files sent to ESET for analysis

Discussion in 'ESET Smart Security' started by JackSun, Apr 2, 2009.

Thread Status:
Not open for further replies.
  1. JackSun

    JackSun Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    25
    Every few days I am getting about 6 - 10 files being sent to Eset for analysis.

    They seem to be randomly named .dll files.

    Here are a few examples (not the files, just the messages from the log files):


    01/04/2009 14:26:22 Kernel File 'G:\WINDOWS\system32\huhevita.dll' was sent to ESET for analysis.

    02/04/2009 17:00:37 Kernel File 'G:\WINDOWS\system32\sinodisi.dll' was sent to ESET for analysis.

    02/04/2009 17:00:38 Kernel File 'G:\WINDOWS\system32\sujuwido.dll' was sent to ESET for analysis.

    The strange thing is I don't have a G: drive in my system at all. And it's not a letter assigned to any USB memory sticks.

    I have run full system scans every day and ESS v4, Malwarebytes, SUPERAntiSpyware, Spybot Search & Destroy and Lavasoft Ad-Aware find nothing.

    The fact that it shows as a G: drive, which I don't have on my system, makes me think it's a bug. Anyone have any ideas?
     
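One way to triage log lines like the ones quoted above, as an added example that is not part of the original post and not an ESET tool: a small Python script that parses the three "sent to ESET for analysis" lines, flags any path whose drive letter the machine does not have (the poster lists C:, D:, E: and X:), and marks consonant-vowel gibberish names under a system32 path. The line format, the drive list and the naming heuristic are assumptions taken from this thread's three lines only, so a hit is a lead for further investigation, not a verdict.

```python
"""Triage ESET 'sent for analysis' log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the three log lines quoted verbatim in the first post.
SAMPLE_LOG_LINES = [
    r"01/04/2009 14:26:22 Kernel File 'G:\WINDOWS\system32\huhevita.dll' was sent to ESET for analysis.",
    r"02/04/2009 17:00:37 Kernel File 'G:\WINDOWS\system32\sinodisi.dll' was sent to ESET for analysis.",
    r"02/04/2009 17:00:38 Kernel File 'G:\WINDOWS\system32\sujuwido.dll' was sent to ESET for analysis.",
]

# Drive letters the poster says exist on the machine (C:, D:, E: DVD, X: USB stick).
KNOWN_DRIVES = {"C", "D", "E", "X"}

# Assumed line format, inferred from the quoted lines only.
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>\S+) File '(?P<path>[^']+)' was sent to ESET for analysis\.$"
)

# Heuristic derived from the three sample names: a stem built only from
# consonant-vowel pairs (hu-he-vi-ta, si-no-di-si, su-ju-wi-do). Ordinary
# words such as "sakura" also match, so treat a hit as a lead, not a verdict.
CV_STEM_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){3,6}$")


@dataclass
class SentFile:
    date: str
    time: str
    module: str
    path: str
    drive: Optional[str]
    filename: str


@dataclass
class Finding:
    entry: SentFile
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[SentFile]:
    """Return a SentFile for a 'sent to ESET' line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    drive = path[0].upper() if len(path) >= 2 and path[1] == ":" else None
    filename = path.rsplit("\\", 1)[-1]
    return SentFile(m.group("date"), m.group("time"), m.group("module"), path, drive, filename)


def looks_random(filename: str) -> bool:
    """True when the name stem is a run of consonant-vowel pairs (see CV_STEM_RE)."""
    stem = filename.rsplit(".", 1)[0].lower()
    return CV_STEM_RE.match(stem) is not None


def triage(lines: List[str], known_drives: Set[str]) -> List[Finding]:
    """Flag submissions from drive letters the system does not have, and
    random-looking .dll names under a system32 path."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons: List[str] = []
        if entry.drive is not None and entry.drive not in known_drives:
            reasons.append(f"path is on drive {entry.drive}:, which this system does not have")
        in_system32 = "\\system32\\" in entry.path.lower()
        if in_system32 and entry.filename.lower().endswith(".dll") and looks_random(entry.filename):
            reasons.append("random-looking .dll name under system32")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES, KNOWN_DRIVES):
        print(f"{f.entry.date} {f.entry.time} {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against an exported ESET event log with the drive list adjusted to the machine in question; every flagged path is one to hand to the support engineer together with the SysInspector log, since a file reported on a drive letter that does not exist is exactly the kind of inconsistency that points at either a hidden component or a product bug.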
  2. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    Maybe some virtual drive? And those .dlls run it.
     
  3. JackSun

    JackSun Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    25
    To my knowledge I have no virtual drives or any network shares etc.

    I have only 1 hard drive with 2 partitions, C: for system files, D: for programs and data. E: is my DVD drive and that's it.

    If I plug in my USB memory stick it is assigned to X: but that hasn't been in the machine when the files have been detected.
     
  4. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Accidentally you have found the Windows G spot.

    Are you running any virtualization environment like Sandboxie or Returnil?

    :ninja: You could be infected with a virtualization rootkit, your whole Windows runs in a virtual environment from the boot. And somehow, Eset is seeing the real installation via its Anti-Stealth technology. MUAHAHAHAHAHAH:ninja:


    Those were the droids you were looking for?
     
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    You may have an undetected malware component such as a rootkit which is dropping the files onto your system.

    ESET has a diagnostic tool called ESET SysInspector which can be used to help detect such programs.

    I would recommend downloading a copy from http://www.eset.com/download/sysinspector.php and running it on your system to create a log file, then emailing it to support@eset.com along with a description of the problem and a link to this message thread. A support engineer can then investigate the issue.

    Regards,

    Aryeh Goretsky
     
  6. DarrenDavisLeeSome

    DarrenDavisLeeSome Registered Member

    Joined:
    Mar 23, 2009
    Posts:
    315
    Location:
    Riverside, CA U.S.A
    You may wind up zeroing your HDD, reformatting, and installing the OS all over again from scratch. Rootkits are nasty little buggers. Not easily removed even with expert knowledge.

    Wouldn't hurt to have your BIOS flashed either.

    You need to be VERY careful JackSun. I'd keep that machine of yours disconnected from the Internet as much as possible. I don't mean to come off like an alarmist and I hate how paranoid this may sound but somebody could be using your system as a surrogate for Internet crimes without you even knowing it. Big Brother could be knocking at your door someday implicating your involvement in some ID Theft, Child Porn, or some other junk.
     
  7. The Nodder

    The Nodder Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    296
    Location:
    UK
    It is indeed possible.
    If it were me I'd cut my losses and re-install windows and all the other programs.

    JackSun,
    What security programs do you run, e.g.,
    ESS, or
    NOD32 and Agnitum Outpost firewall
    Spybot Search and Destroy (it's free)
    SUPERAntispyware
    Trojan hunter
    Malwarebytes antiMalware

    I run those, so far I've not had any problems.
    You won't get a much better set of programs than those.
    I have SASpyware always on with Malwarebytes used only to scan my PC.
    Spybot is an exceptionally super great program, it is used only to scan your C: partition as and when you wish, but regularly is great.
    When you download the updates some experts advise not to immunize your system 'cos that adds bits onto - I think it's - registry entries, I just can't recall at this moment, I've stopped doing it.
    I use SASpyware to monitor my system and Malwarebytes to scan my system as and when I want to do so, usually about every 1 or 2 weeks.
    They must be updated frequently.
     
    Last edited: Apr 3, 2009
  8. JackSun

    JackSun Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    25
    Ok thanks for replies.

    The only virtual machine I have is an Ubuntu 8.10 running under VirtualBox.

    I have never installed a Virtual Windows of any kind.

    I will run the sysinspector as suggested and see what happens.

    I run the latest version of ESS with the 4.0.417 update.

    I have also run all of the antivirus/malware programs I listed in Safe Mode, and booted from a UBCD for Windows environment and run them from there, but they find nothing.
     
  9. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    By virtual Windows I mean a rootkit that installs itself into your boot sector, which then is capable of launching virtualized Windows in a sense that everything you do is the same, it's just unseen. The performance impact is minimal due to increased hardware virtualization calls in today's CPUs.
    It was an old proof of concept, where a whole Windows was launched virtualized w/o the user's knowledge. However, there are many simpler rootkit methods that don't have to reach that extreme.
     