EEK detects Malware in C:\Windows\System32\Fonts


kp1512


Hi

 

We have a brand new build of a laptop with Windows 10 and we noticed that when we ran EEK it showed a detection of a virus in C:\Windows\System32\Fonts.

But we are not able to open it when we try to open the location from within EEK.

When I browse to the folder it has three TTF files per the attached screen shot.

I then ran an AV scan with Kaspersky and Bitdefender, and that didn't detect anything.

Could this be a false positive?

 

files3.png


Does EEK have a log?  If so does it show more info if you double-click the line saying there's a detection?  One might hope for the name of the supposedly-infected file.

Also, in your File Explorer settings, do you have the option to display hidden files turned on?  (That should, if W10 is like W8.1, be in the View tab of File Explorer's Options dialog.)


Log file contents

=======

Emsisoft Emergency Kit - Version 2020.5
Last update: 04/07/2020 12:49:26
My own EDITED
Hostname Edited
 Windows 10x64 

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: ON
Scan archives: OFF
Scan mail archives: OFF
ADS Scan: ON
Direct disk access: OFF

Scan start:    04/07/2020 12:49:36
C:\WINDOWS\system32\fonts     detected: Trojan-Spy.Win32.Agent (A) [221784]

Scanned    75966
Found    1

Scan end:    04/07/2020 12:50:26
Scan time:    0:00:50
=========

 

I then enabled viewing of hidden files and also of OS files.

 

Looked into C:\Windows\System32\Fonts and saw the same three files.

I also checked to see if fonts was a file in the root of System32, but nothing is there.

 

Very confused... but equally I would like to see what is causing this.


You could try uploading each of the three font files to VirusTotal - see: https://www.virustotal.com/gui/home/upload - and make sure you use the "File" tab there. Their system will let lots of different antivirus products examine the files, and tell you what it thinks about each one. If it's clear that most or all of the other products think the files are fine, it'd be useful to Emsisoft if you'd post the URLs of the three VirusTotal reports into your next reply.

 


6 minutes ago, JeremyNicoll said:

You could try uploading each of the three font files to VirusTotal - see: https://www.virustotal.com/gui/home/upload - and make sure you use the "File" tab there. Their system will let lots of different antivirus products examine the files, and tell you what it thinks about each one. If it's clear that most or all of the other products think the files are fine, it'd be useful to Emsisoft if you'd post the URLs of the three VirusTotal reports into your next reply.

 

Sure here you go

 

https://www.virustotal.com/gui/file/9287925cae90ac480804094ff0876832065e2db116470da1f524d79ed9c18b70/detection

 

https://www.virustotal.com/gui/file/b17667ce7e13581db105777f986e141168231e88a8ef16d13e581c7c1525f14b/detection

 

https://www.virustotal.com/gui/file/b2efabca5ea4bc56eea829713706b5cd0788b82aca153bd4adde9b1573933b4f/detection

 

 


Someone who knows more than me will need to comment. It's odd that EEK, using (according to its log) up-to-date definitions, thinks - it seems - that one of these files is iffy.

On the other hand, all those a/v products, including EAM, think the files are ok. 

That makes me wonder if there was ever another file involved - can EEK quarantine things?  I don't know.  Or if a directory itself can somehow be infected? 

I note also that the EEK scan did look in Alternate Data Streams. If any of these font files have an ADS, I don't know if that would have been uploaded to VirusTotal along with the principal content of the files. You could use: https://docs.microsoft.com/en-gb/sysinternals/downloads/streams to see if any of the files do have an ADS, or (if you prefer a GUI): https://www.nirsoft.net/utils/alternate_data_streams.html

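The two checks suggested in this thread (hash the files for a VirusTotal lookup, and look for alternate data streams) can be done together from PowerShell on the affected machine. The script below is an added example, not something posted in the thread or shipped with EEK or Sysinternals. It assumes the folder path from the EEK log (C:\Windows\System32\Fonts) and Windows 10's built-in PowerShell 5.1 (Get-FileHash and the -Stream parameter on Get-Item). The report URL format is the one in the VirusTotal links posted above; the lookup only needs the SHA-256, so nothing has to be uploaded. Because the EEK log names the folder rather than a file, the directory's own streams are listed as well.

```powershell
# Added example (not from the thread): hash each font file for a VirusTotal
# lookup and list any alternate data streams (ADS) on the files and the folder.
# Assumed path: the folder named in the EEK log. Run from an elevated prompt.
$folder = 'C:\Windows\System32\Fonts'

Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
    $file = $_
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Every stream other than the default unnamed data stream (':$DATA') is an ADS.
    $ads = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' }

    [pscustomobject]@{
        Name     = $file.Name
        Bytes    = $file.Length
        SHA256   = $hash.ToLower()
        ADS      = if ($ads) {
                       ($ads | ForEach-Object { "$($_.Stream) ($($_.Length) bytes)" }) -join '; '
                   } else { '<none>' }
        # Report URL format taken from the VirusTotal links posted in this thread.
        VTReport = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
    }
} | Format-List

# Directories can carry ADS too; EEK reported the folder itself, not a file.
# (Assumption: -Stream on a directory works on this PowerShell version.)
Write-Host "Alternate data streams on the folder $folder :"
$dirAds = Get-Item -LiteralPath $folder -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' }
if ($dirAds) { $dirAds | Select-Object FileName, Stream, Length | Format-Table -AutoSize }
else         { Write-Host '  <none>' }
```

Paste the SHA-256 values, or open the VTReport URLs, to compare against the three reports already posted; a hash that matches one of those report URLs confirms the on-disk file is the same one VirusTotal examined. A non-empty ADS column on any file, or on the folder, would be worth quarantining a copy of and sending to Emsisoft, since VirusTotal only sees the main data stream of an uploaded file.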
 


27 minutes ago, JeremyNicoll said:

Someone who knows more than me will need to comment. It's odd that EEK, using (according to its log) up-to-date definitions, thinks - it seems - that one of these files is iffy.

On the other hand, all those a/v products, including EAM, think the files are ok. 

That makes me wonder if there was ever another file involved - can EEK quarantine things?  I don't know.  Or if a directory itself can somehow be infected? 

I note also that the EEK scan did look in Alternate Data Streams. If any of these font files have an ADS, I don't know if that would have been uploaded to VirusTotal along with the principal content of the files. You could use: https://docs.microsoft.com/en-gb/sysinternals/downloads/streams to see if any of the files do have an ADS, or (if you prefer a GUI): https://www.nirsoft.net/utils/alternate_data_streams.html

 

Hi

So I used both, and there are no streams at all.

I then copied the Fonts folder to a USB and performed a scan off a VM, and it detects nothing.

 

How bizarre is this?

 

Windows Defender online scan and offline scan showed nothing as well.
