False positive?

[Umiamz]

For the past 3 hours EAM has been detecting Trojan.MSIL.XAA in a .DLL in a Temp directory. It looks like something runs at the same time each hour and creates a temporary DLL. Here's the File Guard log:

 

Emsisoft Anti-Malware - Version 11.0

FG log

 

Date PID Application Event Detection

05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)

 

 

I've no idea what is creating the DLL - I can't see anything in any of the more common Windows event logs, and whatever it is cleans up after itself and leaves no files in Temp that are dated around the same time.

 

Also, Quarantine is actually empty, as is the Quarantine log.

 

Any ideas?

[Graaoer]

I'm having the exact same problem. Also started this morning for me.

 

Funnily enough my user map it's happening in, is called Mike.. Maybe an attack on Mike named users?

[Umiamz]

Looks like it might have been fixed - last one was 11:49 and it's now 14:50.

[Umiamz]

I spoke too soon - it's doing it again but detecting a different trojan this time:

 

Emsisoft Anti-Malware - Version 11.0

FG log

 

Date PID Application Event Detection

06/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\0_emqk0k.dll Quarantined by rule Trojan.Ranapama.HJ (B)

06/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\pnnmocab.dll Quarantined by rule Trojan.Ranapama.HJ (B)

06/12/2015 05:49:03 0 C:\Users\mikez\AppData\Local\Temp\bz-t3r32.dll Quarantined by rule Trojan.Ranapama.HJ (B)

06/12/2015 04:49:03 0 C:\Users\mikez\AppData\Local\Temp\d2gs8m_1.dll Quarantined by rule Trojan.Ranapama.HJ (B)

06/12/2015 03:49:03 0 C:\Users\mikez\AppData\Local\Temp\qlcyvklq.dll Quarantined by rule Trojan.Ranapama.HJ (B)

06/12/2015 02:49:02 0 C:\Users\mikez\AppData\Local\Temp\wxlhesaq.dll Quarantined by rule Trojan.Ranapama.HJ (B)

05/12/2015 11:49:03 0 C:\Users\mikez\AppData\Local\Temp\i7vznkoj.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 10:49:04 0 C:\Users\mikez\AppData\Local\Temp\ywuwzr7w.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 09:49:04 0 C:\Users\mikez\AppData\Local\Temp\vt-yy5xq.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 08:49:05 0 C:\Users\mikez\AppData\Local\Temp\kn0uetb-.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 07:49:03 0 C:\Users\mikez\AppData\Local\Temp\kliukj8k.dll Quarantined by rule Trojan.MSIL.XAA (B)

05/12/2015 06:49:02 0 C:\Users\mikez\AppData\Local\Temp\ddcyoaxm.dll Quarantined by rule Trojan.MSIL.XAA (B)

[stapp]

What kind of scan does this appear with quick, malware or custom?

 

Or does it appear in all types of scans?

[Umiamz]

What kind of scan does this appear with quick, malware or custom?

 

Or does it appear in all types of scans?

 

None of those - it's File Guard that's detecting it. The DLL only seems to be there for a very short time and isn't appearing in quarantine or in the quarantine log despite EAM saying it has quarantined it. File Guard is on the Balanced setting.

 

Appears to be fixed again now, anyway...

[GT500]

I recommend following the instructions at this link to open a malware removal topic in this section of our forums. Be sure to also post the parts of the File Guard log showing the detections you are seeing when you post the rest of your logs.

[Umiamz]

I recommend following the instructions at this link to open a malware removal topic in this section of our forums. Be sure to also post the parts of the File Guard log showing the detections you are seeing when you post the rest of your logs.

 

Thanks, but it appears to have been fixed via a signature update a couple of days ago.

[GT500]

OK. If you have any further trouble, then you can go ahead and follow the instructions for getting malware removal assistance.