Threat Removal




I get this message "Threat found" on my updated Windows 8.1 and it is blocking TightVNC and other applications. If I click "Delete", is it going to remove "tvnserver.exe", which is an executable of TightVNC? What is the meaning of Operating memory >> tvnserver.exe? The files are in ProgramFiles->Tight VNC->tvnserver.exe, but can anyone explain why it shows operating memory?


  • Administrators

Since Sality is a file infecting virus and it was detected also in memory, I'd recommend running a full disk scan with ESET SysRescue first.


What the alert tells me is that the malware was detected in tvnserver.exe after it was loaded into memory. This could be, for example, a malicious .dll was injected/loaded into the process, a thread hooked to a malicious process, etc.

At this point, it is hard to determine if tvnserver.exe itself is infected. You could submit it to VirusTotal for static scanning detection. If nothing is found there, submit it to Hybrid-Analysis for a dynamic sandbox analysis.

Edited by itman

Microsoft has a technical description of Sality:


Threat behavior


Most variants of Win32/Sality drop a DLL onto your PC. For example, we have seen variants use the following file names:

  • <system folder>\wmdrtc32.dll - this file contains the bulk of the virus code
  • <system folder>\wmdrtc32.dl_ - this is a compressed copy of the virus code

Some variants of Sality, like Virus:Win32/Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder <system folder>\drivers. The driver is detected as Trojan:WinNT/Sality (see the Payload - Drops other components section below).

Sality may be dropped by other malware, including other Sality variants. For example, a Sality variant detected as Virus:Win32/Sality.AU is dropped by Worm:Win32/Sality.AU.

We have also observed the Sality variant Virus:Win32/Sality.G being dropped by a member of the Win32/Bagle family of mass-mailing worms: Worm:Win32/Bagle.IF@mm.


Note what I underlined; Sality can inject its .dll directly into the memory of a process; i.e. fileless malware.

Edited by itman
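An added example, not part of any post in this thread and not ESET or Microsoft code: a Python triage script that hashes tvnserver.exe for a VirusTotal lookup, checks the system folder for the two DLL names quoted from the Microsoft description, and lists recently modified files in the drivers folder. The function name `triage`, the 30-day window and the default paths are assumptions; because some variants load entirely in memory, an empty result does not rule out infection.

```python
import hashlib
import time
from pathlib import Path

# File names quoted in the Microsoft description above.
SALITY_DLL_NAMES = ("wmdrtc32.dll", "wmdrtc32.dl_")


def sha256_of(path: Path) -> str:
    """Hash in chunks so a large executable is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(system_folder, exe_path, driver_age_days=30, now=None):
    """Collect on-disk evidence only; memory-only variants leave none of it."""
    system_folder, exe_path = Path(system_folder), Path(exe_path)
    now = time.time() if now is None else now
    cutoff = now - driver_age_days * 86400

    # Case-insensitive match, since Windows file names are case-insensitive.
    dropped = sorted(
        p.name for p in system_folder.iterdir()
        if p.is_file() and p.name.lower() in SALITY_DLL_NAMES
    ) if system_folder.is_dir() else []

    # Heuristic (assumption): a freshly dropped, randomly named driver has a
    # recent modification time. Every hit needs manual review.
    drivers_dir = system_folder / "drivers"
    recent = sorted(
        p.name for p in drivers_dir.iterdir()
        if p.is_file() and p.stat().st_mtime >= cutoff
    ) if drivers_dir.is_dir() else []

    return {
        "exe_sha256": sha256_of(exe_path) if exe_path.is_file() else None,
        "dropped_dll_names": dropped,
        "recent_drivers": recent,
    }


if __name__ == "__main__":
    # Default install paths are assumptions; adjust for the machine at hand.
    print(triage(r"C:\Windows\System32",
                 r"C:\Program Files\TightVNC\tvnserver.exe"))
```

Run it from a clean environment where possible, since a file infector that is active in memory can interfere with what a script sees on disk.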

This topic is now closed to further replies.