons I encountered so far.
Doing a quick check, the only homepage I can visit is the veetle one. The rest are greyed out. I also have several "Java Console" entries in my extensions tab; I deactivated all but the one with the highest number. Still no Java Console visible though, even after going to start/search "java", clicking the java file and changing the settings there to "show" console instead of "hide" (can't remember exact details).
There are some other extensions from noscript, TVU webplayer again, ADblock Plus and now also BetterPrivacy (sidenote: a default.LSO remains after cleanup, correct? How do I know that one isn't doing anything nasty if its code has been changed or is being changed? To prevent other LSO's I need to use both private browsing and change all kinds of restrictions online for adobe flashplayer; can anyone say absurd!!! if you think you're infected and want to improve your security? Sorry, that rant was against Adobe, but it's really against Anonymous, no offense).
I can only see 1 program called Java in my "remove software" window from windows at the moment (I had more previously, just after the virus). Yet there they are, multiple java-named add-ons in firefox as I described (one turned off now; wanted to delete it as well using remove software, couldn't find it, thank you Oracle, if that's even the real publisher, don't know or trust anything like this).
Don't you agree that having 3 instances of a java oracle (and there were more earlier versions a day ago) and only 1 instance of it in my "remove software" is a bit suspicious behaviour, when you google and find many comments about vulnerabilities in older java versions? So right now I've got 2 active for 1 program installed.
I'm glad Adobe is 3 for 3 right now. I don't think it was. I think I had an additional reader in there somewhere; it gets so confusing, nvm. I'll just shut up and let people think about the information I've given so far and see what kind of information they can help me further with (without telling me to go ask for help on an anti-virus site; I'll do that anyway, but not through my own browser).
edit: 3 instances of java in the add-ons I meant. I have no idea if they're from Oracle since, as I said, "visit homepage" is greyed out.