AlSky

Members
  • Posts

    122
Everything posted by AlSky

  1. Hello. The file I mean is the RAM .dll I'm talking about. @itman made an interesting contribution today that perhaps would be interesting to study. Otherwise, I asked a categorical question and requested an answer of the same kind. Thank you in advance.
  2. Hello, Marcos. Thanks for the answer. Are you sure that in this case I am reporting there is no hidden malware, as in the hypothesis that @itman indicated? I beg for a categorical answer. It's not just that mysterious file that we don't know what it is or what its origin is. Let's look at the background: That file appears in the on-demand scan in mid-June. On approximately the same days, File Explorer begins to open spontaneously every night at 22.13. The existing restore points have disappeared. ESET cannot read the boot sector from external hard drives. On the inability of the ESET product to read the boot sector of external hard disks, ESET Spain technical support has again done the same as with the mysterious file in RAM: they cannot ensure that there is no malware, better to format the external hard disks. (?) At least here you have requested logs from different programs; in the technical support of ESET Spain, no. That's why I want to be sure that the problem is not related to malware. Thank you in advance.
  3. Good afternoon, Marcos, thank you for answering. I sent you by private message an ESET Log Collector log, with all options selected and the original binary collected from disk. Indeed, every time I run an on-demand scan, that file appears. If I reboot the PC, just the file name changes. Each time it has a different name, but the variation is minimal, the basic structure is preserved. The names until now are: mem_19678010000_12860.dll, mem_25E7AE80000_8104.dll, mem_2BE77E60000_10020.dll, mem_2ABFC6D0000_19092.dll, mem_24A649D0000_13936.dll, mem_1883B4E0000_13256.dll, mem_2EBDBEB0000_7668.dll, mem_23A9E280000_13640.dll, mem_1325F220000_5904.dll, mem_178487D0000_5368.dll, mem_20577AC0000_8312.dll, mem_2DA3C590000_2580.dll, mem_198EF470000_6360.dll, mem_27B382B0000_7024.dll. Perhaps that mysterious file is nothing serious, no malware, and I wouldn't worry if, along with the appearance of that file, all restore points had not disappeared, the task manager did not open spontaneously every night at 22.13, and on external hard drives (this is something I discovered recently) there were no read errors in the boot sectors. ESET cannot read boot sectors. Attached screenshots. Can it be a symptom of malware? Itman wrote, about Process Monitor: "If the .dll doesn't load into memory after a system re-boot, this would be a strong indicator of malware activity. Certain malware are "Process Monitor aware" and will not perform malicious activities if it detects Process Monitor running". Is it possible that we are facing this kind of problem? Awaiting your news. Thanks in advance.
  4. Hello there. Any answer or help? The bootlog and logfile were uploaded and sent days ago, but no answer yet. Thanks in advance.
  5. Hello and thank you for answering. I do not know if what I was told by the technical service of ESET Spain is true or not, I only comment here in case anyone knows anything else about it. Nor do I think I currently have any malware in pagefile.sys, hiberfile.sys and swapfile.sys, I simply indicate that the only way for ESET to attempt to scan those sectors and memory (even if it cannot and indicates error 4 unable to open) is to select all the disks and folders in the on-demand scan; if I don't, it does not even try to scan it. And I was told by tech support that that's a product bug. Otherwise, I'm waiting for Marcos' answer about the bootlog and logfile I sent, to see if we can get anything clear about the strange file that keeps appearing. Have a nice day.
  6. Hello and thank you for answering. I sent that same screenshot to ESET technical service, along with others showing that in order for the pagefile.sys, hiberfile.sys and swapfile.sys sectors to appear in the on-demand scan with the "unable to open [4]" in the scan log, it is necessary to make an analysis enabling all the options, all the disks, all the folders. For example, I show in the screenshot: I do not want to scan the folder "Mis imágenes" or the other, "Mi musica", because they are folders that never change or do so rarely, take up a lot of space, and analyzing them takes about 1/3 of the total scan time. A hypothetical malware won't just stay there, where I keep my photos and my songs and music videos, it will infect other more important sectors of the computer. If I disable those options, "Mis imágenes" and "Mi musica", it doesn't show pagefile.sys, hiberfile.sys and swapfile.sys with the "unable to open [4]" at the end. It doesn't seem to analyze the memory either. If I enable all options, yes. The technical service told me in June that it is an ESET product error that will be fixed in the next version. Have I not been told the truth? First screenshot showing what I mean when I talk about disabling some option. Second without enabling all options in the scan. Third screenshot enabling all options. The divergence in scanning or not scanning the pagefile.sys, hiberfile.sys and swapfile.sys sectors is a bug of the ESET product according to tech support and will be solved in a future new version.
