AlSky

Posts posted by AlSky

  1. 5 hours ago, itman said:

    Notwithstanding the internal streams statement, I do know it is possible for an attacker to download a malicious .dll directly into memory as shown here: https://guidedhacking.com/threads/how-to-stream-a-dll-without-touching-disk-encrypted.16940/ . Since the downloads are encrypted, they are not accessible to AV scanning.

    Hello, @itman and thanks for answering.

    Then I really don't know what to think and nobody from ESET seems to know or want to say anything concrete. You pointed to an option where that .dll file or whatever we want to call it, could be malware. ESET says don't worry, it isn't important, there is no malware but they can't explain what that .dll or its origin is, so believing it's not important and not a malware becomes an act of faith. What should I do?

    Thanks in advance.

  2. 7 hours ago, Marcos said:

    By the way, what mysterious file do you mean? I'm asking since that mem*.dll is not a file as explained above.

    Hello. The file I mean is the RAM .dll I'm talking about.

    @itman made an interesting contribution today that perhaps would be interesting to study.

    Otherwise, I asked a categorical question and requested an answer of the same kind.

    Thank you in advance.

  3. 6 hours ago, Marcos said:

    We'll stop reporting errors on internal streams soon, no further logs are needed. It is not a sign of infection.

    Hello, Marcos. Thanks for the answer.

    Are you sure that in this case that I am reporting there is no hidden malware, as in the hypothesis that @itman indicated? I beg for a categorical answer.

    It's not just that mysterious file that we don't know what it is or what its origin is. Let's look at the background:

    That file appears in the on-demand scan in mid-June. On approximately the same days, File Explorer begins to open spontaneously every night at 22.13. The existing restore points have disappeared. ESET cannot read the boot sector from external hard drives.

    On the inability of the ESET product to read the boot sector of external hard disks, ESET Spain technical support has again done the same as with the mysterious file in RAM: they cannot ensure that there is no malware, better to format the external hard disks. (?) At least here you have requested logs from different programs; in the technical support of ESET Spain, no.

    That's why I want to be sure that the problem is not related to malware.

    Thank you in advance.

  4. 44 minutes ago, Marcos said:

    It is not a dll which could not be scanned but an internal virtual stream. Unfortunately we don't have an idea why it could not be scanned so we'd need step-by-step instructions how to reproduce it before we can investigate it on our end. Do you get the error when scanning memory every time you run a scan and also after you've rebooted the machine? Please provide logs collected with ESET Log Collector, at least we will get a list of installed and running applications so we could install them here and see if we get the same error. Definitely it's nothing to worry about and the error can be ignored.

    Good afternoon, Marcos, thank you for answering. I sent you by private message an ESET Log Collector log, with all options selected and original binaries collected from disk.

     

    Indeed, every time I run an on-demand scan, that file appears. If I reboot the PC, the file just changes name. Each time it has a different name, but the variation is minimal; the basic structure is preserved. The names until now are:

    mem_19678010000_12860.dll

    mem_25E7AE80000_8104.dll

    mem_2BE77E60000_10020.dll

    mem_2ABFC6D0000_19092.dll

    mem_24A649D0000_13936.dll

    mem_1883B4E0000_13256.dll

    mem_2EBDBEB0000_7668.dll

    mem_23A9E280000_13640.dll

    mem_1325F220000_5904.dll

    mem_178487D0000_5368.dll

    mem_20577AC0000_8312.dll

    mem_2DA3C590000_2580.dll

    mem_198EF470000_6360.dll

    mem_27B382B0000_7024.dll

     

    Perhaps that mysterious file is nothing serious, no malware, and I wouldn't worry if along with the appearance of that file all restore points disappeared, the task manager opens every night at 22.13 spontaneously and on external hard drives (this is something I discovered recently) there is an error reading the boot sectors. ESET cannot read boot sectors. Attached screenshots.

     

    Can it be a symptom of malware?

     

    Itman wrote, about Process Monitor: "If the .dll doesn't load into memory after a system re-boot, this would be a strong indicator of malware activity. Certain malware are "Process Monitor aware" and will not perform malicious activities if it detects Process Monitor running". Is it possible that we are facing this kind of problem?

     

    Awaiting your news. Thanks in advance.

    Inicio.jpg

    Inicio2.jpg
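
The names listed in this post share one structure, which the following added example (not part of the original post, and not ESET's code) makes explicit by splitting each label into its hexadecimal and decimal fields and checking what the fields have in common. Reading those fields as a memory base address and a process ID is an assumption, since the page does not document the naming scheme; the function names are hypothetical.

```python
import re

# Scan-log labels copied from the post above.
NAMES = [
    "mem_19678010000_12860.dll", "mem_25E7AE80000_8104.dll",
    "mem_2BE77E60000_10020.dll", "mem_2ABFC6D0000_19092.dll",
    "mem_24A649D0000_13936.dll", "mem_1883B4E0000_13256.dll",
    "mem_2EBDBEB0000_7668.dll", "mem_23A9E280000_13640.dll",
    "mem_1325F220000_5904.dll", "mem_178487D0000_5368.dll",
    "mem_20577AC0000_8312.dll", "mem_2DA3C590000_2580.dll",
    "mem_198EF470000_6360.dll", "mem_27B382B0000_7024.dll",
]

# mem_<hex field>_<decimal field>.dll
LABEL_RE = re.compile(r"^mem_([0-9A-Fa-f]+)_(\d+)\.dll$")

# Windows reserves virtual memory on 64 KiB boundaries, and process IDs
# on Windows are multiples of four. Both facts are used as plausibility
# checks for the assumed meaning of the two fields.
ALLOCATION_GRANULARITY = 0x10000
USER_SPACE_LIMIT = 0x7FFFFFFF0000  # top of 64-bit user-mode address space


def parse_label(name):
    """Return (hex_field, decimal_field) as integers, or None if no match."""
    match = LABEL_RE.match(name)
    if match is None:
        return None
    return int(match.group(1), 16), int(match.group(2))


def looks_like_memory_label(name):
    """True if the label fits the assumed <base address>_<PID> reading."""
    parsed = parse_label(name)
    if parsed is None:
        return False
    address, pid = parsed
    return (
        0 < address < USER_SPACE_LIMIT
        and address % ALLOCATION_GRANULARITY == 0
        and pid > 0
        and pid % 4 == 0
    )


def summarize(names):
    """Count how many labels parse and how many pass each check."""
    parsed = [p for p in (parse_label(n) for n in names) if p is not None]
    return {
        "total": len(names),
        "parsed": len(parsed),
        "aligned_64k": sum(1 for a, _ in parsed if a % ALLOCATION_GRANULARITY == 0),
        "pid_multiple_of_4": sum(1 for _, p in parsed if p % 4 == 0),
        "distinct": len(set(parsed)),
        "all_consistent": all(looks_like_memory_label(n) for n in names),
    }


if __name__ == "__main__":
    for key, value in summarize(NAMES).items():
        print(f"{key}: {value}")
```

All 14 labels pass both checks, which is consistent with a label generated for a memory region at scan time, changing with each boot, rather than with a file name stored on disk.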

  5. 14 hours ago, itman said:

    We'll have to wait and see. I am skeptical this will happen since the OS has those files locked from access;

    Eset_Scan.png.6ec5b0d7de05bedef45d167185436ba0.png

    Sophos can detect malware in pagefile.sys, hiberfile.sys, etc. but cannot remove it. Removal methods are identical to those I previously posted: https://support.sophos.com/support/s/article/KB-000037996?language=en_US .

    Hello and thank you for answering.

    I do not know if it is true or not what I was told from the technical service of ESET Spain, I only comment here in case anyone knew anything else about it.

    Nor do I think I currently have any malware in pagefile.sys, hiberfile.sys and swapfile.sys. I simply indicate that the only way for ESET to attempt to scan those sectors and memory (even if it cannot and indicates error 4 unable to open) is to select all the disks and folders in the on-demand scan; if I don't, it does not even try to scan them. And I was told by tech support that that's a product bug.

    Otherwise, I'm waiting for Marcos' answer about the bootlog and logfile I sent, see if we can get anything clear about the strange file that keeps appearing.

    Have a nice day.

  6. 5 hours ago, itman said:

    Eset does not and cannot scan pagefile.sys, hiberfile.sys and swapfile.sys files. As your screen shot and my below screen shot shows, zero files were scanned;

    Eset_Scan.png.0ebc0dff0a666ebd8f0106aa39f20359.png

    If you are worried about malware in the pagefile, it can be cleared at system shutdown by setting appropriate registry key to do so. Or, via like Group Policy setting if you are running a Win Pro+ version.

    Likewise, the hiberfil.sys and swapfile.sys files can be deleted by running appropriate command line option to disable Hibernation, rebooting, and then re-enabling Hibernation. The same also can be done via Group Policy option.

    Hello and thank you for answering. I sent that same screenshot to ESET technical service, along with others showing that in order for the pagefile.sys, hiberfile.sys and swapfile.sys sectors to appear with the "unable to open [4]" in the scan log of the on-demand scan, it is necessary to run an analysis enabling all the options, all the disks, all the folders. For example, as I show in the screenshot: I do not want to scan the folder "Mis imágenes" or the other, "Mi musica", because they are folders that never change or do so rarely, take up a lot of space, and analyzing them takes about 1/3 of the total scan time. A hypothetical malware won't just stay there, where I keep my photos and my songs and music videos; it will infect other more important sectors of the computer.

    If I disable those options, "Mis imágenes" and "Mi musica" it doesn't show at the end pagefile.sys, hiberfile.sys and swapfile.sys with the "unable to open [4]." It doesn't seem to analyze the memory either. If I enable all options, yes.

    The technical service told me in June that it is an ESET product error that will be fixed in the next version. Have I not been told the truth?

    The first screenshot shows what I mean when I talk about disabling some option. The second is without enabling all options in the scan. The third screenshot is with all options enabled. The divergence in scanning or not scanning the pagefile.sys, hiberfile.sys and swapfile.sys sectors is a bug of the ESET product according to tech support and will be solved in a future new version.

     

    Analisis.jpg

    analisis 1.jpg

    analisis 2.jpg

  7. 13 hours ago, itman said:

    Repeat the test again. If you see cloudcar.exe file in your Downloads folder, check its file size. It should have a size of 0 bytes.

    You can also check the cloudcar.exe files that currently exist in your Downloads folder. They also should be 0 bytes in length.

    In other words, no actual executable file was created.

     

    Hello. I reported the error to technical support then, I was told that there was a problem with the ESET web link and that they would fix it. So it looks like it was, two days later it was fixed. I did the cloudcar test several times after I was told it was fixed and no files were downloaded to the computer.

    The files that were downloaded to the computer weighed 7 kb. But none should have been downloaded. I made six or seven attempts, three of them downloaded, you can see in the screenshot. The other three or four were blocked by the ESET product with a warning screen.

    These LiveGrid tests, repeating the on-demand scan over and over again, are due to the fact that since early June I noticed that if I did not enable all on-demand scanning options, the ESET product does not scan pagefile.sys, hiberfile.sys and swapfile.sys, or home/UEFI sectors. You have to mark them all. Why do you have the option to choose which sectors you want to analyze if ESET doesn't do it?

    File that can never be read by ESET (it is normal) and that's why usually appears a message with error number 4 (can't be read), so I realized that the ESET product should not scan them. In the attached screenshot you can see that by selecting only those sectors for analysis the result is zero detections, zero scanned files.

    After sending several logs to the support service, repeated numerous times the on-demand scan, complete and partial, the support service told me that the developers had encountered a problem in the product that will be resolved in the next version of ESET.

    It was by doing so many on-demand scans (almost daily) that I noticed the appearance of the mysterious file that motivated the current thread.

    Analisis.jpg

    Análisis.jpg

  8. 1 hour ago, itman said:

    One final comment in this thread and I am done with responding to replies.

    KVRT scan didn't detect anything malicious with this .dll in question.

    Eset real-time protection employs an advanced memory scanner which would have scanned the .dll when it loaded into memory.

    I therefore conclude barring further proof that this .dll is malicious, one should not worry further about it.

    Thank you for your time. Anyway, although the file may not be malware, how do you explain that more or less since that file started appearing the task manager spontaneously opens every day at 22.13? Or that the restore points disappeared? You said yesterday that it could be, as a conjecture, a case of DLL hijacking. Also, in your first answer you said you have never encountered an instance where ESET on-demand scan could not scan something in memory. I did find it sometimes, but it happened occasionally and if I repeated the analysis in one or two days, there was no longer any file that could not be read. However, this file, whatever it is, persists. There is some process that makes it stay there or that creates it every time the computer starts.

    Regarding the working of the ESET real-time protection, last month I had some problems that I reported to technical service. Doing the test of downloading cloudcar from the link that ESET indicates to check the functionality of ESET LiveGrid, I came across the ugly surprise that in half the attempts the cloudcar file was downloaded to my computer, when ESET should have blocked it. Cloudcar is harmless, but there is other software that is not. By the way, look at the date of the screenshot, June 15. Soon after, the problem with the mysterious file began. Coincidence? Maybe yes, maybe not. Could the protection of my ESET product have been malfunctioning during those days, running a risk for my computer?

    Please don't get me wrong. I'm not claiming that file is malware. I'm just saying we don't know what it is and what causes it.

     

    Livegrid.jpg

  9. 1 hour ago, itman said:

    There is another possibility based on lack of comment by an Eset moderator.

    If either of you have an Intel CPU installed on your device, open Eset GUI -> Setup -> Computer Protection. Then open HIPS settings. Under Ransomware Shield protection settings, does the following highlighted setting exist?

    image.png

    If this Intel TDT setting exists and is enabled, it is possible this mystery .dll running in memory is related to that protection.

    Hello. On your question, I have an Intel Core i7-12650H, but the option you show isn't available in my ESET product. Why? Isn't the ESET product supposed to be the same for all countries?

     

    Ransomware.jpg

  10. 1 hour ago, Mr_Frog said:

    I have done this and KVRT.exe found nothing. Right now I feel insecure and just think maybe someone is spying on my Computer.

    Hello. Looks like we have a similar problem. Does that file of yours have the same format as mine does? Like mem_2EBDBEB0000_7668.dll. Does it change every time you start the computer? Small changes, some digits. It's easy not to notice it because it seems to be the same, but in my case it changes every time.

    The truth is that one feels unsafe not knowing if there is something dangerous on the computer. Good luck.

  11. 1 hour ago, itman said:

    Another possibility here is we are dealing with an unknown rootkit.

    I came across the old Eset posting yesterday: https://forum.eset.com/topic/28800-cleaning-rootkit-problem/ . In this instance, the attacker dropped the .dll into the C:\Windows\System32 directory. Whereas Eset did detect the .dll as malicious, it could not stop the .dll from being repeatedly loaded into memory at boot time.

    The original poster and others used Kaspersky's Virus Removal Tool (KVRT) to remove the rootkit. It can be downloaded here: https://www.kaspersky.com/downloads/free-virus-removal-tool . I have never used the tool since it's a Kaspersky provided product. If one has no reservation on using Kaspersky's products, you can try running it and see if it detects anything. Again, I can't help you with any issues with KVRT.

    Hello and thank you for the answer. I have sent the logs to Marcos, indicating the thread of the forum I opened to see everything written here. I wait to see what he answers.

    The other user with a similar problem uses a different operating system and the user of the thread 28800-cleaning-rootkit-problem/ had a similar and different problem at the same time, because his ESET product is able to detect the infection. In my case it only detects a strange file that it cannot open and there are some issues in the operation of the computer since then.

    We'll see what's the result.

  12. 30 minutes ago, itman said:

    Great news! I was waiting to see if this could be duplicated elsewhere.

    Was the Eset scan done on a Win 11 device? My suspicion was that Win 11 OS was possibly loading this .dll into memory at boot time.

    Hello again. I'm going now to the house of the person who will let me use his internet connection. I've also made a file log now.

    I've seen that another user has a similar case. It remains to be known if he is running Windows 11 and if each time the file has a different name (although only a few digits change). Anyway, I have had this computer for almost two months and only for about the last twenty days have I noticed this problem. Previously, on-demand scans (I usually do them weekly) did not show that mysterious file.

    And let's not forget that the problems appeared simultaneously: the task manager that spontaneously opens every day at 22.13, and the restore points that have disappeared. It is possible that in the end it is a harmless file and the rest has an explanation, but it is better to be sure.

  13. 10 minutes ago, itman said:

    It is enough. What we are trying to determine is what is loading the .dll into memory.

    Also, letting Process Monitor run for 15 mins. as instructed might create a log so large, it would exceed the allowable maximum file upload size for most file sharing web sites.

    Thank you very much for the answer. When that person whose home I can go to finishes his working day within two hours, I will go to his home. I have the bootlog. Do you need a filelog too?

  14. 13 hours ago, itman said:

    Upload the zipped log file to a file sharing web site. Then private message @Marcos the file download link provided by the file sharing web site.

    I've found a possible solution. This afternoon I can go to the home of a relative of the person who I said is currently on vacation to whom I have explained the problem looking for help. I will upload the file from there and send the data by private message to Marcos.

    Important before I do anything. The Malwarebytes instructions for making the bootlog said to wait 10-15 minutes for all Windows processes and other programs to load. After five minutes I started the ESET on-demand scan, I saw that the mysterious file had already been created (like every time the computer starts, with a new name very similar to the previous one) and I finished the bootlog without waiting 15 minutes because the file we want to search for and track was already there. Is it enough or should I repeat the process and wait 15 minutes as the instructions indicate? I would not want to go, disturb someone I don't know personally, upload the file, and then be told that it was useless and I have to repeat the process.

    Thank you in advance.

  15. 12 hours ago, itman said:

    Upload the zipped log file to a file sharing web site. Then private message @Marcos the file download link provided by the file sharing web site.

    Thank you for the answer. I explained myself badly. It's not just about how to upload the file to the ESET forum. The issue is that for the past week, due to a technical incident at the ISP in the area where I live, the internet speed (upload and download) has been dramatically reduced, besides having random micro-outages. Uploading such a large file to any server is virtually impossible. Nor can I ask a neighbor to let me use their internet connection because they all suffer the same problem. The only person I could ask for help living outside the affected area is on vacation and doesn't come back until August. The ISP does not know when it will be able to solve the incident; it could be tomorrow or in ten days.

    Do you have any other options? Use TeamViewer to remotely check the file on my computer?

  16. 1 hour ago, itman said:

    Correct. Process Monitor and Process Explorer are two entirely different SysInternals utilities.

    The Malwarebytes link I posted just shows how to use Process Monitor. The link shown on the MalwareBytes web page is just to download Process Monitor from the SysInternals web site.

    Finally, if all this is too complicated for you, I suggest you employ the help of a PC technical savvy friend.

    The bootlog has a size of almost 4 GB! I don't know how I will upload it.

  17. 1 hour ago, itman said:

    Correct. Process Monitor and Process Explorer are two entirely different SysInternals utilities.

    The Malwarebytes link I posted just shows how to use Process Monitor. The link shown on the MalwareBytes web page is just to download Process Monitor from the SysInternals web site.

    Finally, if all this is too complicated for you, I suggest you employ the help of a PC technical savvy friend.

    Okay, thank you. The thing is that the link in your first answer was to download Process Explorer, and when you told me about Process Monitor I was confused because I didn't know if it was the same thing said under another name or not. Now I know they're two different things and I already know where to download Process Monitor. I've done it.

    In Spain it is already very late; as I do not know how long the logging will take me, tomorrow I will get to it and post it here.

    Thank you in advance.

    Al

  18. 41 minutes ago, itman said:

    As I stated in my initial posting, you can use Process Monitor to detect what is loading this .dll into memory at system startup.

    MalwareBytes use instructions of Process Monitor are a bit clearer than Eset's, so I will post its download link: https://service.malwarebytes.com/hc/en-us/articles/4413798945811-Use-Process-Monitor-to-create-real-time-event-logs . Refer to the section on how to create a boot log. You can stop Process Monitor logging activities once the .dll has been loaded into memory. Once the log is created, create a zip folder containing the log. Post the zipped log folder as an attachment to your next reply.

    Perhaps @Marcos will review the log to see if it can be determined what is loading this .dll into memory. Otherwise, contact Eset - Spain again attaching the zipped log folder.

    Note: If the .dll does not load into memory after a system re-boot, this would be a strong indicator of malware activity. Certain malware are "Process Monitor aware" and will not perform malicious activities if it detects Process Monitor running.

    Good evening and thanks for the answer. Maybe we're not talking about the same thing, but I downloaded SysInternals Process Explorer from the link you indicated in your first message, followed the instructions (fortunately they weren't complicated) and showed a screenshot of the result: no match. No file with that name. But the file is still detected by ESET in the on-demand scan, today I have repeated it and it appears again. Every time with different names, names so similar that until yesterday I didn't realize that they change some digits of the name. So this option, download SysInternals Process Explorer, run procexp64.exe as Administrator, select Handle or DLL, write the file name and search did not work.

    Is it safe to use Malwarebytes at the same time as ESET? Last time (in 2022), ESET support discouraged me from using it, not even the free version that only works by doing on-demand scanning. A surprising thing, because it was ESET's own technical support that recommended I use it some years ago, but in 2022 they said that things have changed and that Malwarebytes is neither necessary nor useful, apart from the fact that it can interfere in the operation of ESET.

  19. 1 hour ago, itman said:

    Eset forum procedure is to instruct contacting Eset in-country tech support when the matter cannot be resolved in the forum. You have already done this. Eset - Spain tech support stated the file running in memory is not something to be concerned about.

    At this point, I can't assist you further in this issue. If you are still concerned this file might be malware related, you could seek assistance in the following web site security forums;

    https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/

    https://malwaretips.com/forums/windows-malware-removal-help-support.10/

    Thanks. Unfortunately, technical support in Spain leaves much scope for improvement. ESET Spain has not told me that I should not worry about that file. ESET Spain said that at first, then nuanced it stating that could not ensure that this strange file is or isn't a malware because the ESET product can't read it and without reading it it isn't possible to get out of doubt. But if I'm worried I can seek help from a specialist malware technician to analyze my computer. This is like saying "don't count on us to solve your problem." It's not serious and I expected more from ESET.

    You told me yesterday that it could be a case of DLL hijacking. Maybe or maybe not, but it's a possibility that would have to be explored. Just, how to do it?

    ESET cannot abandon the customer in this way.

  20. 49 minutes ago, itman said:

    Referring to your first posted screen shot of an Eset scan, the other odd thing observed is DeviceFlowUI.dll running in memory with the scan line suffix - esto correcto - which translates to - this is correct?

    I have never seen an Eset scan show anything detected in memory; only a scan object count is displayed in the log. Why would Eset inform that an object detected in memory is correct? Perhaps this means - object is not detected as malware. But, why is the notification shown in the first place?

    -EDIT- One possibility is DLL hijacking is going on. The attacker is replacing DeviceFlowUI.dll with mem_1883B4E0000_13256.dll and then executing ShellExperienceHost.exe, a legit Windows process, to run the malicious .dll. This is just speculation at this point.

    Hello again. I am expanding the information. I had not noticed, but it seems that every time the name of this mysterious file is different: the last one is mem_2EBDBEB0000_7668.dll. I was a fool not to notice it previously. It seems that each time the computer starts the file is created anew or renamed. You can see it in the first screenshot.

    I searched Process Explorer, following the instructions, for the last file name, but without success. The second screenshot shows it.

    Any idea since ESET's technical service is limited to saying (not very politely) that they cannot guarantee that my computer is free of malware and if this file is or not a malware, but that if I have doubts seek help from a specialist malware technician to analyze my computer? This is not serious and I expected more from ESET.

    And yes, "esto correcto" means "this is correct". I am from Spain, my ESET product is in Spanish.

    Thanks in advance.

    Al

    scan.jpg

    Process explorer.jpg

  21. 4 hours ago, itman said:

    It is odd that Eset is detecting a .dll in memory that it cannot scan. I have never encountered an instance where Eset on-demand scan could not scan something in memory.

    The first step here would be determine what is loading the .dll into memory. Something like SysInternals Process Monitor utility set to run at system startup with logging enabled might detect the .dll loading into memory. Just don't keep this utility running for an extended period time since the log file would be huge.

    You could also try running Eset's SysInspector and see if can provide any information on this .dll.

    -EDIT- What you should do first is download SysInternals Process Explorer from here: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer . Then run procexp64.exe as Admin. Mouse click on the Find tab and select "Handle or DLL." In the search bar, enter "mem_1883B4E0000_13256.dll" less the quote marks. Then mouse click on the Search tab. The search result should indicate what process loaded the .dll but no guarantee on that.

    Good night and thank you for the answer. I am a user with poor computer notions beyond basic things, I have no idea how to use that program that you tell me. I'll try to see if I can make it work. In any case, you admit that it is unusual that ESET cannot read a file in memory. More reasons to suspect something disused and that it is necessary to discard all options, including the option of a malware.

    Tech support didn't tell me anything about Eset's SysInspector. They just told me not to worry about an error when opening files during the scan, and then nuanced that "don't worry" to "we can't guarantee no malware."

    Thanks.

    Al

  22. Hello,

    I am a user of ESET Internet Security 16.1.14.0, running Windows 11, and since the second half of June, in on-demand computer scans, a mysterious file appears that cannot be opened by the antivirus: Registro memoria operativa "mem_1883B4E0000_13256.dll". As you can see in the screenshots, the file has no path; it does not indicate the disk on which it is, unlike what it does with other files.

    I wrote to the ESET technical service and initially responded that I should not worry, ignore files that cannot be opened because they are not infected, they are simply in use by the operating system or another program. I asked how they can tell whether or not it is infected if ESET cannot open and scan it, and if there was hidden malware the file could be in use by the malware itself ("or another program").

    They replied that they could not guarantee that there is no infection in the computer and that, if I have doubts about it, I could contact a specialist malware technician to analyze my computer and the other devices in my network in depth.

    I don't think it's serious. Why do you need an antivirus product if they offer you that option when there are doubts on a strange file?

    Because it's not just that mysterious file that pops up every time I do an on-demand scan. Since that mysterious file began to appear, the file explorer spontaneously opens every night at 22.13. The restoration points disappeared and I had at least four points, so I could not restore system to a point previous to the appearance of this file. These are strange failures. If you write to Windows Help explaining that you have a strange file and malfunctions in Windows, the first thing they tell you is to make sure you don't have malware on your PC. Should I tell them that the service of my antivirus product tells me that can't ensure if there is malware in my computer?

    I have tried to perform on-demand scan immediately after starting the computer without opening any program, not even the file explorer, in case that file was created by some program after opening it, but that file appears anyway, so that is a file created by something that starts with the same computer (Windows or other, there are multitude of processes) or that was created at any given time and does not disappear since then.

    I have tried looking for it in the computer, selecting the option "Show hidden files and folders," but it does not appear. However ESET detects it, it exists.

    At this point, the important thing is to know what that file is, where it is located and specially if it poses a threat. Depending on whether it is a threat or not the actions will be different.

    Thank you,

    Al

    ESET 1.jpg

    ESET 2.jpg

    I'm sorry I haven't written these days; health problems.

    The problem with RAM usage seemed resolved, but in the last week it has reappeared, although not in the same form. For some reason the ESET product returned to normality and was using an average of 150 MB of RAM, increased slightly during the on-demand scan, and then returned to 150 MB on average. In the last two weeks, no. It began increasing again, slowly but persistently, to 260 MB, and it never diminishes, only increases. You can see it in the first screenshot. If every week the RAM usage increases by around 50 MB, I will have the same problem again in some weeks: excessive RAM usage.

    Second problem. It appeared that the random search for updates issue had been fixed with version 14.1.20.0. But in the last few days I have observed a new randomness. In the second screenshot you can see that the computer was switched on at 22:09 hours and updated (red arrow). It should have searched for updates at 23:09, 00:09... every 60 minutes. But you can see on the yellow arrows that the ESET product searched for updates at 23:58 and has a new search scheduled at 00:58. Both in the task that is configured by default with the ESET product and in the task that I created to compensate for the randomness of the update search. One more time it searches when it wants.

    No updates of Windows or any other program happened during these last two weeks. I have few programs. The ones I need and no more.

    And the version of the protection module is already 1425, but the date of compilation is April 16, 2021. In April the 1425 was not released; it was still the 1423. I could use the 1425 thanks to the pre-release option. Why is the release date April if it was released in May?

    And again I have problems with the safe browser.

    ESET memoria 17.jpg

    ESET actualización 6.jpg
