Umiamz (Author) Posted December 5, 2015

For the past 3 hours EAM has been detecting Trojan.MSIL.XAA in a .DLL in a Temp directory. It looks like something runs at the same time each hour and creates a temporary DLL. Here's the File Guard log:

Emsisoft Anti-Malware - Version 11.0
FG log
Date PID Application Event Detection
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)

I've no idea what is creating the DLL - I can't see anything in any of the more common Windows event logs, and whatever it is cleans up after itself and leaves no files in Temp that are dated around the same time. Also, Quarantine is actually empty, as is the Quarantine log.

Any ideas?

Graaoer Posted December 5, 2015

I'm having the exact same problem. Also started this morning for me. Funnily enough my user map it's happening in, is called Mike.. Maybe an attack on Mike named users?

Umiamz (Author) Posted December 5, 2015

Looks like it might have been fixed - last one was 11:49 and it's now 14:50.

Umiamz (Author) Posted December 6, 2015

I spoke too soon - it's doing it again but detecting a different trojan this time:

Emsisoft Anti-Malware - Version 11.0
FG log
Date PID Application Event Detection
06/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\0_emqk0k.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\pnnmocab.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 05:49:03 0 C:\Users\mikez\AppData\Local\Temp\bz-t3r32.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 04:49:03 0 C:\Users\mikez\AppData\Local\Temp\d2gs8m_1.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 03:49:03 0 C:\Users\mikez\AppData\Local\Temp\qlcyvklq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 02:49:02 0 C:\Users\mikez\AppData\Local\Temp\wxlhesaq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
05/12/2015 11:49:03 0 C:\Users\mikez\AppData\Local\Temp\i7vznkoj.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 10:49:04 0 C:\Users\mikez\AppData\Local\Temp\ywuwzr7w.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)

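One way to test the "same time each hour" observation against the File Guard entries in the post above (an added example, not part of the thread or of Emsisoft's tooling; the function names are illustrative and the log layout is assumed to be exactly as pasted):

```python
import ntpath
import re
from collections import Counter
from datetime import datetime, timedelta
# File Guard entries copied from the post above; dates are DD/MM/YYYY.
LOG = r"""
06/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\0_emqk0k.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\pnnmocab.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 05:49:03 0 C:\Users\mikez\AppData\Local\Temp\bz-t3r32.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 04:49:03 0 C:\Users\mikez\AppData\Local\Temp\d2gs8m_1.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 03:49:03 0 C:\Users\mikez\AppData\Local\Temp\qlcyvklq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
06/12/2015 02:49:02 0 C:\Users\mikez\AppData\Local\Temp\wxlhesaq.dll Quarantined by rule Trojan.Ranapama.HJ (B)
05/12/2015 11:49:03 0 C:\Users\mikez\AppData\Local\Temp\i7vznkoj.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 10:49:04 0 C:\Users\mikez\AppData\Local\Temp\ywuwzr7w.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)
05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)
"""
ENTRY = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \d+ (.+?) Quarantined by rule (\S+)")

def parse(log):
    """Return (time, path, rule) tuples, oldest first."""
    rows = []
    for line in log.strip().splitlines():
        m = ENTRY.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
            rows.append((when, m.group(2), m.group(3)))
    return sorted(rows)

def summarise(rows, period=timedelta(hours=1), slack=timedelta(seconds=30)):
    """Measure how regular the detections are and where the run is interrupted."""
    times = [t for t, _, _ in rows]
    steps = list(zip(times, times[1:]))
    rules = {}
    for t, _, rule in rows:
        rules.setdefault(rule, [t, t])[1] = t  # first and last hit per rule
    return {
        "events": len(rows),
        "on_period": sum(abs(b - a - period) <= slack for a, b in steps),
        "gaps": [(a, b) for a, b in steps if b - a > period + slack],
        "minute_of_hour": Counter(t.minute for t in times).most_common(1)[0],
        "name_lengths": {len(ntpath.splitext(ntpath.basename(p))[0]) for _, p, _ in rows},
        "rules": rules,
    }

if __name__ == "__main__":
    print(summarise(parse(LOG)))
```

On the entries above this reports 10 of 11 steps within 30 seconds of one hour, every hit at minute 49, a single break between 11:49 on 5 December and 02:49 on 6 December, and eight-character basenames throughout.
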
stapp Posted December 6, 2015

What kind of scan does this appear with: quick, malware or custom? Or does it appear in all types of scans?

Umiamz (Author) Posted December 6, 2015

> What kind of scan does this appear with: quick, malware or custom? Or does it appear in all types of scans?

None of those - it's File Guard that's detecting it. The DLL only seems to be there for a very short time and isn't appearing in quarantine or in the quarantine log despite EAM saying it has quarantined it. File Guard is on the Balanced setting.

Appears to be fixed again now, anyway...

GT500 Posted December 8, 2015

I recommend following the instructions at this link to open a malware removal topic in this section of our forums. Be sure to also post the parts of the File Guard log showing the detections you are seeing when you post the rest of your logs.

Umiamz (Author) Posted December 8, 2015

> I recommend following the instructions at this link to open a malware removal topic in this section of our forums. Be sure to also post the parts of the File Guard log showing the detections you are seeing when you post the rest of your logs.

Thanks, but it appears to have been fixed via a signature update a couple of days ago.

GT500 Posted December 10, 2015

OK. If you have any further trouble, then you can go ahead and follow the instructions for getting malware removal assistance.