
Strange file in operating memory of the computer



Hello,

I am a user of ESET Internet Security 16.1.14.0, running Windows 11, and since the second half of June on-demand computer scans show a mysterious file that cannot be opened by the antivirus: Registro memoria operativa ("Operating memory log") "mem_1883B4E0000_13256.dll". As you can see in the screenshots, the file has no path; it does not indicate the disk on which it is located, unlike the other files, for which it does.

I wrote to ESET technical service and they initially responded that I should not worry and should ignore files that cannot be opened, because they are not infected; they are simply in use by the operating system or another program. I asked how they can tell whether or not it is infected if ESET cannot open and scan it, and pointed out that if there were hidden malware the file could be in use by the malware itself ("or another program").

They replied that they could not guarantee that there is no infection on the computer and that, if I have doubts about it, I could contact a specialist malware technician to analyze my computer and the other devices on my network in depth.

I don't think that's serious. Why do you need an antivirus product if they offer you that option when there are doubts about a strange file?

Because it's not just that mysterious file that pops up every time I do an on-demand scan. Since that mysterious file began to appear, File Explorer spontaneously opens every night at 22:13. The restore points disappeared, and I had at least four, so I could not restore the system to a point before the appearance of this file. These are strange failures. If you write to Windows Help explaining that you have a strange file and malfunctions in Windows, the first thing they tell you is to make sure you don't have malware on your PC. Should I tell them that the support service of my antivirus product says it can't ensure there is no malware on my computer?

I have tried performing an on-demand scan immediately after starting the computer without opening any program, not even File Explorer, in case that file was created by some program after opening it, but the file appears anyway, so it is a file created by something that starts with the computer (Windows or something else; there are a multitude of processes) or that was created at some point and has not disappeared since.

I have tried looking for it on the computer, selecting the option "Show hidden files and folders," but it does not appear. However, ESET detects it, so it exists.

At this point, the important thing is to know what that file is, where it is located and especially whether it poses a threat. Depending on whether it is a threat or not, the actions will be different.

Thank you,

Al

ESET 1.jpg

ESET 2.jpg

---

It is odd that Eset is detecting a .dll in memory that it cannot scan. I have never encountered an instance where an Eset on-demand scan could not scan something in memory.

The first step here would be to determine what is loading the .dll into memory. Something like the SysInternals Process Monitor utility, set to run at system startup with logging enabled, might detect the .dll loading into memory. Just don't keep this utility running for an extended period of time, since the log file would be huge.

You could also try running Eset's SysInspector and see if it can provide any information on this .dll.

-EDIT- What you should do first is download SysInternals Process Explorer from here: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer . Then run procexp64.exe as Admin. Mouse click on the Find tab and select "Handle or DLL." In the search bar, enter "mem_1883B4E0000_13256.dll" without the quote marks. Then mouse click on the Search tab. The search result should indicate what process loaded the .dll, but no guarantee on that.

---


Good night and thank you for the answer. I am a user with poor computer knowledge beyond basic things; I have no idea how to use the program you mention. I'll try to see if I can make it work. In any case, you admit that it is unusual for ESET not to be able to read a file in memory. More reason to suspect something amiss and that it is necessary to rule out all options, including malware.

Tech support didn't tell me anything about Eset's SysInspector. They just told me not to worry about an error when opening files during the scan, and then nuanced that "don't worry" into "we can't guarantee no malware."

Thanks.

Al

---

Referring to your first posted screenshot of an Eset scan, the other odd thing observed is DeviceFlowUI.dll running in memory with the scan line suffix "esto correcto", which translates to "this is correct"?

I have never seen an Eset scan show anything detected in memory; only a scanned-object count is displayed in the log. Why would Eset report that an object detected in memory is correct? Perhaps this means the object is not detected as malware. But why is the notification shown in the first place?

-EDIT- One possibility is that DLL hijacking is going on. The attacker is replacing DeviceFlowUI.dll with mem_1883B4E0000_13256.dll and then executing ShellExperienceHost.exe, a legitimate Windows process, to run the malicious .dll. This is just speculation at this point.

---
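A check for the hijacking hypothesis in the post above, added here as an example; it is not code from the thread, from the posters or from ESET. It runs over Process Monitor "Load Image" rows and applies the rule a responder would use: a DLL whose name belongs to the Windows system inventory must be loaded from under C:\Windows; a same-named copy loaded from anywhere else is a search-order hijack candidate; and an image load with no backing path at all is an unbacked module. The rows, the Temp path, the PIDs and the small System32 inventory are all constructed for the example and are not observations from the poster's machine.

```python
"""Search-order hijacking check over Process Monitor "Load Image" rows.

Added example for the ESET forum thread; not code from the thread or from
ESET. All event rows and the system-DLL inventory below are constructed.
"""
from pathlib import PureWindowsPath

SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")

# Constructed inventory of DLL names that ship in System32. A real check
# builds this from a clean reference machine, not from a hand-written set.
SYSTEM_DLLS = {"deviceflowui.dll", "ntdll.dll", "kernel32.dll", "user32.dll"}

# Constructed "Load Image" rows: (process name, PID, image path).
# An empty path stands for an image that has no file behind it.
EVENTS = [
    ("ShellExperienceHost.exe", 7668, r"C:\Windows\System32\ntdll.dll"),
    ("ShellExperienceHost.exe", 7668, r"C:\Windows\System32\DeviceFlowUI.dll"),
    ("ShellExperienceHost.exe", 7668, r"C:\Users\al\AppData\Local\Temp\DeviceFlowUI.dll"),
    ("ShellExperienceHost.exe", 7668, ""),
    ("explorer.exe", 4312, r"C:\Windows\System32\user32.dll"),
]


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive test that `path` lies below `root` (Windows paths)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[:len(r)] == r


def classify(path_str: str) -> str:
    """Return 'unbacked', 'hijack' or 'ok' for one loaded-image path.

    unbacked: no file path, i.e. the image was mapped without the loader.
    hijack:   a system DLL name loaded from outside the Windows directory,
              which is what search-order hijacking looks like in a log.
    """
    if not path_str:
        return "unbacked"
    path = PureWindowsPath(path_str)
    if path.name.lower() in SYSTEM_DLLS and not is_under(path, SYSTEM_ROOT):
        return "hijack"
    return "ok"


def find_suspicious(events):
    """Return (process, pid, path, verdict) for every row that is not 'ok'."""
    flagged = []
    for proc, pid, path in events:
        verdict = classify(path)
        if verdict != "ok":
            flagged.append((proc, pid, path, verdict))
    return flagged


if __name__ == "__main__":
    for row in find_suspicious(EVENTS):
        print(row)
```

A "hijack" verdict is a lead, not a conviction: some applications legitimately ship a private copy of a same-named DLL in their own folder, so the next step on a real machine is to check the flagged file's Authenticode signature and hash before calling it malicious. An "unbacked" row is the more interesting one for this thread, because a module with no file behind it is exactly what a file-name search in Process Explorer cannot find.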


Hello again. I am expanding the information. I had not noticed, but it seems that every time the name of this mysterious file is different: the last one is mem_2EBDBEB0000_7668.dll. I was foolish not to notice it previously. It seems that each time the computer starts the file is created anew or renamed. You can see it in the first screenshot.

I searched in Process Explorer, following the instructions, for the last file name, but without success. The second screenshot shows it.

Any ideas, since ESET's technical service is limited to saying (not very politely) that they cannot guarantee that my computer is free of malware, or whether this file is malware or not, but that if I have doubts I should seek help from a specialist malware technician to analyze my computer? This is not serious, and I expected more from ESET.

And yes, "esto correcto" means "this is correct". I am from Spain; my ESET product is in Spanish.

Thanks in advance.

Al

scan.jpg

Process explorer.jpg

---

Eset forum procedure is to instruct contacting Eset in-country tech support when the matter cannot be resolved in the forum. You have already done this. Eset Spain tech support stated that the file running in memory is not something to be concerned about.

At this point, I can't assist you further with this issue. If you are still concerned this file might be malware related, you could seek assistance in the following web site security forums:

https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/

https://malwaretips.com/forums/windows-malware-removal-help-support.10/

---


Thanks. Unfortunately, technical support in Spain leaves much scope for improvement. ESET Spain has not told me that I should not worry about that file. ESET Spain said that at first, then nuanced it, stating that they could not ensure whether this strange file is malware or not because the ESET product can't read it, and without reading it it isn't possible to resolve the doubt. But if I'm worried I can seek help from a specialist malware technician to analyze my computer. This is like saying "don't count on us to solve your problem." It's not serious, and I expected more from ESET.

You told me yesterday that it could be a case of DLL hijacking. Maybe, maybe not, but it's a possibility that would have to be explored. Just, how to do it?

ESET cannot abandon the customer in this way.

---

As I stated in my initial posting, you can use Process Monitor to detect what is loading this .dll into memory at system startup.

MalwareBytes' instructions for using Process Monitor are a bit clearer than Eset's, so I will post its download link: https://service.malwarebytes.com/hc/en-us/articles/4413798945811-Use-Process-Monitor-to-create-real-time-event-logs . Refer to the section on how to create a boot log. You can stop Process Monitor's logging once the .dll has been loaded into memory. Once the log is created, create a zip folder containing the log. Post the zipped log folder as an attachment to your next reply.

Perhaps @Marcos will review the log to see if it can be determined what is loading this .dll into memory. Otherwise, contact Eset Spain again, attaching the zipped log folder.

Note: If the .dll does not load into memory after a system reboot, this would be a strong indicator of malware activity. Certain malware is "Process Monitor aware" and will not perform malicious activities if it detects Process Monitor running.

---
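The Process Explorer search earlier in the thread matched on a file name, and the Process Monitor boot log recommended above records which process loaded which image, and where. The script below, added here as an example and not code from the thread, the posters or ESET, connects the two. It rests on one assumption that the page does not confirm: that in a name such as mem_1883B4E0000_13256.dll the middle field is the hexadecimal base address of an image in memory and the last field is the PID of the owning process (the poster noticed both fields change at every boot, which is what addresses and PIDs do). Under that assumption the boot log shows whether any file-backed image was loaded at that base in that PID; if the PID is in the log but nothing was loaded at that base, the module was mapped without the Windows loader, and a search by file name was never going to find it. The CSV excerpt is constructed in the column layout of Process Monitor's File > Save > CSV export; the "Image Base:" wording of the Detail column is taken from that export, and the processes, PIDs, paths and addresses are made up.

```python
"""Resolve an ESET "mem_<base>_<pid>.dll" scan entry against a Process Monitor boot log.

Added example for the ESET forum thread; not code from the thread or from
ESET. The name layout (hex image base, then PID) is an assumption, and the
CSV excerpt below is constructed.
"""
import csv
import io
import re

# Assumed layout of the ESET scan entry: mem_<hex image base>_<pid>.dll
NAME_RE = re.compile(r"^mem_([0-9A-Fa-f]+)_(\d+)\.dll$")
# Detail column of a "Load Image" row in a Process Monitor CSV export
BASE_RE = re.compile(r"Image Base:\s*0x([0-9A-Fa-f]+)")

# Constructed excerpt of a Process Monitor CSV export (File > Save > CSV).
# Processes, PIDs, paths and addresses are made up for the example.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","1288","Load Image","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Image Base: 0x7ffd7f3c0000, Image Size: 0x1f4000"
"10:01:05.4","ShellExperienceHost.exe","7668","Load Image","C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe","SUCCESS","Image Base: 0x7ff6a1c40000, Image Size: 0x4f000"
"10:01:05.5","ShellExperienceHost.exe","7668","Load Image","C:\\Windows\\System32\\DeviceFlowUI.dll","SUCCESS","Image Base: 0x2ebdbeb0000, Image Size: 0x33000"
"10:01:05.6","ShellExperienceHost.exe","7668","CreateFile","C:\\Windows\\System32\\DeviceFlowUI.dll","SUCCESS","Desired Access: Read Data"
"10:01:09.0","explorer.exe","4312","Load Image","C:\\Windows\\System32\\user32.dll","SUCCESS","Image Base: 0x7ffd7e200000, Image Size: 0x1a0000"
"""


def parse_eset_name(name):
    """Split mem_<base>_<pid>.dll into (base address as int, pid as int)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an ESET in-memory object name: {name}")
    return int(m.group(1), 16), int(m.group(2))


def load_image_events(csv_text):
    """Return the Load Image rows as dicts with the image base parsed out."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Load Image":
            continue
        m = BASE_RE.search(row["Detail"])
        if not m:
            continue
        events.append({
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "path": row["Path"],
            "base": int(m.group(1), 16),
        })
    return events


def resolve(name, events):
    """Explain one ESET entry using the boot log.

    status is one of:
      file-backed     the PID loaded a file at that base; 'path' says which
      unbacked        the PID is in the log but nothing was loaded at that base
      pid-not-in-log  no Load Image rows for that PID (log stopped too early,
                      or the process was never recorded)
    """
    base, pid = parse_eset_name(name)
    in_pid = [e for e in events if e["pid"] == pid]
    if not in_pid:
        return {"pid": pid, "base": base, "status": "pid-not-in-log",
                "process": None, "path": None}
    for e in in_pid:
        if e["base"] == base:
            return {"pid": pid, "base": base, "status": "file-backed",
                    "process": e["process"], "path": e["path"]}
    return {"pid": pid, "base": base, "status": "unbacked",
            "process": in_pid[0]["process"], "path": None}


if __name__ == "__main__":
    evs = load_image_events(PROCMON_CSV)
    for n in ("mem_2EBDBEB0000_7668.dll", "mem_1883B4E0000_13256.dll"):
        r = resolve(n, evs)
        print(f"{n}: {r['status']} process={r['process']} path={r['path']}")
```

A boot log is huge (the poster's was almost 4 GB), but only the Load Image rows matter here: set a filter in Process Monitor on Operation "is" Load Image before saving as CSV and the export shrinks to what this script reads. If the PID is present and the status comes back "unbacked", the next step is a memory dump of that process, not another search of the disk.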


Good evening and thanks for the answer. Maybe we're not talking about the same thing, but I downloaded SysInternals Process Explorer from the link you indicated in your first message, followed the instructions (fortunately they weren't complicated) and posted a screenshot of the result: no match. No file with that name. But the file is still detected by ESET in the on-demand scan; today I repeated it and it appears again, every time with a different name, names so similar that until yesterday I didn't realize that some digits of the name change. So this option (download SysInternals Process Explorer, run procexp64.exe as Administrator, select Handle or DLL, type the file name and search) did not work.

Is it safe to use Malwarebytes at the same time as ESET? The last time (in 2022) ESET support discouraged me from using it, not even the free version that only does on-demand scanning. Surprising, because it was ESET's own technical support that recommended I use it some years ago, but in 2022 they said that things have changed and that Malwarebytes is neither necessary nor useful, apart from the fact that it can interfere with the operation of ESET.

---

16 minutes ago, AlSky said:

Maybe we're not talking about the same thing,

Correct. Process Monitor and Process Explorer are two entirely different SysInternals utilities.

17 minutes ago, AlSky said:

Is it safe to use Malwarebytes at same time with ESET?

The Malwarebytes link I posted just shows how to use Process Monitor. The link shown on the MalwareBytes web page is just to download Process Monitor from the SysInternals web site.

Finally, if all this is too complicated for you, I suggest you enlist the help of a PC-savvy friend.

---


Okay, thank you. The link in your first answer was to download Process Explorer, and when you told me about Process Monitor I was confused because I didn't know whether it was the same thing described with other words or not. Now I know they're two different things, and I already know where to download Process Monitor. I've done it.

In Spain it is already very late, and I do not know how long it will take me to make the log; tomorrow I will get to it and post it here.

Thank you in advance.

Al

---


The boot log has a size of almost 4 GB! I don't know how I will upload it.

---

25 minutes ago, AlSky said:

The bootlog has a size of almost 4 gb! I don't know how I will upload it.

Upload the zipped log file to a file sharing web site. Then private message @Marcos the file download link provided by the file sharing web site.

---


Thank you for the answer. I explained myself badly. It's not just about how to upload the file to the ESET forum. The problem is that for a week, due to a technical incident at the ISP in the area where I live, the internet speed (upload and download) has been dramatically reduced, besides random micro-outages. Uploading such a large file to any server is virtually impossible. Nor can I ask a neighbor to let me use their internet connection, because they all suffer the same problem. The only person I could ask for help who lives outside the affected area is on vacation and doesn't come back until August. The ISP does not know when it will be able to resolve the incident; it could be tomorrow or in ten days.

Do you have any other options? Use TeamViewer to remotely check the file on my computer?

---


I've found a possible solution. This afternoon I can go to the home of a relative of the person who I said is currently on vacation, to whom I have explained the problem in search of help. I will upload the file from there and send the details by private message to Marcos.

Important, before I do anything. The Malwarebytes instructions for making the boot log say to wait 10-15 minutes for all Windows processes and other programs to load. After five minutes I started the ESET on-demand scan, saw that the mysterious file had already been created (as every time the computer starts, with a new name very similar to the previous one), and I stopped the boot log without waiting 15 minutes because the file we want to search for and track was already there. Is that enough, or should I repeat the process and wait 15 minutes as the instructions indicate? I would not want to go and disturb someone I don't know personally, upload the file, and then be told that it was useless and I have to repeat the process.

Thank you in advance.

---

41 minutes ago, AlSky said:

Is it enough or should I repeat the process and wait 15 minutes as the instructions indicate?

It is enough. What we are trying to determine is what is loading the .dll into memory.

Also, letting Process Monitor run for 15 minutes as instructed might create a log so large that it would exceed the maximum file upload size for most file sharing web sites.

---


Thank you very much for the answer. When the person whose home I can go to finishes his working day in two hours, I will go to his home. I have the boot log. Do you need a file log too?

---

5 minutes ago, AlSky said:

I have the bootlog. Do you need a filelog too?

You can upload the file log also, but do two separate uploads, which will result in two fileshare download links that you provide to @Marcos.

---

On 7/9/2023 at 9:21 PM, AlSky said:

mem_1883B4E0000_13256.dll

Today I decided to scan my system and I found this file in the scan log results. I searched the entire C drive but found none. I'm still wondering what it was.

I see no ESET staff or moderator has confirmed anything about it. Do they not know about it? Maybe.

---

27 minutes ago, Mr_Frog said:

Today I decided to scan my system and I found this file in the scan log results. Searched the entire C drive, but found none. Im still wondering what it was.

Great news! I was waiting to see if this could be duplicated elsewhere.

Was the Eset scan done on a Win 11 device? My suspicion was that Win 11 OS was possibly loading this .dll into memory at boot time.

---


Hello again. I'm going now to the house of the person who will let me use his internet connection. I've also made a file log now.

I've seen that another user has a similar case. It remains to be seen whether he is running Windows 11 and whether the file has a different name each time (although only a few digits change). Anyway, I have had this computer for almost two months and only for about the last twenty days have I noticed this problem. Previously, on-demand scans (I usually do one weekly) did not show that mysterious file.

And let's not forget that at the same time the problems appeared with Task Manager spontaneously opening every day at 22:13, and the restore points disappearing. It is possible that in the end it is a harmless file and the rest has an explanation, but it is better to be sure.

---

36 minutes ago, itman said:

Was the Eset scan done on a Win 11 device?

Nope. I'm using Windows 10 Pro 64-bit. I notice many .exe files are auto-created and sent to ESET Virus Labs. Tomorrow I will post the log information here.

---

Another possibility here is that we are dealing with an unknown rootkit.

I came across this old Eset posting yesterday: https://forum.eset.com/topic/28800-cleaning-rootkit-problem/ . In that instance, the attacker dropped the .dll into the C:\Windows\System32 directory. Whereas Eset did detect the .dll as malicious, it could not stop the .dll from being repeatedly loaded into memory at boot time.

The original poster and others used Kaspersky's Virus Removal Tool (KVRT) to remove the rootkit. It can be downloaded here: https://www.kaspersky.com/downloads/free-virus-removal-tool . I have never used the tool, since it's a Kaspersky-provided product. If one has no reservations about using Kaspersky's products, you can try running it and see if it detects anything. Again, I can't help you with any issues with KVRT.

---

11 minutes ago, itman said:

The original poster and others used Kaspersky's Virus Removal Tool (KVRT) to remove the rootkit. It can be downloaded here: https://www.kaspersky.com/downloads/free-virus-removal-tool .

I have done this and KVRT.exe found nothing. Right now I feel insecure and just think maybe someone is spying on my computer.
