ESET Smart Security can't protect me from .lnk malware

Status
Not open for further replies.

Khairul

Level 2
Verified
Feb 3, 2015
89
Hi, the sample that you uploaded is not the virus, it is just a shortcut. I have faced it before, with Bitdefender, which removed the core of the malware but did not remove the shortcut created by the malware; it does kill the malware, though. When you click the shortcut, it won't have any effect on your PC as the main core files have already been destroyed by the AV.

Anyway, I hope you can try to recover the malware, as the one you removed using MCShield is the "leftover" of the malware and not the malware itself. That's why when you uploaded it to VirusTotal it shows fully clean, as it is clean.

And if possible, please rectify your ESET database. Is it the latest version?
 

Maxxx58

Level 13
Dec 20, 2014
619
Yes, my ESET virus database is always up to date. I didn't see any notification about ESET detecting malware on my computer.
 

Maxxx58

Level 13
Dec 20, 2014
619
Sure, it's exactly the same one.
Only found that after the scan.
[screenshot attached]
 

Enju

New Member
Jul 16, 2014
443
That's odd, normally HitmanPro is quite good at detecting USB-spreading malware. Maybe I assumed the worst or misread something.
So let me go through this again: First you plugged in a friend's USB stick; did you open or run anything on it, or is autoplay enabled? Did anything suspicious happen after plugging it in?
After some time you plugged in your USB stick and all your files were "gone" (hidden) and only this shortcut was on the stick, so you downloaded MCShield to scan your USB drive and it deleted the .lnk and restored the files. Has anything happened in the meantime? Did you see any abnormal behaviour?
 

LabZero

The file uploaded on VT is rundll32, which runs DLL files and loads their libraries into the memory of your system.

It's a legitimate Windows file and it is certainly not malware.

We must understand what the infected file is, if it exists, or whether it's an FP.

It may have been removed by MCShield, but if it did damage, that has not been repaired.
 

Maxxx58

Level 13
Dec 20, 2014
619
After my friend's USB was plugged in, I found nothing except one USB shortcut on that drive (autoplay enabled). After that, I plugged in my USB, and it looked like all of my files had been copied into one USB shortcut; I have to click this shortcut to show my files. And I downloaded MCShield, scanned it with that, and it quarantined that .lnk file.
 

Maxxx58

Level 13
Dec 20, 2014
619
UPDATE:
I've just plugged in my USB and ESET detects lots of threats (the same threats). ESET can't totally clean the threats; I try to eject my USB and plug it in again, and ESET shows the same notification about cleaning this threat.
[screenshot attached]

And my USB drive goes blank.
[screenshot attached]

It means ESET can only detect the threats after the scan by MCShield. How can I be sure my machine does not get infected?
 

Enju

New Member
Jul 16, 2014
443
ESET could just have added signatures for the malware (yup, it was just added: http://www.eset.com/us/threat-center/threatsense-updates/ v.11644 (May 18, 2015)). To make sure there is nothing shady going on, open a thread in http://malwaretips.com/forums/malware-removal-assistance.10/ .
 

SkyLambert

New Member
Nov 16, 2014
5
That shortcut leads to the legit rundll32 file from Microsoft. As Klipsh says above, it runs DLL files in its process. For example, it hosts Control Panel applets. To evade detection, malware will sometimes hide inside processes like rundll32 and svchost as a DLL. That way, if you look through Task Manager, rundll32.exe won't look out of place at all. The shortcut target is intriguing, however. This looks suspicious: "rundll32.exe \~$aqnsoymqn". It looks like this shortcut is trying to launch a rundll32 process to host the malicious file that your AV keeps detecting.
 
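SkyLambert's reading of the shortcut target above is the part worth automating. The block below is an added example, not code from the thread, from MCShield, ESET or any poster: it parses the StringData section of a Windows shell link (the .lnk format, MS-SHLLINK) to pull out the target path and command-line arguments, then applies a heuristic for the pattern described in this thread: rundll32.exe launched against a hidden, extension-less, root-relative file on the removable drive. The shortcut bytes are constructed inside the block; the payload name follows the "rundll32.exe \~$aqnsoymqn" target quoted above but is not the real sample. The list of flagged host executables and the heuristic rules are my own assumptions.

```python
"""Parse a .lnk (MS-SHLLINK) file and flag the USB-worm shortcut pattern
discussed in this thread.  Added example, not code from the thread or from
any AV vendor.  Sample shortcuts are constructed below (not real samples)."""
import struct

# ShellLinkHeader CLSID {00021401-0000-0000-C000-000000000046}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order when their flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

# Hosts that a shortcut-worm typically abuses to run a hidden payload (assumption).
SCRIPT_HOSTS = {"rundll32.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "mshta.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link.  The optional
    LinkTargetIDList and LinkInfo blocks are skipped, not decoded."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def classify_lnk(fields: dict) -> list:
    """Heuristic findings for one parsed shortcut (empty list = nothing odd)."""
    findings = []
    target = fields.get("relative_path", "").replace("/", "\\")
    exe = target.rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "").strip()
    first = args.split()[0] if args else ""
    if exe in SCRIPT_HOSTS:
        findings.append(f"target is a script/DLL host: {exe}")
    if exe == "rundll32.exe" and first:
        payload = first.lstrip("\\").rsplit("\\", 1)[-1]
        if payload.startswith("~$"):   # named like an Office lock file to look boring
            findings.append(f"rundll32 payload named like an Office lock file: {first}")
        if "." not in payload:
            findings.append(f"rundll32 payload has no extension: {first}")
        if first.startswith("\\"):     # root-relative: lives on the removable drive
            findings.append(f"rundll32 payload is root-relative: {first}")
    return findings


def build_lnk(relative_path: str, arguments: str, working_dir: str = ".") -> bytes:
    """Construct a minimal Unicode shell link (test fixture, no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=SW_SHOWNORMAL

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(working_dir) + sd(arguments)


# Constructed fixtures: one modelled on the thread's shortcut, one benign.
WORM_LNK = build_lnk(r"..\..\..\Windows\System32\rundll32.exe", r"\~$aqnsoymqn")
BENIGN_LNK = build_lnk(r"..\Tools\notepad.exe", "notes.txt")

if __name__ == "__main__":
    for label, blob in (("worm-style", WORM_LNK), ("benign", BENIGN_LNK)):
        print(label, classify_lnk(parse_lnk(blob)))
```

To use it on a real stick, read every *.lnk in the drive root and pass the bytes to parse_lnk; pair the findings with a check that the remaining root entries carry the hidden+system attributes, since that combination (everything hidden, one visible shortcut) is the tell. Note that a flagged .lnk is only the pointer: the file named in its arguments is the payload to submit to vendors, which is the point Khairul and jamescv7 make about the shortcut scanning clean.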

omidomi

Level 70
Verified
Trusted
Malware Hunter
Apr 5, 2014
5,924
Send your files to a vendor (Dr.Web, Kaspersky, Avira);
they will say whether the file is safe or not :D
 

jamescv7

Level 85
Verified
Trusted
Mar 15, 2011
13,088
MCShield mainly focuses on all USB-based detection, even the leftovers from viruses. .lnk is the shortcut file extension, which links to the main file; however, it is possibly considered dead after the quarantine/deletion process. ESET and other AVs sometimes have no need to detect any leftovers (mainly shortcuts) when they are outside the criteria for possible infection behavior.
 