  7. Hello. I reported the error to technical support then, and I was told that there was a problem with the ESET web link and that they would fix it. So it seems it was; two days later it was fixed. I did the cloudcar test several times after I was told it was fixed and no files were downloaded to the computer. The files that were downloaded to the computer weighed 7 KB. But none should have been downloaded. I made six or seven attempts, three of them downloaded, as you can see in the screenshot. The other three or four were blocked by the ESET product with a warning screen. These LiveGrid tests, and repeating the on-demand scan over and over again, are due to the fact that since early June I noticed that if I did not enable all on-demand scanning options, the ESET product does not scan pagefile.sys, hiberfile.sys and swapfile.sys, or home/UEFI sectors. You have to mark them all. Why do you have the option to choose which sectors you want to analyze if ESET doesn't do it? These are files that can never be read by ESET (it is normal) and that's why a message with error number 4 (can't be read) usually appears, so I realized that the ESET product should not scan them. In the attached screenshot you can see that by selecting only those sectors for analysis the result is zero detections, zero scanned files. After I sent several logs to the support service and repeated the on-demand scan numerous times, complete and partial, the support service told me that the developers had encountered a problem in the product that will be resolved in the next version of ESET. It was by doing so many on-demand scans (almost daily) that I noticed the appearance of the mysterious file that motivated the current thread.
  8. Thank you for your time. Anyway, although the file may not be malware, how do you explain that more or less since that file started appearing the task manager spontaneously opens every day at 22.13? Or that the restore points disappeared? You said yesterday that it could be, as a conjecture, a case of DLL hijacking. Also, in your first answer you said you have never encountered an instance where the ESET on-demand scan could not scan something in memory. I did find it sometimes, but it happened occasionally, and if I repeated the analysis in one or two days, there was no longer any file that could not be read. However, this file, whatever it is, persists. There is some process that makes it stay there or that creates it every time the computer starts. About the working of the ESET real-time protection, last month I had some problems that I reported to technical service. Doing the test to download cloudcar from the link that ESET indicates to check the functionality of ESET LiveGrid, I came across the ugly surprise that in half the attempts the cloudcar file was downloaded to my computer, when ESET should have blocked it. Cloudcar is harmless, but there is other software that is not. By the way, look at the date of the screenshot, June 15. Soon after, the problem with the mysterious file began. Coincidence? Maybe yes, maybe not. Could the protection of my ESET product have been malfunctioning during those days, putting my computer at risk? Please don't get me wrong. I'm not claiming that file is malware. I'm just saying we don't know what it is and what causes it.
  9. Hello. On your question, I have an Intel Core i7-12650H, but the option you show isn't available in my ESET product. Why? Isn't the ESET product supposed to be the same for all countries?
  10. Hello. Looks like we have a similar problem. Does that file of yours have the same format as what I see? Like mem_2EBDBEB0000_7668.dll. Does it change every time you start the computer? Small changes, some digits. It's easy not to notice it because it seems to be the same, but in my case it changes every time. The truth is that one feels unsafe not knowing if there is something dangerous on the computer. Good luck.
  11. Hello and thank you for the answer. I have sent the logs to Marcos, indicating the forum thread I opened so he can see everything written here. I am waiting to see what he answers. The other user with a similar problem uses a different operating system, and the user of the thread 28800-cleaning-rootkit-problem/ had a similar and different problem at the same time, because his ESET product is able to detect the infection. In my case it only detects a strange file that it cannot open, and there have been some issues in the operation of the computer since then. We'll see what the result is.
  12. Hello again. I'm going now to the house of the person who will let me use his internet connection. I've also made a file log now. I've seen that another user has a similar case. It remains to be known if he is running Windows 11 and if each time the file has a different name (although only a few digits change). Anyway, I have had this computer for almost two months and only for about the last twenty days have I noticed this problem. Previously, on-demand scans (I'm used to doing them weekly) did not show that mysterious file. And let's not forget that, simultaneously, the problems appeared of the task manager that spontaneously opens every day at 22.13 and the restore points that have disappeared. It is possible that it is finally a harmless file and the rest has an explanation, but it is better to be sure.
  13. Thank you very much for the answer. When that person whose home I can go to finishes his working day, within two hours, I will go to his home. I have the bootlog. Do you need a filelog too?
