Umiamz

False positive?


For the past 3 hours EAM has been detecting Trojan.MSIL.XAA in a .DLL in a Temp directory. It looks like something runs at the same time each hour and creates a temporary DLL. Here's the File Guard log:

 

Emsisoft Anti-Malware - Version 11.0
FG log
 
Date PID Application Event Detection
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)
 
 
I've no idea what is creating the DLL - I can't see anything in any of the more common Windows event logs, and whatever it is cleans up after itself and leaves no files in Temp that are dated around the same time.
 
Also, Quarantine is actually empty, as is the Quarantine log.
 
Any ideas?


I'm having the exact same problem. Also started this morning for me.

 

Funnily enough, the user folder it's happening in is called Mike.. Maybe an attack on users named Mike? ;)


I spoke too soon - it's doing it again but detecting a different trojan this time:

 

Emsisoft Anti-Malware - Version 11.0
FG log
 
Date PID Application Event Detection
06/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\0_emqk0k.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\pnnmocab.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 05:49:03 0 C:\Users\mikez\AppData\Local\Temp\bz-t3r32.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 04:49:03 0 C:\Users\mikez\AppData\Local\Temp\d2gs8m_1.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 03:49:03 0 C:\Users\mikez\AppData\Local\Temp\qlcyvklq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 02:49:02 0 C:\Users\mikez\AppData\Local\Temp\wxlhesaq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
05/12/2015 11:49:03 0 C:\Users\mikez\AppData\Local\Temp\i7vznkoj.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 10:49:04 0 C:\Users\mikez\AppData\Local\Temp\ywuwzr7w.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)
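A triage check for the pattern the log above shows, added here as an example and not part of the thread: it parses File Guard lines in the posted format, keeps only hits on randomly named DLLs directly under Temp, and reports per rule whether those hits recur at a fixed interval, which is what the poster's "same time each hour" observation amounts to. Six log lines and the rule names are taken from the post; the setup.exe line is constructed, and the eight-character name pattern and dd/mm/yyyy date order are assumptions read off the posted lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Six lines copied from the File Guard log posted above, plus one constructed
# non-Temp hit (setup.exe) to show that the Temp-DLL filter leaves it out.
FG_LOG = r"""
06/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\0_emqk0k.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\pnnmocab.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 05:49:03 0 C:\Users\mikez\AppData\Local\Temp\bz-t3r32.dll Quarantined by rule Trojan.Ranapama.HJ (B)
05/12/2015 12:00:00 1234 C:\Users\mikez\Downloads\setup.exe Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)
"""

# One FG line: "<dd/mm/yyyy HH:MM:SS> <PID> <path> Quarantined by rule <rule> (B)".
# The path is read as a single token, which holds for the posted lines (no spaces).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+) (?P<path>\S+) "
    r"Quarantined by rule (?P<rule>\S+)"
)
# Assumed from the posted names: 8 characters of [a-z0-9_-] directly under \Temp.
TEMP_DLL_RE = re.compile(r"\\Temp\\[a-z0-9_-]{8}\.dll$", re.IGNORECASE)


def parse_fg_log(text):
    """Return (timestamp, pid, path, rule) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the format are skipped
            ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
            events.append((ts, int(m["pid"]), m["path"], m["rule"]))
    return sorted(events)


def periodic_hits(events, period_s=3600, tolerance_s=60, min_hits=3):
    """Per rule, count hits on randomly named Temp DLLs and say whether they
    recur at a fixed interval (hourly by default). A steady period points to a
    scheduled job or service, not a one-off drop. Returns {rule: (hits, periodic)}."""
    by_rule = defaultdict(list)
    for ts, _pid, path, rule in events:
        if TEMP_DLL_RE.search(path):
            by_rule[rule].append(ts)
    report = {}
    for rule, stamps in by_rule.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = all(abs(g - period_s) <= tolerance_s for g in gaps)
        report[rule] = (len(stamps), len(stamps) >= min_hits and regular)
    return report
```

When a rule comes back periodic, the next step is to find what runs at that minute of each hour (scheduled tasks, services, logon scripts) rather than to chase the DLL itself, since it is gone by the time you look.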


What kind of scan does this appear with: quick, malware or custom?

 

Or does it appear in all types of scans?


What kind of scan does this appear with: quick, malware or custom?

 

Or does it appear in all types of scans?

 

None of those - it's File Guard that's detecting it. The DLL only seems to be there for a very short time and isn't appearing in quarantine or in the quarantine log despite EAM saying it has quarantined it. File Guard is on the Balanced setting.

 

Appears to be fixed again now, anyway...


I recommend following the instructions at this link to open a malware removal topic in this section of our forums. Be sure to also post the parts of the File Guard log showing the detections you are seeing when you post the rest of your logs.


I recommend following the instructions at this link to open a malware removal topic in this section of our forums. Be sure to also post the parts of the File Guard log showing the detections you are seeing when you post the rest of your logs.

 

Thanks, but it appears to have been fixed via a signature update a couple of days ago.


OK. If you have any further trouble, then you can go ahead and follow the instructions for getting malware removal assistance. ;)
