cship

Suspicious behaviour "CryptoMalware" notices


Hello,

I have two issues which may or may not be related...

1. I have had this issue in the past which seemed to be resolved after review with Emsisoft and which may have been a false positive?

Every time I boot up computer, within minutes I get an Emsisoft suspicious behavior notification which states in the log "Behavior.CryptoMalware" in "oct7FE.tmp.exe" or "octA08.tmp.exe". It seems as though it generates the same prefix "oct" followed by a different suffix "A08" (as an example).

I had this happen before approximately 6 months ago, got direct help through Emsisoft and finally was able to resolve it. 



Pardon me I prematurely submitted before finishing my issues...

2. I believe there is a software conflict with Emsisoft and Topaz Labs software. When I update any Topaz Labs software I get a notice that it may be a Trojan Downloader or some such. I downloaded "Studio 2" yesterday, had it opened while participating in a seminar and my computer rebooted 3 times approximately 5-10 minutes apart. I had to shut down and get help as I thought it may be a virus, but I was told I was not via "Support.com". The site to download "Studio 2" is https://topazlabs.com/studio/

I have not had my computer simultaneously reboot since, however.  I have not used Topaz Labs since though.

Any assistance would be most appreciated.

My computer is Windows 10, system is 64 bit operating system.

Thank you,

C


12 hours ago, cship said:

Every time I boot up computer, within minutes I get an Emsisoft suspicious behavior notification which states in the log "Behavior.CryptoMalware" in "oct7FE.tmp.exe" or "octA08.tmp.exe". It seems as though it generates the same prefix "oct" followed by a different suffix "A08" (as an example).

I'd need to either have a copy of the file in question or know its SHA-1 hash in order to look it up before I could comment as to whether or not it's safe.

Open the logs in Emsisoft Anti-Malware and search for the file name to find it quickly. There will be two types of entries in the logs that will come up in the search; one that has a blue icon on the left, and one that has a red icon on the left. Double-click on one of the entries that has a red icon (these will say "Detection" in the Action column), click the Copy button in the dialog that pops up, and then paste it into a reply for me to review.

Note: The search field in the logs is not automatically cleared when you close Emsisoft Anti-Malware, so you will need to manually delete anything you enter into the search field when you're done.


11 hours ago, cship said:

When I update any Topaz Lab software I get a notice that it may be a Trojan Downloader or some such.

This is not abnormal with software that doesn't have a digital signature. If you trust the publisher/developer of the software, then you can add it to the exclusions in Emsisoft Anti-Malware to prevent issues.


11 hours ago, cship said:

I downloaded "Studio 2" yesterday, had it opened while participating in a seminar and my computer rebooted 3 times approximately 5-10 minutes apart.

Are you sure it rebooted rather than crashing? Is there a file named "MEMORY.DMP" in the Windows folder, and was it last modified on the day you had this issue?


Hello,

I did as instructed and copied the log file.  It is as follows:

8/1/2019 11:09:12 AM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\c1wav\AppData\Local\Temp\octA08.tmp.exe (SHA1: E1B1D23B29C2901779335E92AF802BD39BF33032)

8/1/2019 11:09:18 AM
A notification message "Suspicious behavior has been found in the following program: C:\Users\c1wav\AppData\Local\Temp\octA08.tmp.exe" has been shown

I will try doing as you said regarding the Topaz Labs software and see if this resolves it.

Thank you!



I'm sorry, the other log file as an example is the following:

7/30/2019 9:31:34 AM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\c1wav\AppData\Local\Temp\oct7FE.tmp.exe (SHA1: E1B1D23B29C2901779335E92AF802BD39BF33032)

7/30/2019 9:31:38 AM
A notification message "Suspicious behavior has been found in the following program: C:\Users\c1wav\AppData\Local\Temp\oct7FE.tmp.exe" has been shown

This is a typical type file name that appeared in the past as well.

Thank you



Searching for those two hashes on VirusTotal produces these two report pages, for something called "App Explorer":

https://www.virustotal.com/gui/file/d6fce4e58f95e983ec26eb1f0d865bd24c98ddd26dafaf8384747d652254bec2/detection

and

https://www.virustotal.com/gui/file/d6fce4e58f95e983ec26eb1f0d865bd24c98ddd26dafaf8384747d652254bec2/detection

and the files (at least those analysed by VT) DO appear to be signed... by "Sweetlabs". Nothing on the VT pages mentions TopazLabs.

12 hours ago, cship said:

7/30/2019 9:31:34 AM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\c1wav\AppData\Local\Temp\oct7FE.tmp.exe (SHA1: E1B1D23B29C2901779335E92AF802BD39BF33032)

According to VirusTotal, that file is digitally signed by SweetLabs, Inc. I'll have to ask our malware analysts about this one.

5 hours ago, JeremyNicoll said:

Searching for those two hashes on VirusTotal produces these two report pages, for something called " App Explorer ":

Those are both the same hash. ;)

20 hours ago, cship said:

8/1/2019 11:09:12 AM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\c1wav\AppData\Local\Temp\octA08.tmp.exe (SHA1: E1B1D23B29C2901779335E92AF802BD39BF33032)

The digital signature has been whitelisted now, so hopefully that should resolve the issue for you.


8 hours ago, GT500 said:

Those are both the same hash. ;)

Ach, so they are. I just c&p them out of the OP's report and looked them up separately. I wonder why the OP had two copies?



Thank you so much! 

I have to say, when I got support through "Support.com" for the rebooting problem, the tech asked why I would be using Emsisoft?... this is why because of your excellent support and product.  Thank you once again.

On 8/2/2019 at 9:30 AM, JeremyNicoll said:

I wonder why the OP had two copies?

It could use a different file name every time it gets copied to the TEMP folder and executed.


On 8/2/2019 at 12:25 PM, cship said:

... when I got support through "Support.com" for the rebooting problem, the tech asked why I would be using Emsisoft?

Well, if they really need a reason, then you could always use our list of ransomware decrypters as proof that we know what we're doing:
https://www.emsisoft.com/ransomware-decryption-tools/free-download

Granted I think support.com has a contract with someone else to sell their software, so they might be concerned more with fulfilling that sales agreement than with what's actually effective or not.

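The point GT500 makes above (the same program lands in %TEMP% under a fresh random name on every run, so two "different" detections share one SHA-1) is easy to check by hand on two log entries, but it is worth automating when a Behavior Blocker log contains dozens of them. The following Python script is an added example, not Emsisoft's code and not from anyone in this thread. It parses the exact log format pasted earlier (a timestamp line followed by a "Behavior Blocker detected suspicious behavior ..." line), groups the detections by SHA-1 so that every distinct file name seen for one hash is listed together, and flags names that follow the Windows GetTempFileName() convention (prefix, up to four hex digits, ".tmp"), which is what "oct7FE.tmp.exe" and "octA08.tmp.exe" look like. The sample log embedded in the script is constructed from the four lines quoted in this thread; the "oct" prefix check is an assumption specific to this case, not a general rule.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the Behavior Blocker entries pasted earlier in this thread.
SAMPLE_LOG = """\
8/1/2019 11:09:12 AM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\\Users\\c1wav\\AppData\\Local\\Temp\\octA08.tmp.exe (SHA1: E1B1D23B29C2901779335E92AF802BD39BF33032)

8/1/2019 11:09:18 AM
A notification message "Suspicious behavior has been found in the following program: C:\\Users\\c1wav\\AppData\\Local\\Temp\\octA08.tmp.exe" has been shown

7/30/2019 9:31:34 AM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\\Users\\c1wav\\AppData\\Local\\Temp\\oct7FE.tmp.exe (SHA1: E1B1D23B29C2901779335E92AF802BD39BF33032)
"""

# One detection line as it appears in the copied Emsisoft log entry.
DETECTION_RE = re.compile(
    r'Behavior Blocker detected suspicious behavior "(?P<behavior>[^"]+)" of '
    r'(?P<path>.+?) \(SHA1: (?P<sha1>[0-9A-Fa-f]{40})\)'
)
# The timestamp line that precedes each log entry (US date format, 12-hour clock).
TIMESTAMP_RE = re.compile(r'^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$')
# Windows GetTempFileName() produces <prefix><up to 4 hex digits>.tmp; the "oct"
# prefix is an assumption taken from the file names in this thread.
TEMP_NAME_RE = re.compile(r'^oct[0-9A-Fa-f]{1,4}\.tmp\.exe$')


@dataclass(frozen=True)
class Detection:
    timestamp: str
    behavior: str
    path: str
    sha1: str

    @property
    def filename(self):
        # Windows path: the file name is everything after the last backslash.
        return self.path.rsplit('\\', 1)[-1]


def parse_detections(log_text):
    """Return the detection entries from a copied Emsisoft log, in file order."""
    detections = []
    last_timestamp = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if TIMESTAMP_RE.match(line):
            last_timestamp = line          # remember it for the line that follows
            continue
        match = DETECTION_RE.search(line)
        if match:
            detections.append(Detection(
                last_timestamp, match['behavior'], match['path'], match['sha1'].upper()))
    return detections


def names_by_hash(detections):
    """Map each SHA-1 to the sorted list of distinct file names it was seen under."""
    groups = defaultdict(set)
    for det in detections:
        groups[det.sha1].add(det.filename)
    return {sha1: sorted(names) for sha1, names in groups.items()}


def is_temp_style_name(filename):
    """True when the name matches the random temp-file naming seen in this thread."""
    return bool(TEMP_NAME_RE.match(filename))


if __name__ == '__main__':
    for sha1, names in names_by_hash(parse_detections(SAMPLE_LOG)).items():
        flagged = [n for n in names if is_temp_style_name(n)]
        print(f'{sha1}: {len(names)} name(s) {names}; temp-style: {flagged}')
```

Run it on a log pasted into SAMPLE_LOG (or read from a file instead) and one line per hash is printed; a single hash with several temp-style names is the pattern GT500 describes, whereas several hashes under the same name would be a different situation worth reporting separately, since a VirusTotal lookup or a signature whitelist applies to one hash at a time.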