  14. I've found a possible solution. This afternoon I can go to the home of a relative of the person who I said is currently on vacation, to whom I have explained the problem, looking for help. I will upload the file from there and send the data by private message to Marcos. Something important before I do anything. The Malwarebytes instructions for making the bootlog said to wait 10-15 minutes for all Windows processes and other programs to load. After five minutes I started the ESET on-demand scan, I saw that the mysterious file had already been created (like every time the computer starts, with a new name very similar to the previous one) and I finished the bootlog without waiting 15 minutes because the file we want to search for and track was already there. Is it enough or should I repeat the process and wait 15 minutes as the instructions indicate? I would not want to go, disturb someone I don't know personally, upload the file, and then be told that it was useless and I have to repeat the process. Thank you in advance.
  15. Thank you for the answer. I explained myself badly. It's not just about how to upload the file to the ESET forum. The issue is that for a week now, due to a technical incident at the ISP in the area where I live, the internet speed (upload and download) has been dramatically reduced, besides there being random micro-outages. Uploading such a large file to any server is virtually impossible. Nor can I ask a neighbor to let me use their internet connection because they all suffer the same problem. The only person I could ask for help who lives outside the affected area is on vacation and doesn't come back until August. The ISP does not know when it will be able to solve the incident, it could be tomorrow or in ten days. Do you have any other options? Use TeamViewer to remotely check the file on my computer?
  16. The bootlog has a size of almost 4 GB! I don't know how I will upload it.
  17. Okay, thank you. It is that the link in your first answer was to download Process Explorer, and when you told me about Process Monitor I was confused because I didn't know if it was the same thing under another name or not. Now I know they're two different things and I already know where to download Process Monitor. I've done it. In Spain it is already very late, and as I do not know how long it will take me to make the log, tomorrow I will get to it and post it here. Thank you in advance. Al
  18. Good evening and thanks for the answer. Maybe we're not talking about the same thing, but I downloaded SysInternals Process Explorer from the link you indicated in your first message, followed the instructions (fortunately they weren't complicated) and showed a screenshot of the result: no match. No file with that name. But the file is still detected by ESET in the on-demand scan; today I have repeated it and it appears again. Every time with different names, names so similar that until yesterday I didn't realize that some digits of the name change. So this option (download SysInternals Process Explorer, run procexp64.exe as Administrator, select Handle or DLL, write the file name and search) did not work. Is it safe to use Malwarebytes at the same time as ESET? Last time, ESET support discouraged me from using it (in 2022), not even the free version that only works by doing on-demand scanning. A surprising thing, because it was ESET's own technical support that recommended I use it some years ago, but in 2022 they said that things have changed and that Malwarebytes is neither necessary nor useful, apart from the fact that it can interfere with the operation of ESET.
  19. Thanks. Unfortunately, technical support in Spain leaves much scope for improvement. ESET Spain has not told me that I should not worry about that file. ESET Spain said that at first, then nuanced it, stating that they could not ensure that this strange file is or isn't malware because the ESET product can't read it, and without reading it, it isn't possible to remove the doubt. But if I'm worried I can seek help from a specialist malware technician to analyze my computer. This is like saying "don't count on us to solve your problem." It's not serious and I expected more from ESET. You told me yesterday that it could be a case of DLL hijacking. Maybe or maybe not, but it's a possibility that would have to be explored. But how to do it? ESET cannot abandon the customer in this way.
