kp1512

EEK detects Malware in C:\Windows\System32\Fonts


Hi

 

We have a brand new build of a laptop with Windows 10 and we noticed that when we ran EEK it showed a detection of a virus in C:\Windows\System32\Fonts

But we are not able to open it when we try and open the location from within EEK

When I browse to the folder it has three TTF files per the attached screen shot.

I then ran an AV scan with Kaspersky and Bitdefender and that didn't detect anything.

Could this be a false positive?

 

files3.png


Does EEK have a log?  If so does it show more info if you double-click the line saying there's a detection?  One might hope for the name of the supposedly-infected file.

Also, in your File Explorer settings, do you have the option to display hidden files turned on?  (That should, if W10 is like W8.1, be in the View tab of File Explorer's Options dialog.)


Log file contents

=======

Emsisoft Emergency Kit - Version 2020.5
Last update: 04/07/2020 12:49:26
My own EDITED
Hostname Edited
Windows 10x64

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: ON
Scan archives: OFF
Scan mail archives: OFF
ADS Scan: ON
Direct disk access: OFF

Scan start:    04/07/2020 12:49:36
C:\WINDOWS\system32\fonts     detected: Trojan-Spy.Win32.Agent (A) [221784]

Scanned    75966
Found    1

Scan end:    04/07/2020 12:50:26
Scan time:    0:00:50
=========

 

I then enabled view for hidden files and also OS files.

 

Looked in to C:\Windows\System32\Fonts and same three files

I also checked to see if fonts was a file in the root of System32 - but nothing is there.

 

Very confused... but equally would like to see what is causing this


You could try uploading each of the three font files to VirusTotal - see: https://www.virustotal.com/gui/home/upload - and make sure you use the "File" tab there. Their system will let lots of different antivirus products examine the files, and tell you what it thinks about each one. If it's clear that most or all of the other products think the files are fine, it'd be useful to Emsisoft if you'd post the URLs of the three VirusTotal reports into your next reply.

 

Just now, stapp said:

If you look in C:\Windows\fonts is the Roboto font listed there?

Correct - all three files are in there

6 minutes ago, JeremyNicoll said:

You could try uploading each of the three font files to VirusTotal - see: https://www.virustotal.com/gui/home/upload - and make sure you use the "File" tab there. Their system will let lots of different antivirus products examine the files, and tell you what it thinks about each one. If it's clear that most or all of the other products think the files are fine, it'd be useful to Emsisoft if you'd post the URLs of the three VirusTotal reports into your next reply.

 

Sure, here you go

 

https://www.virustotal.com/gui/file/9287925cae90ac480804094ff0876832065e2db116470da1f524d79ed9c18b70/detection

 

https://www.virustotal.com/gui/file/b17667ce7e13581db105777f986e141168231e88a8ef16d13e581c7c1525f14b/detection

 

https://www.virustotal.com/gui/file/b2efabca5ea4bc56eea829713706b5cd0788b82aca153bd4adde9b1573933b4f/detection

 

 


Someone who knows more than me will need to comment. It's odd that EEK, using (according to its log) up-to-date definitions, thinks - it seems - that one of these files is iffy.

On the other hand, all those a/v products, including EAM, think the files are ok.

That makes me wonder if there was ever another file involved - can EEK quarantine things? I don't know. Or if a directory itself can somehow be infected?

I note also that the EEK scan did look in Alternate Data Streams. If any of these font files have an ADS, I don't know if that would have been uploaded to VirusTotal along with the principal content of the files. You could use: https://docs.microsoft.com/en-gb/sysinternals/downloads/streams to see if any of the files do have an ADS, or (if you prefer a GUI): https://www.nirsoft.net/utils/alternate_data_streams.html

 

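Added example (not from this thread or from Emsisoft): one PowerShell pass that covers both suggestions above, the VirusTotal check and the ADS question, for the folder named in the EEK log. It assumes the folder path from the log and uses the three SHA-256 values from the VirusTotal report URLs posted earlier; everything else is standard Windows PowerShell.

```powershell
# Added example: list every file in the flagged folder (including hidden/system
# files, which the OP had to enable in Explorer), its SHA-256, whether that
# hash is one of the three VirusTotal reports already posted, and any
# alternate data streams attached to it.
$FontDir = 'C:\Windows\System32\Fonts'   # path from the EEK log above
$ReportedHashes = @(                      # from the three VirusTotal URLs in the thread
  '9287925cae90ac480804094ff0876832065e2db116470da1f524d79ed9c18b70',
  'b17667ce7e13581db105777f986e141168231e88a8ef16d13e581c7c1525f14b',
  'b2efabca5ea4bc56eea829713706b5cd0788b82aca153bd4adde9b1573933b4f'
)

Get-ChildItem -LiteralPath $FontDir -File -Force | ForEach-Object {
  $file = $_
  # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS,
  # which VirusTotal would not have seen when only the main stream was uploaded.
  $ads = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
         Where-Object { $_.Stream -ne ':$DATA' }
  $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()
  [pscustomobject]@{
    Name       = $file.Name
    Attributes = $file.Attributes
    SizeBytes  = $file.Length
    SHA256     = $hash
    OnVT       = $ReportedHashes -contains $hash   # matches a posted VT report?
    ADS        = if ($ads) {
                   ($ads | ForEach-Object { "$($_.Stream) ($($_.Length) B)" }) -join ', '
                 } else { '(none)' }
  }
} | Format-Table -AutoSize

# The EEK log names the directory, not a file, so also check whether the
# folder object itself carries a named stream (NTFS directories can have ADS too).
Get-Item -LiteralPath $FontDir -Stream * -ErrorAction SilentlyContinue |
  Where-Object { $_.Stream -ne ':$DATA' } |
  Select-Object @{ n = 'Directory'; e = { $FontDir } }, Stream, Length
```

A file whose SHA-256 is not in the OnVT column is one the thread has no report for yet; a non-empty ADS column is the case the post above says VirusTotal would not have covered.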
27 minutes ago, JeremyNicoll said:

Someone who knows more than me will need to comment. It's odd that EEK, using (according to its log) up-to-date definitions, thinks - it seems - that one of these files is iffy.

On the other hand, all those a/v products, including EAM, think the files are ok.

That makes me wonder if there was ever another file involved - can EEK quarantine things? I don't know. Or if a directory itself can somehow be infected?

I note also that the EEK scan did look in Alternate Data Streams. If any of these font files have an ADS, I don't know if that would have been uploaded to VirusTotal along with the principal content of the files. You could use: https://docs.microsoft.com/en-gb/sysinternals/downloads/streams to see if any of the files do have an ADS, or (if you prefer a GUI): https://www.nirsoft.net/utils/alternate_data_streams.html

 

Ho

So I used both - and no streams at all

I then copied the Fonts folder to a USB and performed a scan off a VM and it detects nothing

 

How bizarre is this?

 

Windows Defender Online scan and offline scan showed nothing as well


It looks like Elise has already replied to your other topic. She should be able to resolve any false positives you find. ;)
