Problem description: So today, yesterday and this past Sunday Rkill has been picking up and deleting these exe files in my Temp folder as malware processes, listed as follows...

Checking for processes to terminate:
 * C:\Users\Owner\AppData\Local\Temp\{EDE1C972-6D26-40A2-B94F-AA8949413685}\{13250C03-6E30-47A0-A1A4-B4B41463A075}.exe (PID: 14712) [T-HEUR]
1 proccess terminated!

and then another time today:
 * C:\Users\Owner\AppData\Local\Temp\{DA34F588-1644-4B46-95B6-D7B399587D65}\{52C17FEA-3A1E-45C6-9851-3EC1926F5A39}.exe (PID: 7784) [T-HEUR]

So far it's happened four times in these three days. They seem to be accompanied by these folders named in a similar code popping up in my Temp folder, and I can't access them or change my permissions or run as administrator to look at them. A Webroot scan says there's about a dozen tmp files in these folders as well. I can delete them, but they also seem to disappear on their own (they are created at the exact same minute as when Rkill picks up these exe files). On the 20th I had to reinstall Webroot to hopefully fix an issue I was having with their extension. That's when Rkill started picking these up. So far I haven't seen any damage being done (no popups, malware detections, ransomware, programs running apparently, etc.). However, I never had Rkill detect these before, and that they are still being picked up has me worried.

Attempted fixes: Ran Rkill, TDSSKiller, Malwarebytes for both quick and full custom scan with Rootkit detect option on. Nothing was found except with Rkill. I posted this issue at bleepingcomputer.com and ran the following scans they suggested: JRT, AdwCleaner, and Zamena, but no major infections or malware has been detected. Restarts and shut downs don't seem to make a difference; the detections happen randomly (they don't always happen when I run RKill).

Recent changes: As stated before, I did reinstall Webroot, which required my security to be down temporarily. However, I had no Internet or programs running at the time. I've also uninstalled some game software, but the recent detect occurred by itself.

Operating system: Windows 8.1 Home, 64
System specs: ASUS G46VW Model: 2230BNHMW, Intel Core i5-3230m CPU 2.60GHz, Memory 8.00 GB (7.89 usable)
Location: USA
I have Googled and read the FAQ: Yes
Dec 24, 2015 07:25
That seems like normal Temp folder activity. Rkill is showing a heuristic result, which means activity looks vaguely suspicious but doesn't match any known threats. Unless you have other indications of a problem or suspicious activity, you can assume heuristic results are false positives. I'd also recommend you remove the security software you have running in the background. Security professionals agree that these tools aren't really helpful against the threats people face today, and software that adds browser plug-ins generally makes you more vulnerable to threats on the web, because they can just exploit the plug-in. The included Windows Defender software provides about all the protection that is possible for security software, and won't cause system problems or generate false positives to try to convince you it is doing something helpful.
Dec 24, 2015 11:02
Any idea why it's picking up false positives now? I run Rkill pretty much daily. As for removing security software, that's years of paranoia and failed devices I'm going to have to mentally jump over to do that. Webroot has been good to me, as I've had zero infections so far with it. On the other hand, I've been practicing smarter Web searching since then, so that could just as easily be the reason I've been safe as well. If I ever get around to buying another laptop I'll try testing that out.

UPDATE: I figured out what was going on. I usually run TDSSKiller right after I do Rkill, right? But if I open it up at the same time Rkill runs, it detects the tmp files of TDSSKiller running and labels it as a malware process. I think I'm good. Still, thanks for the response, Alereon, it definitely eased my mind. And I'll think on what you said about removing security software.

Roman Reigns fucked around with this message at 20:18 on Dec 24, 2015

Dec 24, 2015 15:30
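The thread's resolution (a GUID-named executable under Temp, flagged as [T-HEUR] only while another scanner was running) is a triage pattern worth automating. The following is an added example, not code from the thread or from Rkill: it parses Rkill's "Checking for processes to terminate" lines into records, recognises the GUID-folder/GUID-exe-under-Temp shape quoted above, and assigns a triage label that depends on whether a self-extracting scanner such as TDSSKiller was running at the same time. The log text is constructed from the two lines quoted in the thread plus one made-up non-Temp hit; the `scanners_running` argument is a hypothetical input the caller supplies (for instance from a process listing taken at the same moment), since the script cannot know that offline.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# One Rkill hit line, in the shape quoted in the thread:
#   * <path> (PID: <n>) [<tag>]
HIT_RE = re.compile(
    r"^\s*\*\s+(?P<path>.+?)\s+\(PID:\s*(?P<pid>\d+)\)\s+\[(?P<tag>[^\]]+)\]\s*$"
)

# A registry-style GUID in braces: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample log: the two paths quoted in the thread plus one
# made-up hit outside Temp, to show the classifier telling them apart.
SAMPLE_RKILL_LOG = r"""
Checking for processes to terminate:

 * C:\Users\Owner\AppData\Local\Temp\{EDE1C972-6D26-40A2-B94F-AA8949413685}\{13250C03-6E30-47A0-A1A4-B4B41463A075}.exe (PID: 14712) [T-HEUR]
 * C:\Users\Owner\AppData\Local\Temp\{DA34F588-1644-4B46-95B6-D7B399587D65}\{52C17FEA-3A1E-45C6-9851-3EC1926F5A39}.exe (PID: 7784) [T-HEUR]
 * C:\Program Files\ExampleVendor\updater.exe (PID: 4242) [T-HEUR]
"""


@dataclass
class RkillHit:
    path: str
    pid: int
    tag: str

    @property
    def heuristic(self) -> bool:
        # [T-HEUR] is the heuristic tag seen in the thread; anything else is
        # treated here as a stronger (non-heuristic) match.
        return self.tag.upper() == "T-HEUR"

    @property
    def guid_temp_drop(self) -> bool:
        """True when the exe sits in <...>\\Temp\\{GUID}\\{GUID}.exe."""
        parts = self.path.split("\\")
        if len(parts) < 3:
            return False
        folder, exe = parts[-2], parts[-1]
        in_temp = any(p.lower() == "temp" for p in parts[:-2])
        stem = exe[:-4] if exe.lower().endswith(".exe") else exe
        return in_temp and bool(GUID_RE.match(folder)) and bool(GUID_RE.match(stem))


def parse_rkill_log(text: str) -> List[RkillHit]:
    """Extract every '* path (PID: n) [TAG]' line from Rkill output."""
    hits: List[RkillHit] = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(RkillHit(m["path"], int(m["pid"]), m["tag"]))
    return hits


def triage(hit: RkillHit, scanners_running: Iterable[str] = ()) -> str:
    """Label one hit. scanners_running is a hypothetical caller-supplied list
    of self-extracting tools (e.g. TDSSKiller) active at the same moment."""
    tools = list(scanners_running)
    if not hit.heuristic:
        return "signature-hit: treat as real until proven otherwise"
    if hit.guid_temp_drop and tools:
        return ("likely-benign: GUID-named Temp executable while "
                + ", ".join(tools) + " was running; confirm by re-running Rkill alone")
    if hit.guid_temp_drop:
        return ("needs-confirmation: GUID-named Temp executable with no scanner "
                "running; capture the file before it is deleted and check its signer")
    return "heuristic: inspect path and publisher before acting"


if __name__ == "__main__":
    for h in parse_rkill_log(SAMPLE_RKILL_LOG):
        print(h.pid, h.tag, "->", triage(h, scanners_running=["TDSSKiller"]))
```

Run it once with `scanners_running` empty and once with the tool you launched alongside Rkill; a hit that flips from "needs-confirmation" to "likely-benign" is exactly the concurrency case the thread ended on, while a hit that stays "needs-confirmation" is the one worth preserving and examining.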