  20. Any other idea and/or help to find out what this strange file is, please?
  21. Hello again. I am adding more information. I had not noticed, but it seems that the name of this mysterious file is different every time: the last one is mem_2EBDBEB0000_7668.dll. I was a fool for not noticing it previously. It seems that each time the computer starts the file is newly created or renamed. You can see it in the first screenshot. I searched Process Explorer, following the instructions, for the last file name, but without success. The second screenshot shows it. Any idea, since ESET's technical service limits itself to saying (not very politely) that they cannot guarantee that my computer is free of malware or whether this file is or is not malware, but that if I have doubts I should seek help from a specialist malware technician to analyze my computer? This is not serious and I expected more from ESET. And yes, "esto correcto" means "this is correct". I am from Spain, my ESET product is in Spanish. Thanks in advance. Al
  22. Good night and thank you for the answer. I am a user with poor computer knowledge beyond basic things, I have no idea how to use that program that you mention. I'll try to see if I can make it work. In any case, you admit that it is unusual that ESET cannot read a file in memory. More reasons to suspect something unusual and that it is necessary to rule out all options, including the option of malware. Tech support didn't tell me anything about ESET's SysInspector. They just told me not to worry about an error when opening files during the scan, and then nuanced that "don't worry" to "we can't guarantee no malware." Thanks. Al
  23. Hello, I am a user of ESET Internet Security 16.1.14.0, running Windows 11, and since the second half of June, in on-demand computer scans, a mysterious file appears that cannot be opened by the antivirus: Registro memoria operativa "mem_1883B4E0000_13256.dll". As you can see in the screenshots, the file has no path, it does not indicate the disk on which it is, unlike what it does with other files, for which it does. I wrote to the ESET technical service and they initially responded that I should not worry, and to ignore files that cannot be opened because they are not infected, they are simply in use by the operating system or another program. I asked how they can tell whether or not it is infected if ESET cannot open and scan it, and, if there was hidden malware, the file could be in use by the malware itself ("or another program"). They replied that they could not guarantee that there is no infection in the computer and that, if I have doubts about it, I could contact a specialist malware technician to analyze my computer and the other devices in my network in depth. I don't think it's serious. Why do you need an antivirus product if they offer you that option when there are doubts about a strange file? Because it's not just that mysterious file that pops up every time I do an on-demand scan. Since that mysterious file began to appear, the file explorer spontaneously opens every night at 22.13. The restore points disappeared, and I had at least four points, so I could not restore the system to a point previous to the appearance of this file. These are strange failures. If you write to Windows Help explaining that you have a strange file and malfunctions in Windows, the first thing they tell you is to make sure you don't have malware on your PC. Should I tell them that the service of my antivirus product tells me that it can't ensure whether there is malware on my computer?
I have tried to perform an on-demand scan immediately after starting the computer without opening any program, not even the file explorer, in case that file was created by some program after opening it, but that file appears anyway, so it is a file created by something that starts with the computer itself (Windows or other, there is a multitude of processes) or that was created at some given time and has not disappeared since then. I have tried looking for it on the computer, selecting the option "Show hidden files and folders," but it does not appear. However, ESET detects it, it exists. At this point, the important thing is to know what that file is, where it is located and especially if it poses a threat. Depending on whether it is a threat or not the actions will be different. Thank you, Al
  24. I'm sorry I haven't written these days, health problems. The problem with RAM usage seemed resolved, but in the last week it has reappeared, although not in the same form. For some reason the ESET product returned to normality and was using an average of 150 MB of RAM, increased slightly during the on-demand scan, and then returned to the 150 MB average. The last two weeks, no. It began increasing again, slowly but persistently, to 260 MB, and it never diminishes, only increases. You can see it in the first screenshot. If every week it increases by around 50 MB of RAM usage I will have the same problem again in some weeks: excessive RAM usage. Second problem. It appeared that the random search for updates issue had been fixed with version 14.1.20.0. But in the last few days I have observed a new randomness. In the second screenshot you can see that the computer was switched on at 22:09 hours and updated (red arrow). It should have searched for updates at 23:09, 00:09... every 60 minutes. But you can see at the yellow arrows that the ESET product searched for updates at 23:58 and has a new search scheduled at 00:58. Both in the task that is configured by default with the ESET product and in the task that I created to compensate for the randomness of the update search. Once more it searches when it wants. No updates of Windows or any other program happened during these last two weeks. I have few programs. The ones I need and no more. And the version of the protection module is already 1425, but the date of compilation is April 16, 2021. In April the 1425 had not been released, it was still the 1423. I could use the 1425 thanks to the pre-release option. Why is the date of release April if it was released in May? And again I have problems with the safe browser.
  25. Hello, Marcos. In theory they did, it was a very long process from July up to February. Sometimes the answers were ridiculous and even contradictory. For example, saying that there is no problem and I was seeing problems where there were none, and then immediately recognizing that there was evidently a synchronization problem. So, there was a problem. Or saying that now the ESET product doesn't search for updates regularly every 60 minutes but randomly (but the product was still showing the search every 60 minutes in settings). And the last one was to say that it could be possible to make a test with something that I wouldn't know how to translate into English (it's a rare technicality), but that they had spent a long time on this matter and closed it. BTW, I have been checking over the last days and version 14.1.20.0 seems to have fixed in some way the ESET synchronization problem that began with version 13.2.14.0 in July. Now, fortunately, it searches for updates every 60 minutes. I know because, despite the task I created to search for updates every 60 minutes, the update task that is configured by default with the product was still looking for updates randomly, so that in 60 minutes it was updated twice: once by the task created expressly and once at random by the task configured by default. Now it searches for updates only every 60 minutes. On the RAM usage, probably many of you faced the problems with Microsoft Outlook two days ago. It was fixed, but it was necessary to reboot the computer... so again the usage of RAM dropped, like after every reboot. I'll see what happens in the next days.